I've seen this in the context of Microsoft's SDL (Secure Development Lifecycle).
Is it just those 12 practices and if the team follows those, you can say you implemented them? Are there any "hard" checks? Any software solutions one should use?
What it means to implement a process framework depends on the framework in question. The Microsoft Secure Development Lifecycle is a set of 12 practices that help an organization build secure software and follow security and compliance guidelines. I would consider an organization to be implementing the SDL if they have a reasonable plan to incorporate all 12 practices into their software development life cycle. I would consider the SDL to be implemented once all 12 practices are in place.
Something that isn't explicitly in the 12 practices, but is identified in the Simplified Implementation of the Microsoft SDL whitepaper (linked to in the FAQ as a Word document), is the practice of continuous improvement and periodic process updates. You need to measure the effectiveness of the process activities and ensure that they are meeting the desired objectives and level of quality, making changes where necessary to meet the needs of the development organization and the stakeholders.
As far as software solutions go, a good process framework is independent of tools. It looks like Microsoft provides some guidance for using their services and tools, but there are ways to satisfy these requirements using other means. If a development organization is looking to implement the SDL as a basis for their security processes, then they may need to assess their tools' ability to provide the required functionality and either augment them with additional tools or replace the tools entirely.