“I think we have a long way to go to get the broad understanding of what security really means in the development world.” — Steve Lipner
Steve Lipner has led the Security Development Lifecycle team at Microsoft since 2004. The SDL initiative is a set of requirements for secure software development.
“The SDL is a set of requirements that developers have to meet. No matter how you are doing development, you have to meet those requirements. A lot of the SDL requirements are based on the application of automated tooling: build requirements, code analysis requirements, automated test tools… ” — Steve Lipner
I had an extended discussion with Steve about what the SDL is really for and how it is used at Microsoft. Along the way, we talked about how application security for the cloud is handled with the SDL, and how the disciplines of DevOps/Agile are taken into account.
“We’ve tried with the SDL to provide a discipline and a set of requirements for secure development, but at the same time, to do that in a way that enabled development groups to meet their customer requirements, to meet their market requirements, to meet their time limit requirements.” — Steve Lipner
Listen to the full interview:
Steve Lipner – The Security Development Lifecycle at Microsoft