Pittaway Implementing SDL


  • 8/12/2019 Pittaway Implementing SDL

    1/17

    Implementing SDL

    Glenn Pittaway

    Trustworthy Computing, Microsoft Corporation


    Goals

    Help you understand how to measure your current secure development stance, and how to improve it

    Provide an understanding of the Simplified SDL

    Provide an overview of resources available


    The SDL Optimization Model

    Where are you now, and how do you improve?


    SDL Optimization Model

    A technical road map designed to help those responsible for implementing the Security Development Lifecycle understand the state of their current practices and move their organizations towards full adoption of the SDL.

    Organizational Maturity: the model rates an organization's current practices at one of four maturity levels (Basic, Standardized, Advanced, Dynamic) and describes what is needed to move to the next one.


    Simplified SDL


    What is the Simplified SDL?

    A minimum threshold for SDL compliance at the Advanced maturity level as defined in the Optimization Model.

    A concise statement of:
    The roles and responsibilities for individuals involved in the application development process
    Mandatory security activities
    Optional security activities
    The application security verification process


    SDL Applicability

    Applications exhibiting one or more of the following characteristics should be subject to the SDL:
    Deployed in a business or enterprise environment
    Processes personally identifiable information (PII) or other sensitive information
    Communicates regularly over the Internet or other networks


    SDL Roles and Responsibilities

    Reviewer/Advisory Roles
    A centralized, internal advisory group is preferable.
    Security Advisor/Privacy Advisor - filled by subject-matter experts (SMEs) from outside the project team. Provides security and privacy oversight and has the authority to accept or reject security and privacy plans from a project team. Fulfills two sub-roles:
    Auditor - monitors each phase of the development process and attests to successful completion of the security requirements.
    Expert - provides verifiable subject-matter expertise in security.
    Combination of Advisory Roles - the security advisor role may be combined with the privacy advisor role where possible.

    Team Champions
    Should be filled by SMEs from the project team. Responsible for negotiation, acceptance, and tracking of minimum security and privacy requirements, and for maintaining clear lines of communication with advisors and decision makers.
    Security Champion/Privacy Champion - responsible for coordinating and tracking security issues for the project and reporting them to the security advisor and to other relevant parties.


    Pre-SDL Requirement: Security Training

    Assess organizational knowledge; establish a training program as necessary.
    Establish training criteria - content choices covering secure design, development, test, and privacy.
    Establish minimum training frequency - the number of classes employees must attend per year.
    Establish minimum acceptable group training thresholds - organizational training targets (e.g. 80% of all technical personnel trained prior to product RTM).


    Phase One: Requirements

    The opportunity to consider security at the outset of a project.
    Establish Security Requirements - one-time, project-wide requirements: security leads identified, a security bug tracking process mandated, and architectural requirements set given the planned operational environment.
    Create Quality Gates / Bug Bars - minimum performance and quality criteria for each stage and for the project as a whole.
    Security and Privacy Risk Assessment - risk assessment performed to determine the critical components for the purposes of deep security and privacy review.


    Phase Two: Design

    Define and document the security architecture; identify security-critical components.
    Establish Design Requirements - required activities which include creation of design specifications, analysis of proposed security technologies (e.g. crypto requirements), and reconciliation of plans against functional specs.
    Analyze Attack Surface - defense-in-depth strategies employed; layered defenses used to mitigate the severity of any single failure.
    Threat Modeling - structured, component-level analysis of the security implications of a proposed design.


    Phase Three: Implementation

    Determine the processes, documentation, and tools necessary to ensure secure development.
    Use Approved Tools - an approved list of compilers, security test tools, switches, and flags, enforced project-wide.
    Deprecate Unsafe Functions - prohibition of unsafe functions and APIs when using native (C/C++) code.
    Static Code Analysis - scalable, in-depth code review, augmented by other methods as necessary to address weaknesses in static analysis tools.
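    The "deprecate unsafe functions" item is the one most directly expressible in code. What follows is an added example, not code from the slides or from Microsoft's banned.h: a bounds-checked replacement for strcpy/strcat that refuses to truncate, and a preprocessor trap that makes any later call to the banned originals fail at compile time in this translation unit. The function names (bounded_copy, bounded_cat, build_path), the 16-byte buffer and the sample paths are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Length of s, never scanning more than max bytes (local stand-in for strnlen). */
static size_t len_up_to(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Safe replacement for strcpy: copies src into dst (capacity dstsz),
 * always NUL-terminates, and refuses to truncate.
 * Returns 0 on success, -1 if src does not fit or the arguments are unusable. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    size_t n = len_up_to(src, dstsz);
    if (n >= dstsz) {           /* src plus its NUL would not fit */
        dst[0] = '\0';          /* leave dst in a defined, empty state */
        return -1;
    }
    memcpy(dst, src, n + 1);    /* n < dstsz, so src[n] is the NUL */
    return 0;
}

/* Safe replacement for strcat with the same contract. */
int bounded_cat(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    size_t used = len_up_to(dst, dstsz);
    if (used == dstsz)          /* dst is not NUL-terminated: refuse to guess */
        return -1;
    return bounded_copy(dst + used, dstsz - used, src);
}

/* Banned-function trap, placed after the safe wrappers. Any later use of
 * strcpy/strcat in this file expands to a call of a deliberately undeclared
 * function, so the build fails at the call site instead of shipping an
 * overflow. (MSVC projects get the same effect from #pragma deprecated.) */
#undef strcpy
#undef strcat
#define strcpy(dst, src) BANNED_strcpy_use_bounded_copy(dst, src)
#define strcat(dst, src) BANNED_strcat_use_bounded_cat(dst, src)

/* Example consumer (constructed): builds "<dir>/<name>" into a fixed buffer.
 * Returns 0 on success, -1 if the result would overflow. The strcpy/strcat
 * version of this function is the classic stack overflow the SDL bans. */
int build_path(char *out, size_t outsz, const char *dir, const char *name)
{
    if (bounded_copy(out, outsz, dir) != 0) return -1;
    if (bounded_cat(out, outsz, "/") != 0) return -1;
    if (bounded_cat(out, outsz, name) != 0) return -1;
    return 0;
}

int main(void)
{
    char path[16];
    int rc = build_path(path, sizeof path, "/etc", "hosts");
    printf("rc=%d path=%s\n", rc, path);
    rc = build_path(path, sizeof path, "/usr/local/share", "x");
    printf("rc=%d (overflow refused, path left empty)\n", rc);
    return 0;
}
```

    Returning an error rather than silently truncating is deliberate: a truncated path or filename is itself a frequent source of security bugs, so the caller is forced to decide what to do. Pair the trap macro with an approved-tools rule (for example, treating deprecation warnings as errors) so the ban is enforced project-wide rather than per file.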


    Phase Four: Verification

    Verification of the SDL security and privacy activities performed earlier in the process.
    Dynamic Analysis - runtime verification and analysis of programs to identify critical security problems.
    Fuzz Testing - a specialized dynamic analysis technique used to deliberately cause program failure by injection of random, deliberately malformed inputs.
    Attack Surface / Threat Model Review - re-review of the attack surface and threat models when the program is code complete, to ensure the security assumptions and mitigations specified at design time are still relevant.
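    As an added example of the fuzz-testing item (not code from the slides): a deterministic mutational fuzz loop run against two versions of a constructed length-prefixed record parser, one that trusts its length field and one that checks it against the bytes actually present. The record format, the seed input, the xorshift PRNG and the names tlv_parse, tlv_parse_unchecked and fuzz_parser are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed target format: one record of
 *   byte 0     : type
 *   bytes 1..2 : big-endian value length
 *   bytes 3..  : value
 */
typedef struct {
    uint8_t type;
    size_t  len;
    size_t  value_off;   /* offset of the value inside the input buffer */
} tlv_t;

/* Parser as it might look before verification: trusts the length field. */
int tlv_parse_unchecked(const uint8_t *buf, size_t buflen, tlv_t *out)
{
    if (buflen < 3) return -1;
    out->type = buf[0];
    out->len = ((size_t)buf[1] << 8) | buf[2];
    out->value_off = 3;
    return 0;            /* BUG: len may exceed the bytes actually present */
}

/* Hardened parser: rejects a length that does not fit in the buffer. */
int tlv_parse(const uint8_t *buf, size_t buflen, tlv_t *out)
{
    if (buflen < 3) return -1;
    size_t len = ((size_t)buf[1] << 8) | buf[2];
    if (len > buflen - 3) return -1;   /* subtraction is safe: buflen >= 3 */
    out->type = buf[0];
    out->len = len;
    out->value_off = 3;
    return 0;
}

typedef int (*parser_fn)(const uint8_t *, size_t, tlv_t *);

/* Small deterministic PRNG (xorshift32) so every run mutates the same way. */
static uint32_t rng_state;
static uint32_t rng_next(void)
{
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* Mutational fuzz loop: start from a valid seed record, overwrite one random
 * byte per iteration, and check the invariant that a record the parser
 * accepts lies entirely inside the input. Returns the number of violations.
 * A real campaign would run under AddressSanitizer with far more iterations
 * and coverage feedback; the structure is the same. */
size_t fuzz_parser(parser_fn parse, size_t iterations)
{
    static const uint8_t seed[] = { 0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    uint8_t input[sizeof seed];
    size_t violations = 0;
    rng_state = 0x2545F491u;            /* fixed seed: reproducible results */

    for (size_t i = 0; i < iterations; i++) {
        memcpy(input, seed, sizeof seed);
        size_t pos = rng_next() % sizeof input;
        input[pos] = (uint8_t)rng_next();   /* one-byte random overwrite */

        tlv_t rec;
        if (parse(input, sizeof input, &rec) != 0)
            continue;                       /* rejected: that is fine */
        if (rec.value_off > sizeof input || rec.len > sizeof input - rec.value_off)
            violations++;                   /* consumer would read past the end */
    }
    return violations;
}

int main(void)
{
    printf("unchecked parser: %zu invariant violations\n",
           fuzz_parser(tlv_parse_unchecked, 2000));
    printf("hardened parser:  %zu invariant violations\n",
           fuzz_parser(tlv_parse, 2000));
    return 0;
}
```

    The invariant is checked on the parsed offsets rather than by dereferencing, so the unchecked parser's defect is reported as a count instead of an out-of-bounds read; in a production harness the same loop would feed a real consumer of the record and rely on sanitizers to turn the over-read into a crash.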


    Phase Five: Release

    Satisfaction of clearly defined release criteria consistent with organizational policy.
    Incident Response Plan - creation of a response plan that identifies engineering, management, and on-call contacts, and security servicing plans for all code, including third-party artifacts.
    Final Security Review - deliberate examination of all security and privacy activities conducted during development.
    Release Archive - SDL compliance certification and archival of all information and data necessary for post-release servicing of the software.


    Post-SDL Requirement: Response

    Plan the work, work the plan.
    Execute Incident Response Plan - perform the activities outlined in the response plan created during the Release phase.
    Other non-development, post-release process requirements - root cause analysis of found vulnerabilities: is it a human, process, or automation failure? Addressed immediately and tagged for inclusion in the next revision of the SDL.


    Resources

    SDL Portal: http://www.microsoft.com/sdl
    SDL Blog: http://blogs.msdn.com/sdl/
    SDL Process on MSDN (Web): http://msdn.microsoft.com/en-us/library/cc307748.aspx
    Simplified Implementation of the Microsoft SDL: http://go.microsoft.com/?linkid=9708425



    Thank you!