What is Security Development Lifecycle Checks option in Visual Studio?

Question

I am using Visual Studio 2013 Preview, although I'm sure I've seen it in earlier versions. When creating a new project using the wizard, I select C++, Win32 Console Application, and there is an option to enable Security Development Lifecycle Checks on my project. Could someone explain exactly what this option does to my code/project?

Answer 1

The /sdl switch is described here. It turns some warnings into errors, which does not affect your code. Furthermore, it applies the /GS check more aggresively.

Don't expect too much from it. The Microsoft SDL is really a workaround for 1980's style C programming. Even it you use 20th century C++, you don't need it. E.g. operator+(std::string, std::string) is both safe and portable. Microsoft's SDL solution here in contrast is not portable, nor is it safe - the idea behind /GS is to find errors with C string handling at runtime and abort the program, limiting the consequences but not making it safe.

Answer 2

The Microsoft Security Development Lifecycle is a software development process used and proposed by Microsoft to reduce software maintenance costs and increase reliability of software concerning software security related bugs.

These may helpful:

http://download.microsoft.com/download/B/5/A/B5A89F4C-D591-4AAB-BF45-D818D80527B6/SDLServices2011.pdf

http://msdn.microsoft.com/en-us/library/windows/desktop/84aed186-1d75-4366-8e61-8d258746bopq.aspx