SDL Mandatory Security Activities in a Traditional (or should that be Legacy) Software Development Lifecycle Includes project plans and security risk assessment templates.Accommodates third-party tool integration, e.g.
Generates auditable Final Security Review report.Includes extensive SDL how-to and guidance documentation.Installs SDL requirements as work items.So Just What’s So Good about theSDL Process Template for VSTS? Example tool: SDL Process Template for VSTS.Set of policies, processes, tools, resources.Encapsulated “S3+C”: Security (and privacy) by design Security (and privacy) by default Security (and privacy) in deployment Communications.Trustworthy Computing – Directive issued by Bill Gates, January 2002.C is for ConfidentialityData cannot be disclosed to unauthorized individuals / systems.A is for AvailabilityData must be available when needed.I is for IntegrityData cannot be modified undetectably.A is for ConfidentialityData cannot be disclosed to unauthorized individuals / systems.I is for AvailabilityData must be available when needed.C is for IntecrityData cannot be modified undetectably.Mitigation - any strategy, technique or circumstance that reduces the threat posed by a vulnerability.Attack - application of an exploit any action designed to harm an asset.Exploit - the implementation of a threat against a vulnerability (previously synonymous with Attack).Vulnerability - any weakness which makes possible a threat to an asset.Threat - any potential occurrence (malicious or inadvertent) that could harm or impede an asset.database data, file system data, system resource. Pause: Michael wipes his hand down his face and forces a smile. Michael: You mean you're going to design something, build it, pretend to test it, and then ask me to find the security vulnerabilities? Paige: Don't be so grumpy. Michael: So? Paige: Seriously, I want your help building this system I'm working on. Scene I A small hallway between two sets of cubicles, supposedly designed to enhance agile software development and communication. Michael: a simple security guy at Microsoft. Day O’ Security An Introduction to the Microsoft Security Development Lifecycle Day 1: Threat Modelling - CIA and STRIDEĪ Threat Modelling Conversation The Thespians Paige: a young, bright software developer.