Security Development Life Cycle: Baking Security into Development
September 2010

The Security Development Life Cycle
Source: Microsoft Security Development Lifecycle, 2010
Components – Training: Understand the fundamentals of secure development and coding
– Secure design
– Threat modeling
– Secure coding and testing
– Privacy, risk and best practices
Components – Requirements: Define functional AND security requirements
– Assess SDL applicability with respect to security and privacy implications
– Assign SDL responsibilities
– Identify SDL tools
– Create a security/privacy plan
Components – Design: Establish best security practices for the project
– Does the application design/functionality present vulnerabilities to common threats?
– Focus on keeping functionality while reducing the attack surface
– Predefined prohibitions, e.g., firewall changes, weak cryptography
Components – Implementation: Detect and remove security and privacy issues early in development
– Static code analyzers
– Identification of banned APIs that are difficult to use correctly (e.g., the strcpy C routine)
– Use secure code libraries
– Use operating system “defense in depth” protections, such as address space layout randomization and corrupted heap termination
Components – Verification: Conduct attack surface analysis and threat modeling
– Dynamic analysis tools such as AppScan
– Use of fuzzers, e.g., OWASP jBROFuzz, to identify program failure or recovery when given random or unexpected input
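The Implementation slide names strcpy as a banned API, and the Verification slide names fuzzing as the way to shake out failures. The following C example (added here for illustration; it is not from the slides or from Microsoft's SDL materials) ties the two together: a bounded replacement for strcpy that reports truncation instead of overflowing, and a small self-contained fuzz loop that feeds it random inputs and checks the invariants a reviewer would demand (no write past the destination, always NUL-terminated, return code matches whether the input fit). The function names, the 8-byte destination, the guard-byte layout and the xorshift generator are all assumptions chosen for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Banned pattern the slides warn about, shown only for contrast:
 *     strcpy(dst, src);
 * copies until it finds a NUL in src and never looks at the size of dst. */

/* Bounded replacement (name is an assumption for this demo).
 * Returns 0 on success and -1 if src (plus its terminating NUL) does not
 * fit in dst_size bytes. Whenever dst_size > 0, dst is NUL-terminated on
 * return, so a failed copy never leaves an unterminated buffer behind. */
int safe_copy(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0) return -1;
    size_t n = 0;
    while (n < dst_size && src[n] != '\0') n++;   /* never scan past dst_size */
    if (n >= dst_size) {                            /* no room for the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);                        /* n bytes plus the NUL */
    return 0;
}

/* Convenience wrapper: copy src into a local buffer of dst_size bytes
 * (capped at 64) and report safe_copy's result. */
int copy_result(const char *src, size_t dst_size) {
    char buf[64];
    if (dst_size > sizeof buf) return -1;
    return safe_copy(buf, dst_size, src);
}

/* Tiny deterministic PRNG so the fuzz run is reproducible (constructed). */
static uint32_t rng_state = 0x9E3779B9u;
static uint32_t xorshift32(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* Minimal fuzz harness: run `iterations` random strings (length 0..32)
 * through safe_copy into an 8-byte destination that sits between two guard
 * bytes. Returns the number of invariant violations found; 0 means the
 * function held up under every input tried. */
int fuzz_safe_copy(unsigned iterations) {
    enum { DST_SIZE = 8, SRC_MAX = 32 };
    int violations = 0;
    char src[SRC_MAX + 1];
    for (unsigned i = 0; i < iterations; i++) {
        size_t len = xorshift32() % (SRC_MAX + 1);
        for (size_t j = 0; j < len; j++) src[j] = (char)('a' + xorshift32() % 26);
        src[len] = '\0';

        unsigned char arena[DST_SIZE + 2];           /* guard | dst | guard */
        memset(arena, 0xAA, sizeof arena);
        char *dst = (char *)arena + 1;

        int rc = safe_copy(dst, DST_SIZE, src);
        int expected = (len < DST_SIZE) ? 0 : -1;

        if (rc != expected) violations++;                          /* wrong verdict */
        if (arena[0] != 0xAA || arena[DST_SIZE + 1] != 0xAA) violations++; /* overflow */
        if (memchr(dst, '\0', DST_SIZE) == NULL) violations++;     /* not terminated */
        if (rc == 0 && strcmp(dst, src) != 0) violations++;        /* corrupted copy */
    }
    return violations;
}

int main(void) {
    printf("copy \"hello\" into 8 bytes: %d\n", copy_result("hello", 8));
    printf("copy \"hello\" into 5 bytes: %d\n", copy_result("hello", 5));
    printf("fuzz violations: %d\n", fuzz_safe_copy(10000));
    return 0;
}
```

The same harness pattern scales up: replace `safe_copy` with the parser or protocol handler under test, keep the guard bytes (or build with AddressSanitizer), and let the loop run far longer than a hand-written test suite would.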
Components – Release: Preparing for use of the software
– Is there a final security review that tracks the above steps?
– Is an exception needed – who approves?
– Is there a pre-defined security incident response plan for rollout?
– Archive all security documentation
Components – Response: Ensure the development team is available to respond to possible security vulnerabilities or privacy issues
– Execute the security plan, if required
Questions
– Is the Security Development Lifecycle relevant to development at UC Davis?
– What if the SDL was integrated into IET development?