Published by Jonah Pitts. Modified over 8 years ago.
1
Security Development Lifecycle
2
Microsoft SDL Overview. The SDL is composed of proven security practices. It works in development organizations regardless of their size or platform. SDL does not necessarily change existing processes; it adds security to your existing processes. It consists of multiple phases in which core software assurance activities are defined.
3
Security is an attitude! Just add some security steps and rules!
4
SDL Process: Education, Accountability, Ongoing Process Improvements
5
Microsoft SDL Core Philosophy. The Microsoft SDL is a holistic and comprehensive approach. SDL ensures that you get your work done securely! How do you get rid of bad habits? Replace them with good ones! SDL helps you identify ALL attack vectors and stay constantly vigilant, looking at your code and environment from the attacker's point of view.
6
Secure Design Principles: Threat Modeling
7
Threat Model Overview. A security-based analysis that helps people determine the highest-level security risks posed to the product and how attacks can manifest themselves. The goal is to determine which threats require mitigation and how to mitigate them. Important: you cannot build a secure system until you understand your threats. It's as simple as that. The key point is to get you to think about the security of your application in a relatively formal way.
8
Threat Model Core Philosophy. Core SDL secure design principles:
Attack Surface Reduction
Basic Privacy
Threat Modeling (a part of your architecture)
Defense in Depth
Least Privilege
Secure Defaults
9
Benefits of using TM. TM helps you understand your application: you will know the makeup of your app better. TM helps you find complex design defects. The TM should be read by other product teams that build on your product, to help them find threats in your product. TM helps you find bugs; in fact, 50% of bugs are found through threat analysis. TM helps new team members understand the app in detail; it can serve as a vehicle to shorten the learning curve. TMs are useful for testers: testers should test against the threat model, which will help them develop new tools.
10
How to perform TM:
1. Assemble the threat-modeling team.
2. Decompose the application.
3. Determine the threats to the system.
4. Rank the threats by decreasing risk.
5. Choose how to respond to the threats.
6. Choose techniques to mitigate the threats.
11
STRIDE Threat Types (Desired Property / Threat / Definition):
Authentication / Spoofing: Impersonating something or someone else
Integrity / Tampering: Modifying code or data without authorization
Non-repudiation / Repudiation: The ability to claim to have not performed some action against an application
Confidentiality / Information Disclosure: The exposure of information to unauthorized users
Availability / Denial of Service: The ability to deny or degrade a service to legitimate users
Authorization / Elevation of Privilege: The ability of a user to elevate their privileges within an application without authorization
12
How to respond to threats:
Option 1: Do nothing. Incorrect, because the problem is latent. If you decide to do nothing, can the feature at least be disabled by default?
Option 2: Warn the user. Also problematic: many users don't know what the right decision is, and users will ignore warnings if they come up too often.
Option 3: Remove the problem. Don't ship with a security flaw; rather, pull the feature from the product. Don't want to do that? Remember, there's always the next version!
Option 4: Fix the problem. Remedy the problem with technology. This is the most difficult option and involves the most work.
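As an added example (not part of this slide deck), a small Python threat register that follows the slide-10 procedure and the slide-12 decision rule: STRIDE categories map to the property they violate, threats are ranked by an assumed likelihood x impact score, and a review flags any "do nothing" response on a feature that ships enabled. The scoring scale, component names and sample threats are constructed.

```python
# Added example, not from the slide deck: a small threat register that applies the
# slide-10 steps (determine threats, rank by risk, choose a response) and the
# slide-12 rule that "do nothing" is only defensible if the feature is off by default.
from dataclasses import dataclass

# STRIDE threat -> the desired property it violates (slide 11)
STRIDE = {"Spoofing": "Authentication", "Tampering": "Integrity",
          "Repudiation": "Non-repudiation", "Information Disclosure": "Confidentiality",
          "Denial of Service": "Availability", "Elevation of Privilege": "Authorization"}
RESPONSES = {"do nothing", "warn the user", "remove the feature", "fix the problem"}

@dataclass
class Threat:
    component: str
    stride: str
    description: str
    likelihood: int   # 1 (rare) .. 3 (likely); assumed scale, not from the deck
    impact: int       # 1 (low)  .. 3 (severe)
    response: str
    off_by_default: bool = False

def risk(t: Threat) -> int:
    """Simple likelihood x impact score (assumed; the deck does not prescribe one)."""
    return t.likelihood * t.impact

def rank_threats(threats: list[Threat]) -> list[Threat]:
    """Highest risk first, so mitigation effort goes to the top of the list."""
    return sorted(threats, key=risk, reverse=True)

def review(threats: list[Threat]) -> list[str]:
    """Findings for the register; an empty list means every threat has a defensible response."""
    findings = []
    for t in threats:
        if t.stride not in STRIDE:
            findings.append(f"{t.component}: unknown STRIDE category {t.stride!r}")
        if t.response not in RESPONSES:
            findings.append(f"{t.component}: unknown response {t.response!r}")
        elif t.response == "do nothing" and not t.off_by_default:
            findings.append(f"{t.component}: 'do nothing' but the feature ships enabled")
    return findings

# Constructed sample register for a hypothetical web application
SAMPLE = [
    Threat("login form", "Spoofing", "credential replay over plaintext HTTP", 3, 3, "fix the problem"),
    Threat("audit log", "Repudiation", "entries carry no authenticated identity", 2, 2, "fix the problem"),
    Threat("debug endpoint", "Information Disclosure", "stack traces reveal file paths", 2, 1, "do nothing"),
    Threat("legacy export", "Tampering", "export file is not signed", 1, 2, "do nothing", off_by_default=True),
]

if __name__ == "__main__":
    print([(risk(t), t.stride, STRIDE[t.stride], t.component) for t in rank_threats(SAMPLE)])
    print(review(SAMPLE))
```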
13
Books related to SDL:
Threat Modeling (Microsoft Professional), Frank Swiderski and Window Snyder, July 14, 2004. ISBN-10: 0735619913, ISBN-13: 978-0735619913.
The Security Development Lifecycle, Michael Howard and Steve Lipner, June 28, 2006. ISBN-10: 0735622140, ISBN-13: 978-0735622142.
Writing Secure Code, Second Edition, Michael Howard and David C. LeBlanc, December 4, 2002. ISBN-10: 0735617228, ISBN-13: 978-0735617223.
Writing Secure Code for Vista, Michael Howard and David C. LeBlanc, April 11, 2007. ISBN-10: 0735623937, ISBN-13: 978-0735623934.