Upload
tarasul
View
220
Download
0
Embed Size (px)
Citation preview
8/12/2019 Pittaway Implementing SDL
1/17
Implementing SDL
Glenn Pittaway
Trustworthy Computing, Microsoft Corporation
8/12/2019 Pittaway Implementing SDL
2/17
Help you understand how to measure yourcurrent secure development stance, andhow to improve it
Provide an understanding of the SimplifiedSDL
Provide an overview of resources available
Goals
8/12/2019 Pittaway Implementing SDL
3/17
Where are you now, and how do you improve?
The SDL Optimization Model
8/12/2019 Pittaway Implementing SDL
4/17
A technical road map designed to help those responsible for implementing the Security DevelopmentLifecycle understand the state of their current practices and move their organizations towards full
adoption of the SDL
SDL Optimization Model
Organizational Maturity
8/12/2019 Pittaway Implementing SDL
5/17
Simplified SDL
8/12/2019 Pittaway Implementing SDL
6/17
A minimum threshold for SDL compliance at
the Advanced maturity level as defined in theOptimization Model A concise statement of
The roles and responsibilities for individuals
involved in the application development process Mandatory security activities Optional security activities The application security verification process
What is the Simplified SDL?
8/12/2019 Pittaway Implementing SDL
7/17
Applications exhibiting one or more of thefollowing characteristics should be subject tothe SDL:
Deployed in a business or enterprise environment Processes personally identifiable information (PII) or
other sensitive information Communicates regularly over the Internet or other
networks
SDL Applicability
8/12/2019 Pittaway Implementing SDL
8/17
A centralized, internal advisory group is preferable Reviewer/Advisory Roles
Provide security and privacy oversight, have the authority to accept or reject security and privacy plansfrom a project team. Security Advisor/Privacy Advisor - filled by subject-matter experts (SMEs) from outside the project team,
fulfills two sub-roles: Auditor - monitoring each phase of the development process and attest to successful completion security
requirements Expert - providing verifiable subject-matter expertise in security.
Combination of Advisory Roles - the security advisor role may be combined with the role of privacyadvisor if possible
Team Champions Should be filled by SMEs from the project team Responsible for negotiation, acceptance, and tracking of minimum security and privacy requirements
and maintaining clear lines of communication with advisors and decision makers Security Champion/Privacy Champion - responsible for coordinating and tracking security issues for the
project, reporting it to the security advisor and to other relevant parties
SDL Roles and Responsibilities
8/12/2019 Pittaway Implementing SDL
9/17
Assess organizational knowledge establish training program as necessary
Establish training criteria Content choices - covering secure design, development, test and privacy
Establish minimum training frequency Employees must attend classes per year
Establish minimum acceptable group training thresholds
Organizational training targets (e.g. 80% of all technical personnel trained prior to product RTM)
Pre-SDL Requirement: Security Training
8/12/2019 Pittaway Implementing SDL
10/17
Opportunity to consider security at the outset of a project
Establish Security Requirements One time, project wide requirements security leads identified, security bug tracking process mandated,
architectural requirements set given the planned operational environment Create Quality Gates / Bug Bars
Minimum performance and quality criteria for each stage and for the project as a whole, Security and Privacy Risk Assessment
Risk assessment performed to determine critical components for the purposes of deep security and privacyreview
Phase One: Requirements
8/12/2019 Pittaway Implementing SDL
11/17
Define and document security architecture, identify security critical components
Establish Design Requirements Required activities which include creation of design specifications, analysis of proposed security technologies (e.g.
crypto requirements) and reconciliation of plans against functional specs.
Analyze Attack Surface Defense in depth strategies employed use of layered defenses used to mitigate severity .
Threat Modeling Structured, component-level analysis of the security implications of a proposed design.
Phase Two: Design
8/12/2019 Pittaway Implementing SDL
12/17
Determine processes, documentation and tools necessary to ensure secure development
Use approved tools Approved list for compilers, security test tools, switches and flags; enforced project wide.
Deprecate Unsafe Functions Prohibition of unsafe functions , APIs, when using native (C/C++) code.
Static Code Analysis Scalable in-depth code review , augmentation by other methods as necessary to address weaknesses in static
analysis tools.
Phase Three: Implementation
8/12/2019 Pittaway Implementing SDL
13/17
Verification of SDL security and privacy activities performed earlier in the process
Dynamic Analysis Runtime verification and analysis of programs to identify critical security problems
Fuzz Testing Specialized dynamic analysis technique used to deliberately cause program failure by injection of random, deliberately
malformed inputs.
Attack Surface / TM review Re-review of attack surface and threat models when the program is code complete to ensure security assumptions and
mitigations specified at design time are still relevant .
Phase Four: Verification
8/12/2019 Pittaway Implementing SDL
14/17
Satisfaction of clearly defined release criteria consistent with organizational policy
Incident Response Plan Creation of a response plan that outlines engineering, management and on -call contacts, security servicing
plans for all code, including 3rd party artifacts. Final Security Review
Deliberate examination of all security and privacy activities conducted during development Release Archive
SDL compliance certification and archival of all information and data necessary for post-release servicing of thesoftware.
Phase Five: Release
8/12/2019 Pittaway Implementing SDL
15/17
Plan the work work the plan
Execute Incident Response Plan Performance of activities outlined in response plan created during Release phase
Other non-development, post-release process requirements Root cause analysis of found vulnerabilities: Is it a human, process, or automation failure?
Addressed immediately and tagged for inclusion in next revision of SDL
Post-SDL Requirement: Response
8/12/2019 Pittaway Implementing SDL
16/17
SDL Portalhttp://www.microsoft.com/sdl
SDL Blog
http://blogs.msdn.com/sdl/
SDL Process on MSDN Web) http://msdn.microsoft.com/en-us/library/cc307748.aspx
Simplified Implementation of theMicrosoft SDLhttp://go.microsoft.com/?linkid=9708425
Resources
http://www.microsoft.com/sdlhttp://blogs.msdn.com/sdl/http://msdn.microsoft.com/en-us/library/cc307748.aspxhttp://msdn.microsoft.com/en-us/library/cc307748.aspxhttp://msdn.microsoft.com/en-us/library/cc307748.aspxhttp://blogs.msdn.com/sdl/http://go.microsoft.com/?linkid=9708425http://go.microsoft.com/?linkid=9708425http://msdn.microsoft.com/en-us/library/cc307748.aspxhttp://go.microsoft.com/?linkid=9708425http://go.microsoft.com/?linkid=9708425http://blogs.msdn.com/sdl/http://msdn.microsoft.com/en-us/library/cc307748.aspxhttp://msdn.microsoft.com/en-us/library/cc307748.aspxhttp://msdn.microsoft.com/en-us/library/cc307748.aspxhttp://msdn.microsoft.com/en-us/library/cc307748.aspxhttp://blogs.msdn.com/sdl/http://www.microsoft.com/sdl8/12/2019 Pittaway Implementing SDL
17/17
!
Thank you!