At work, I've been helping one of my teams implement portions of Microsoft's Secure Development Lifecycle (SDL). SDL is more than just plinking around attempting some penetration testing--it's a committed approach to secure software design. Here are some of the takeaways from our work:
- The first point I made with my team is that security features DO NOT EQUAL secure features. Having SSL-encrypted communications does not make a web application secure! It just means you have an encrypted communications channel. Secure software isn't secure because of features such as Acegi security, RSA encryption or anything like it. Secure software is produced when developers think securely from the start: when developers write solid, secure code, and when testers help plan and test the software with a security focus.
- The next point we emphasized: threat modeling. As we wrapped up a two-hour threat modeling session, one of the developers commented, "Why didn't we do this months ago, before our code was written!" Good point!! It's never too early to threat model. Analyze your product, paying special attention to where data crosses trust boundaries: user to Internet, Internet to server, server to database, etc. Model threats, wild and crazy or down-to-earth. Our threat modeling has resulted in 9 potential threats so far, and we expect several more as we continue.
- Security comes in layers. Back when I lived in India, I toured the Delhi fort. This fort was built by professionals. It has a deep moat around it. Tall, thick walls surround an inner wall, and inside that inner wall lies the fort. That's how our code should be! OK - so you're authenticated via Acegi and LDAP. You're encrypted with SSL. That's great - but what if someone logs in with a valid account, then tries to hijack another session? Your layered security will catch hacks like this--authorize anytime someone tries to access sensitive data. Even if you've already authenticated and authorized, do it again! Layers bring security.
- Reduce your footprint: in Agra, where the Taj Mahal is, there's another fort (these Mughals were building forts everywhere!). This fort is on the edge of town, in the hills. Compared to the Taj, the fort is tiny. This is referred to as attack surface reduction. Only allow public access to a few of your resources. If you have features which suffer from weak security, disable them by default or remove them completely. Give hackers as little space as you can.
- Train your engineers (dev and test). There's common training needed by both (elements of secure design, running a threat model, etc.) and there are discipline-specific trainings such as penetration testing or the application of specific technologies. The SDL is called a lifecycle because it's a continuous process. Lather, rinse, repeat and all that.
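The layered-security point above, as an added example that is not from the original post: a handler that trusts authentication alone (the outer wall) beside one that also authorizes each individual access to a sensitive record (the inner wall). The session store, record store, user names and record ids are constructed for illustration.

```python
# Added example: authentication alone vs. layered authorization.
# All data below is constructed for illustration.

# Sessions that have already authenticated (session token -> user).
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}

# Sensitive records, each owned by exactly one user.
RECORDS = {
    101: {"owner": "alice", "ssn": "xxx-xx-1111"},
    202: {"owner": "bob", "ssn": "xxx-xx-2222"},
}


class AccessDenied(Exception):
    """Raised when either security layer refuses the request."""


def authenticate(session_id: str) -> str:
    """Outer layer: map a session token to a user, or refuse."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise AccessDenied("no valid session")
    return user


def get_record_auth_only(session_id: str, record_id: int) -> dict:
    """Single layer: any authenticated user can read any record.
    A valid account is enough to read other users' data."""
    authenticate(session_id)
    return RECORDS[record_id]


def get_record_layered(session_id: str, record_id: int) -> dict:
    """Two layers: authenticate, then authorize *this* access as well."""
    user = authenticate(session_id)
    record = RECORDS.get(record_id)
    # Same response for "missing" and "not yours" so the check leaks nothing.
    if record is None or record["owner"] != user:
        raise AccessDenied(f"{user} may not read record {record_id}")
    return record


def can_read(handler, session_id: str, record_id: int) -> bool:
    """True if the handler returns the record, False if any layer denies."""
    try:
        handler(session_id, record_id)
        return True
    except (AccessDenied, KeyError):
        return False
```

With authentication alone, Bob's valid session reads Alice's record; the layered handler denies it while still serving each owner their own data.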
Our training has produced benefits. For starters, developers have a new security-focused mindset. We've found a few security bugs already, and our threat model has exposed some potential issues. This is great progress, and it comes from just one day of work. Imagine what we'll be like in a few months, after a day or two of training and a complete milestone with security in mind!
It's never too early or too late to take a step back and start thinking security. I designed our course based on my experience at Microsoft, which was neatly documented in Michael Howard's new book "SDL: Secure Development Lifecycle". I cannot recommend reading this book enough!
Got a security question? Post it here...
I would like to know the SQA role in the SDLC phases. The standard practice is that without SQA approval the development team cannot go to the next phase.
How can an SQA engineer assure that the design phase is accurate as per the requirement analysis phase and that coding follows the design document? Basically an SQA engineer is not working as a designer or programmer. So how will SQA be able to ensure the quality?