| Security Development

Lifecycle
Template: Security Requirements
Questionnaire
Sample criteria and format for creating a custom security
requirements questionnaire for an SDL project.

For the latest information, please see http://www.microsoft.com/sdl.

This document is provided as-is. Information and views expressed in this document, including URL and
other Internet Web site references, may change without notice. You bear the risk of using it.
Some examples depicted herein are provided for illustration only and are fictitious. No real association or
connection is intended or should be inferred.
This document does not provide you with any legal rights to any intellectual property in any Microsoft
product. You may copy and use this document for your internal, reference purposes.
2011 Microsoft Corporation. All rights reserved.
Licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported
Microsoft and Windows are trademarks of the Microsoft group of companies.
The names of actual companies and products mentioned herein may be the trademarks of their respective
owners.

Note: This sample document provides some criteria to consider when

building a security requirements questionnaire. The content presented
outlines basic criteria to consider when creating security processes. It is not
an exhaustive list of activities or criteria, and it should not be treated as
such.
During the Requirements Phase of a Security Development Lifecycle (SDL)
project, the development organization should develop and answer a short
questionnaire to determine which SDL practices should be adopted based on
the features and intended use of the application being developed.
The Microsoft SDL team has provided this basic list of criteria to help
organizations begin thinking about security requirements in their projects.
This list is derived from the SDL Process Guidance: Introduction. It provides a starting
point for creating your own security questionnaire by identifying the features,
functionality, and usage scenarios that most commonly affect the security of
an application.

What Products and Services Should Adopt the

Security Development Lifecycle Process?

Any software release that is commonly used or deployed within any organization,
such as a business organization, government, or nonprofit agency.
Any software release that regularly stores, processes, or communicates personally
identifiable information (PII) or other sensitive information. Examples include financial
or medical information.
Any software product or service that targets or is attractive to children 13 years old
and younger.
Any software release that regularly connects to the Internet or other networks. Such
software might be designed to connect in different ways, including:
o
o
o

Always online. Services provided by a product that involve a presence on

the Internet, such as Windows Live Messenger.
Designed to be online. Browser or mail applications that expose Internet
functionality, such as Microsoft Outlook or Internet Explorer.
Exposed online. Components that are routinely accessible through other
products that interact with the Internet, such as Microsoft ActiveX controls or
PCbased games with multiplayer online support.

Any software release that automatically downloads updates.

Any software release that accepts and/or processes data from an unauthenticated
source, including:
1

o
o

Callable interfaces that listen.

Functionality that parses any unprotected file types should be limited to
system administrators.

Any release that contains ActiveX controls.

Any release that contains COM controls.