Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Development Life Cycle Baking Security into Development September 2010.

Published bySylvia McDonald Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Development Life Cycle Baking Security into Development September 2010."— Presentation transcript:

1 Security Development Life Cycle Baking Security into Development September 2010

2 The Security Development Life Cycle 2 Source: Microsoft Security Development Lifecycle, 2010

3 Components Training: Understand fundamentals of secure development and coding – Secure design – Threat modeling – Secure coding and testing – Privacy, risk and best practices 3

4 Components Requirements: Define functional AND security requirements – Assess SDL applicability in respect to security and privacy implications – Assign SDL responsibilities – Identity SDL tools – Create security/privacy plan 4

5 Components Design: establish best security practices for project – Does the application design/functionality present vulnerabilities to common threats? – Focus on keeping functionality but reduce attack surface – Predefined prohibitions, e.g., firewall changes, weak cryptography http://www.microsoft.com/security/sdl/getstarted/threatmodeli ng.aspx 5

6 Components Implementation: Detect and remove security and privacy issues early in development – Static code analyzers – Identification of Banned APIs that are difficult to use correctly (e.g., strcpy C routine) – Use secure code libraries – Use operating system “defense in depth” protections, such as address space layout randomization and corrupted heap termination 6

7 Components Verification: Conduct attack surface analysis and threat modeling – Dynamic analysis tools such as AppScan – Use of fuzzers, e.g., OWASP jBROFuzz, to identify program failure or recovery with random or unexpected results 7

8 Components Release: Preparing for use of the software – Is there a final security review that tracks the above steps? – Is an exception needed – who approves? – Is there a pre-defined security incident response plan for rollout? – Archive all security documentation 8

9 Components Response: Ensure development team is available to response to possible security vulnerabilities or privacy issues – Execute security plan, if required 9

10 Questions Is the Security Development Lifecycle relevant to development at UC Davis? What if the SDL was integrated into IET development? 10

Download ppt "Security Development Life Cycle Baking Security into Development September 2010."

Similar presentations

For SIGAda Conference, 2005 November, Atlanta 1 A New Standards Project on Avoiding Programming Language Vulnerabilities Jim Moore Liaison Representative.

For SIGAda Conference, 2005 November, Atlanta 1 A New Standards Project on Avoiding Programming Language Vulnerabilities Jim Moore Liaison Representative.
For C Language WG, 2006 March, Berlin 1 A New Standards Project on Avoiding Programming Language Vulnerabilities Jim Moore Liaison Representative from.

For C Language WG, 2006 March, Berlin 1 A New Standards Project on Avoiding Programming Language Vulnerabilities Jim Moore Liaison Representative from.
SDL in an Agile World MSSD-3 третья по счету конференция, посвященная всестороннему обсуждению популярной и важной темы – минимизация уязвимостей программного.

SDL in an Agile World MSSD-3 третья по счету конференция, посвященная всестороннему обсуждению популярной и важной темы – минимизация уязвимостей программного.
2002-2003 2004 2005-2007 Now Bill Gates writes “Trustworthy Computing” memo early 2002 “Windows security push” for Windows Server 2003 Security push.

Now Bill Gates writes “Trustworthy Computing” memo early 2002 “Windows security push” for Windows Server 2003 Security push.
12 November 2009 Bryan Sullivan Senior Security Program Manager, Microsoft SDL.

12 November 2009 Bryan Sullivan Senior Security Program Manager, Microsoft SDL.
Achieving (and Maintaining) Compliance With Secure Software Development Compliance Requirements (ISC)² SecureSDLC May 17, 2012.

Achieving (and Maintaining) Compliance With Secure Software Development Compliance Requirements (ISC)² SecureSDLC May 17, 2012.
Security Controls – What Works

Security Controls – What Works
Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.

Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
Software Security Testing by Gary McGraw, Bruce Potter presented by Edward Bonver 11/07/2005.

Software Security Testing by Gary McGraw, Bruce Potter presented by Edward Bonver 11/07/2005.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.

Patch Management Strategy

Patch Management Strategy
Introduction to Network Defense

Introduction to Network Defense
1 Business Continuity. 2 Continuity strategy Business impact Incident response Disaster recovery Business continuity.

1 Business Continuity. 2 Continuity strategy Business impact Incident response Disaster recovery Business continuity.
Resiliency Rules: 7 Steps for Critical Infrastructure Protection.

Resiliency Rules: 7 Steps for Critical Infrastructure Protection.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
Effective Methods for Software and Systems Integration

Effective Methods for Software and Systems Integration

Similar presentations

Ads by Google