The SDL structure presents a problem for Agile methodologies, simply by virtue of having been in development for so long; it's basically presented as a waterfall (or at best, a discrete and non-time-boxed iterative cycle) process, because that was the predominant mode of working in the early years of this millennium. In addition to this, the SDL was originally developed to support very large products, such as Windows itself, and Office; products with very long development cycles. Looked at from an Agile perspective, the SDL is enormous, monolithic, and chiseled out of Aberdeen granite.
Getting these two to play nice together was never going to be very easy.
As you might have expected, Microsoft has been working on this problem over the past year. Specifically, a cooperation of security professionals from the Online Services Security & Compliance team, Trustworthy Computing Security, and the SDL, have developed a process to solve the methodology mismatch. Their solution is incorporated into the latest release (4.1a) of the SDL Process Guidance document (1.1MB docx), starting on page 45, in a chapter creatively captioned "Security Development Lifecycle for Agile Development".
The key idea is to split the SDL requirements. With Agile cycles of a week or three being the norm, not all of the SDL requirements can be addressed in every sprint (to take Scrum as an example). The optimum compromise has been determined to comprise three categories of SDL requirement, and their related task sets:
- Every-Sprint - e.g. new feature thread modelling, web i/o sanitizing;
- Bucket - e.g. verification, design review, response planning tasks;
- One-Time - baseline threat model being the largest of these.
We believe we’ve developed a process that is faithful to both Agile and to SDL, in which teams can innovate and react quickly to changing customer needs but in which the products they create are still more resilient to attack.
Download it here.