Best Practices for the Security APIs
To help develop secure software, we recommend that you use the following best practices when developing applications. For more information, see Security Developer Center.
Security Development Life Cycle
The Security Development Life Cycle (SDL) is a process that aligns a series of security-focused activities and deliverables to each phase of software development. These activities and deliverables include:
- Developing threat models
- Using code-scanning tools
- Conducting code reviews and security testing
For more information about the SDL, see the Microsoft Security Development Lifecycle.
Threat Models
Conducting a threat model analysis can help you discover potential points of attack in your code. For more information about threat model analysis, see Howard, Michael and LeBlanc, David [2003], Writing Secure Code, 2nd ed., ISBN 0-7356-1722-8, Microsoft Press, Redmond, Washington. (This resource may not be available in some languages and countries.)
Service Packs and Security Updates
Build and test environments should mirror the service pack and security update levels of the targeted user base. We recommend that you install the latest service packs and security updates for any Microsoft platform or application that is part of your build and test environment, and that you encourage your users to do the same for the environment in which the finished application runs. For more information about service packs and security updates, see Microsoft Windows Update and Microsoft Security.
Authorization
You should create applications that require the least possible privilege. Running with the least possible privilege reduces the risk that malicious code can compromise your computer system. For more information about running code with the least possible privilege, see Running with Special Privileges.
More Information
For more information about best practices, see the following topics.
| Topic | Description |
|---|---|
| Running with Special Privileges | Discusses security implications of privileges. |
| Avoiding Buffer Overruns | Provides information about avoiding buffer overruns. |
| Control Flow Guard (CFG) | Discusses memory corruption vulnerabilities. |
| Creating a DACL | Shows how to create a discretionary access control list (DACL) by using the Security Descriptor Definition Language (SDDL). |
| Handling Passwords | Discusses security implications of using passwords. |
| Dynamic Access Control developer extensibility | Basic orientation to some of the developer extensibility points for the new Dynamic Access Control solutions. |