| Security Development Lifecycle

Template: Security Requirements Questionnaire

Sample criteria and format for creating a custom security requirements questionnaire for an SDL project.

For the latest information, please see http://www.microsoft.com/sdl.

This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

Some examples depicted herein are provided for illustration only and are fictitious.  No real association or connection is intended or should be inferred. 

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.© 2011 Microsoft Corporation. All rights reserved. Licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 UnportedMicrosoft and Windows are trademarks of the Microsoft group of companies. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

During the Requirements Phase of a Security Development Lifecycle (SDL) project, the development organization should develop and answer a short questionnaire to determine which SDL practices should be adopted based on the features and intended use of the application being developed.

The Microsoft SDL team has provided this basic list of criteria to help organizations begin thinking about security requirements in their projects. This list is derived from the SDL Process Guidance: Introduction. It provides a starting point for creating your own security questionnaire by identifying the features, functionality, and usage scenarios that most commonly affect the security of an application.

What Products and Services Should Adopt the Security Development Lifecycle Process?

Any software release that is commonly used or deployed within any organization, such as a business organization, government, or nonprofit agency.

Any software release that regularly stores, processes, or communicates personally identifiable information (PII) or other sensitive information. Examples include financial or medical information.

Any software product or service that targets or is attractive to children 13 years old and younger.

Any software release that regularly connects to the Internet or other networks. Such software might be designed to connect in different ways, including:o Always online. Services provided by a product that involve a presence on the

Internet, such as Windows Live® Messenger.o Designed to be online. Browser or mail applications that expose Internet

functionality, such as Microsoft Outlook® or Internet Explorer®.o Exposed online. Components that are routinely accessible through other

products that interact with the Internet, such as Microsoft ActiveX® controls or PC–based games with multiplayer online support.

Any software release that automatically downloads updates.

3

Note: This sample document provides some criteria to consider when building a security requirements questionnaire. The content presented outlines basic criteria to consider when creating security processes. It is not an exhaustive list of activities or criteria, and it should not be treated as such.

Any software release that accepts and/or processes data from an unauthenticated source, including:o Callable interfaces that “listen.”o Functionality that parses any unprotected file types should be limited to system

administrators. Any release that contains ActiveX controls. Any release that contains COM controls.

4