Introduction to the Microsoft® Security Development Lifecycle (SDL)
Secure software made easier

Agenda
• Applications under attack
• Origins of the Microsoft SDL
• What is Microsoft doing about the threat?
• Measurable improvements at Microsoft

Cybercrime Evolution
1986–1995
• LANs
• First PC virus
• Motivation: damage
1995–2003
• Internet Era
• “Big Worms”
• Motivation: damage
2004+
• OS, DB attacks
• Spyware, Spam
• Motivation: Financial
2006+
• Targeted attacks
• Social engineering
• Financial + Political
2007 Market prices:
• Credit Card Number: $0.50 - $20
• Full Identity: $1 - $15
• Bank Account: $10 - $1000
Cost of U.S. cybercrime: About $70B
Source: U.S. Government Accountability Office (GAO), FBI

Attacks are focusing on applications
90% of vulnerabilities are remotely exploitable
From the Microsoft Security Intelligence Report V7
Sources: IBM X-Force, 2008
[Chart: % of vulnerability disclosures, operating system vs browser and application vulnerabilities]

Most vulnerabilities are in smaller ISV apps
Vendors' accountability for vulnerabilities in 2008:
• Top 5 ISVs: 11%
• Others: 89%
Sources: IBM X-Force 2008 Security Report

Security Timeline at Microsoft…
2002-2003
• Bill Gates writes “Trustworthy Computing” memo early 2002
• “Windows security push” for Windows Server 2003
• Security push and FSR extended to other products
2004
• Microsoft Senior Leadership Team agrees to require SDL for all products that:
– Are exposed to meaningful risk and/or
– Process sensitive data
2005-2007
• SDL is enhanced
– “Fuzz” testing
– Code analysis
– Crypto design requirements
– Privacy
– Banned APIs
– and more…
• Windows Vista is the first OS to go through full SDL cycle
Now
• Optimize the process through feedback, analysis and automation
• Evangelize the SDL to the software development community:
– SDL Process Guidance
– SDL Optimization Model
– SDL Pro Network
– SDL Threat Modeling Tool
– SDL Process Templates

Which apps are required to follow SDL?
• Any release commonly used or deployed within an enterprise, business, or organization
• Any release that regularly stores, processes, or communicates PII (as defined in Microsoft Privacy Guidelines for Developing Software Products and Services) or other sensitive customer information
• Any release that regularly touches or listens on the Internet or other networks
• Any release that accepts and/or processes data from an unauthenticated source
• Any functionality that parses any file type that is not protected (i.e. not limited to system administrators)
• Any release that contains ActiveX and/or COM controls
• All Microsoft, MSN and Live.com online services that are used by external customers and hosted in the MSN environment

Working to protect our users…
• Education: Administer and track security training
• Process: Guide product teams to meet SDL requirements
• Accountability: Establish release criteria and sign-off as part of FSR
• Incident Response (MSRC)
Ongoing Process Improvements

Pre-SDL Requirements: Security Training
Assess organizational knowledge on security and privacy – establish training program as necessary
• Establish training criteria
– Content covering secure design, development, test and privacy
• Establish minimum training frequency
– Employees must attend n classes per year
• Establish minimum acceptable group training thresholds
– Organizational training targets (e.g. 80% of all technical personnel trained prior to product RTM)

Phase One: Requirements
Opportunity to consider security at the outset of a project
• Development team identifies security and privacy requirements
• Development team identifies lead security and privacy contacts
• Security Advisor assigned
• Security Advisor reviews product plan, makes recommendations, may set additional requirements
• Mandate the use of a bug tracking/job assignment system
• Define and document security and privacy bug bars

Phase Two: Design
Define and document security architecture, identify security critical components
• Identify design techniques (layering, managed code, least privilege, attack surface minimization)
• Document attack surface and limit through default settings
• Define supplemental security ship criteria due to unique product issues
– Cross-site scripting tests
– Deprecation of weak crypto
• Threat Modeling
– Systematic review of features and product architecture from a security point of view
– Identify threats and mitigations
• Online services specific requirements

Phase Three: Implementation
Full spectrum review – used to determine processes, documentation and tools necessary to ensure secure deployment and operation
• Specification of approved build tools and options
• Static analysis (PREfix, /analyze (PREfast), FxCop)
• Banned APIs
• Use of operating system “defense in depth” protections (NX, ASLR and HeapTermination)
• Online services specific requirements (e.g., cross-site scripting, SQL injection, etc.)
• Consider other recommendations (e.g., Standard Annotation Language (SAL))
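
One way to verify the NX and ASLR item above at build time, as an added example that is not part of the original deck or of Microsoft's tooling: a Python check that reads the DllCharacteristics field of each PE image and reports binaries that did not opt in. The function names and the sample images are constructed for illustration; heap termination is a runtime setting that is not recorded in the header, so it is not checked here.

```python
import struct

# Flag values of the PE optional header's DllCharacteristics field.
DYNAMIC_BASE = 0x0040  # image opts in to ASLR
NX_COMPAT = 0x0100     # image opts in to NX (DEP)
PE32, PE32_PLUS = 0x10B, 0x20B  # optional header magic values


class PEFormatError(ValueError):
    """Raised when the bytes are not a parseable PE image header."""


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word of a PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise PEFormatError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    coff = e_lfanew + 4  # COFF file header follows the 4-byte signature
    if coff + 20 > len(image) or image[e_lfanew:coff] != b"PE\0\0":
        raise PEFormatError("missing PE signature")
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20  # optional header follows the 20-byte COFF header
    if opt_size < 72 or opt + 72 > len(image):
        raise PEFormatError("optional header truncated")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32, PE32_PLUS):
        raise PEFormatError(f"unexpected optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (flags,) = struct.unpack_from("<H", image, opt + 70)
    return flags


def missing_mitigations(image: bytes) -> list:
    """List the mitigations ("NX", "ASLR") the image did not opt in to."""
    flags = dll_characteristics(image)
    missing = []
    if not flags & NX_COMPAT:
        missing.append("NX")
    if not flags & DYNAMIC_BASE:
        missing.append("ASLR")
    return missing


def release_gate(images: dict) -> dict:
    """Map each failing file name to the reasons it fails the gate."""
    failures = {}
    for name, data in images.items():
        try:
            missing = missing_mitigations(data)
        except PEFormatError:
            missing = ["not a PE image"]
        if missing:
            failures[name] = missing
    return failures


def build_sample_pe(flags: int, magic: int = PE32_PLUS) -> bytes:
    """Construct a header-only PE image (sample data, not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header at 0x40
    opt_size = 240 if magic == PE32_PLUS else 224
    machine = 0x8664 if magic == PE32_PLUS else 0x014C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed build output: one hardened image, two that fail, one non-PE file.
SAMPLE_BUILD = {
    "hardened.dll": build_sample_pe(DYNAMIC_BASE | NX_COMPAT),
    "no_aslr.exe": build_sample_pe(NX_COMPAT, PE32),
    "legacy.dll": build_sample_pe(0, PE32),
    "readme.txt": b"not a binary",
}

if __name__ == "__main__":
    for name, reasons in release_gate(SAMPLE_BUILD).items():
        print(f"FAIL {name}: {', '.join(reasons)}")
```
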

Phase Four: Verification
Started as early as possible – conducted after “code complete” stage
• Start security response planning – including response plans for vulnerability reports
• Re-evaluate attack surface
• Fuzz testing – files, installable controls and network facing code
• Conduct “security push” (as necessary, increasingly rare)
– Not a substitute for security work done during development
– Code review
– Penetration testing and other security testing
– Review design and architecture in light of new threats
• Online services specific requirements

Phase Five: Release – Response Plan
Creation of a clearly defined support policy – consistent with MS corporate policies
• Provide Software Security Incident Response Plan (SSIRP)
– Identify contacts for MSRC and resources to respond to events
– 24x7x365 contact information for 3-5 engineering, 3-5 marketing, and 1-2 management (PUM and higher) individuals
• Ensure ability to service all code including “out of band” releases and all licensed 3rd party code.

Phase Five: Release – Final Security Review
Verify SDL requirements are met and there are no known security vulnerabilities
• Provides an independent view into “security ship readiness”
• The FSR is NOT:
– A penetration test – no “penetrate and patch” allowed
– The first time security is reviewed
– A signoff process
• Key Concept: The tasks for this phase are used as a determining factor on whether or not to ship – not used as a “catchall” phase for missed work in earlier phases

Phase Five: Release – Archive
Security response plan complete
• Customer documentation up-to-date
• Archive RTM source code, symbols, threat models to a central location
• Complete final signoffs on Checkpoint Express – validating security, privacy and corporate compliance policies

Post-SDL Requirement: Response
“Plan the work, work the plan…”
• Execution on response tasks outlined during Security Response Planning and Release Phases

SDL Process Guidance for LOB Apps
The Microsoft SDL includes online services and Line-of-Business application development guidance.
• Training: LOB-specific training
• Requirements: Risk assessment
– Application portfolio
– Application risk assessment
– Determine service level
• Design: Asset-centric threat modeling
– Threat model
– Design review
• Implementation: Internal review
– Incorporate security checklists and standards
– Conduct self code review
– Security code analysis
• Verification: Pre-production assessment
– Comprehensive security assessment
– Bug remediation
• Release: Post-production assessment
– Host level scan
• Line-of-Business applications are a set of critical computer applications that are vital to running an enterprise, such as accounting, human resources (HR), payroll, supply chain management, and resource planning applications.
• Many of the requirements and recommendations in the SDL for online services are closely related to what is required for Line-of-Business applications.
• Line-of-Business SDL process guidance allows you to tailor a process specific to your LOB application development while meeting SDL requirements.

SDL Guidance for Agile Methodologies
• Requirements defined by frequency, not phase
– Every-Sprint (most critical)
– One-Time (non-repeating)
– Bucket (all others)
• Great for projects without end dates, like cloud services

Secure Software Development Requires Process Improvement
• Key Concepts
– Simply “looking for bugs” doesn’t make software secure
– Must reduce the chance vulnerabilities enter into design and code
– Requires executive commitment
– Requires ongoing process improvement
– Requires education & training
– Requires tools and automation
– Requires incentives and consequences

Microsoft SDL and Windows
Total Vulnerabilities Disclosed One Year After Release:
• Windows XP (Before SDL): 119
• Windows Vista (After SDL): 66
• OS I: 400
• OS II: 242
• OS III: 157
45% reduction in Vulnerabilities
Source: Windows Vista One Year Vulnerability Report, Microsoft Security Blog 23 Jan 2008

Microsoft SDL and SQL Server
Total Vulnerabilities Disclosed 36 Months After Release:
• SQL Server 2000 (Before SDL): 34
• SQL Server 2005 (After SDL): 3
• Competing commercial DB: 187
91% reduction in Vulnerabilities
Sources: Analysis by Jeff Jones (Microsoft technet security blog)

Summary
• Attacks are moving to the application layer
• SDL = embedding security into software and culture
• Measurable results for Microsoft software
• Microsoft is committed to making SDL widely available and accessible

Resources
• SDL Portal: http://www.microsoft.com/sdl
• SDL Blog: http://blogs.msdn.com/sdl/
• SDL Process on MSDN (Web): http://msdn.microsoft.com/en-us/library/cc307748.aspx
• SDL Process on MSDN (MS Word): http://www.microsoft.com/downloads/details.aspx?FamilyID=d045a05a-c1fc-48c3-b4d5-b20353f97122&displaylang=en

Questions?
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or
other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft
must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information
provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
