Abstract

Like many global enterprises, Microsoft depends on internally developed and third-party line-of-business (LOB) applications to run its daily business activities. Nearly 4000 LOB applications are in service at Microsoft, including a significant number of applications that contain business-sensitive data, customer data, or confidential employee data. In 2001 the Microsoft IT organization wanted to make sure that the company's security risk was appropriately managed. The Security Development Life cycle for IT (SDL-IT) was created within Microsoft IT to keep track of, assess, and address potential security and privacy vulnerabilities found in LOB applications. A specialist team called the Application Consulting and Engineering (ACE) Team was formed to manage the program, providing support and oversight to ensure that application development teams adhere to the SDL-IT process. This paper describes the processes and standards that make up the SDL-IT process and discusses best practices that might be useful to other organizations wishing to create and enforce a security and privacy process for LOB applications. While this paper describes Microsoft IT's own security and privacy process, the authors recognize that every organization is unique and believe that the technology-agnostic SDL-IT process and methodologies described can be implemented in other enterprises.

Full Text
Published version (Free)