Best Practices for the Security APIs

To help you develop secure software, we recommend the following practices when developing applications. For more information, see Security Developer Center.

Security Development Life Cycle

The Security Development Life Cycle (SDL) is a process that aligns a series of security-focused activities and deliverables with each phase of software development. These activities and deliverables include:

  • Developing threat models
  • Using code-scanning tools
  • Conducting code reviews and security testing

For more information about the SDL, see the Microsoft Security Development Lifecycle.

Threat Models

Conducting a threat model analysis can help you discover potential points of attack in your code. For more information about threat model analysis, see Howard, Michael and LeBlanc, David [2003], Writing Secure Code, 2d ed., ISBN 0-7356-1722-8, Microsoft Press, Redmond, Washington. (This resource may not be available in some languages and countries.)

Service Packs and Security Updates

Build and test environments should mirror the service pack and security update levels of the targeted user base. We recommend that you install the latest service packs and security updates for any Microsoft platform or application that is part of your build and test environment, and encourage your users to do the same for the environment in which the finished application runs. For more information about service packs and security updates, see Microsoft Windows Update and Microsoft Security.

Authorization

Design applications to run with the least privilege they need. An application that runs with only the privileges it requires limits the damage a compromise can do: a bug in the application, or code injected into it, inherits no more than those privileges. For more information about running code with the least possible privilege, see Running with Special Privileges.
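The following PowerShell script is an added example, not code from the original page. It shows one practical check for the principle above: before a build or test step runs, inspect the token the step would inherit and refuse to continue if that token is elevated or has privileges enabled that the step does not need. The function names, the default allowed-privilege list and the build command placeholder are assumptions for illustration.

```powershell
# Added example; not part of the original page. Checks the token of the current
# process before a build or test step runs, and stops if the step would run with
# more privilege than the job needs. The allowed-privilege list is an assumption
# for illustration: SeChangeNotifyPrivilege is present in every interactive token.

function Get-TokenSummary {
    # WindowsIdentity/WindowsPrincipal expose the logon account and its group membership.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # whoami /priv lists every privilege held by the token and whether it is
    # currently enabled; CSV output keeps the columns stable for parsing.
    $privileges = whoami /priv /fo csv | ConvertFrom-Csv

    [pscustomobject]@{
        User              = $identity.Name
        IsAdministrator   = $principal.IsInRole($adminRole)
        EnabledPrivileges = @($privileges | Where-Object State -eq 'Enabled' |
                              ForEach-Object { $_.'Privilege Name' })
    }
}

function Assert-LeastPrivilege {
    param(
        # Privileges the task legitimately needs enabled (hypothetical default).
        [string[]]$AllowedPrivileges = @('SeChangeNotifyPrivilege')
    )
    $token = Get-TokenSummary

    # On a UAC-split logon, IsInRole(Administrator) is true only for the
    # elevated token, so this catches a step launched from an elevated prompt.
    if ($token.IsAdministrator) {
        throw "Refusing to run: '$($token.User)' holds the Administrators group in this token. Run the job from a standard user account."
    }

    $excess = @($token.EnabledPrivileges | Where-Object { $_ -notin $AllowedPrivileges })
    if ($excess.Count -gt 0) {
        throw "Refusing to run: token has privileges the task does not need: $($excess -join ', ')"
    }

    Write-Verbose "Token for $($token.User) is within the allowed privilege set."
    return $token
}

# Usage: guard the step, then run the build or test command only if the guard passed.
$token = Assert-LeastPrivilege -AllowedPrivileges 'SeChangeNotifyPrivilege', 'SeIncreaseWorkingSetPrivilege'
Write-Output "Running as $($token.User) with enabled privileges: $($token.EnabledPrivileges -join ', ')"
# & msbuild.exe ...   (hypothetical placeholder for the actual build or test command)
```

The same principle applies to the application itself: declare requestedExecutionLevel level="asInvoker" in its manifest so it never asks for elevation it does not need, and, when a single operation does require a privilege such as SeBackupPrivilege, enable it with AdjustTokenPrivileges immediately before that operation and disable it again immediately afterward, as described in Running with Special Privileges.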

More Information

For more information about best practices, see the following topics.

  • Running with Special Privileges: Discusses the security implications of privileges and how to enable a privilege only for as long as it is needed.
  • Avoiding Buffer Overruns: Provides information about avoiding buffer overruns.
  • Control Flow Guard (CFG): Describes Control Flow Guard, a platform mitigation that makes memory corruption vulnerabilities harder to exploit.
  • Creating a DACL: Shows how to create a discretionary access control list (DACL) by using the Security Descriptor Definition Language (SDDL).
  • Handling Passwords: Discusses the security implications of using passwords.
  • Dynamic Access Control developer extensibility: Gives a basic orientation to the developer extensibility points of Dynamic Access Control.