Friday, July 25, 2008

Software Quality Assurance: SDL (Secure Development Lifecycle)

At work, I've been helping one of my teams implement portions of Microsoft's Secure Development Lifecycle (SDL). SDL is more than just plinking around attempting some penetration testing--it's a committed approach to secure software design. Here are some of the takeaways from our work:

  1. The first point I made with my team is that security features DO NOT EQUAL secure features. Having SSL-encrypted communications does not make a web application secure! It just means you have an encrypted communications channel. Secure software isn't secure because of features such as Acegi security, RSA encryption or anything like it. Secure software is produced when developers think securely from the start: when code is written safely, when developers write solid, secure code, and when testers help plan and test the software with a secure focus.
  2. Next point we emphasized: threat modeling. As we wrapped up a two-hour threat modeling session, one of the developers commented "Why didn't we do this months ago, before our code was written!". Good point!! It's never too early to threat model. Analyze your product, paying special attention to where data crosses boundaries: user to Internet, Internet to server, server to database, etc. Model threats, wild and crazy or down-to-earth. Our threat modeling has resulted in 9 potential threats so far, and we expect several more as we continue.
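The boundary-crossing exercise above, as an added example that is not code from the post: a minimal data-flow model of a web shop in which each element is assigned a trust zone, the flows whose endpoints sit in different zones are picked out, and each crossing gets a first-pass list of STRIDE categories. The elements, zones, flows and the STRIDE lookup table are all constructed assumptions of this example.

```python
from dataclasses import dataclass

# Added example, not code from the post: a minimal data-flow threat model
# that finds trust-boundary crossings and proposes STRIDE categories.
# The elements, zones and flows below are constructed for illustration.

@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external" (user / third party), "process", or "store"
    zone: str   # trust zone the element runs in

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str   # what travels over the flow

# Heuristic table (an assumption of this example): which STRIDE categories
# deserve a first look when a flow of a given shape crosses a trust boundary.
STRIDE_BY_CROSSING = {
    ("external", "process"): ["Spoofing", "Tampering", "Repudiation", "Denial of service"],
    ("process", "external"): ["Information disclosure", "Tampering"],
    ("process", "process"):  ["Spoofing", "Tampering", "Information disclosure", "Denial of service"],
    ("process", "store"):    ["Tampering", "Information disclosure", "Elevation of privilege"],
    ("store", "process"):    ["Information disclosure", "Tampering"],
}

def boundary_crossings(flows):
    """Flows whose endpoints sit in different trust zones."""
    return [f for f in flows if f.src.zone != f.dst.zone]

def threats_for(flows):
    """One (flow, STRIDE category) candidate per applicable category per crossing."""
    candidates = []
    for f in boundary_crossings(flows):
        for category in STRIDE_BY_CROSSING.get((f.src.kind, f.dst.kind), ["Tampering"]):
            candidates.append((f, category))
    return candidates

def report(flows):
    """Human-readable list, one line per candidate threat."""
    return [f"{f.src.name} -> {f.dst.name} [{f.src.zone}->{f.dst.zone}] "
            f"carrying '{f.data}': {category}"
            for f, category in threats_for(flows)]

# Constructed model: a customer-facing web shop.
USER = Element("Customer browser", "external", "internet")
WEB  = Element("Web front end", "process", "dmz")
APP  = Element("Order service", "process", "internal")
DB   = Element("Orders database", "store", "internal")

FLOWS = [
    Flow(USER, WEB, "login form and order"),
    Flow(WEB, USER, "rendered order page"),
    Flow(WEB, APP, "order request"),
    Flow(APP, DB, "order insert/select"),   # same zone: not a crossing
    Flow(DB, APP, "order rows"),            # same zone: not a crossing
]

if __name__ == "__main__":
    for line in report(FLOWS):
        print(line)
```

The output is a starting list, not a finished threat model: each candidate still needs a human to decide whether it is real, what the mitigation is, and who owns it. The point of the table is only to make sure no crossing is skipped.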
  3. Security comes in layers. Back when I lived in India, I toured the Delhi fort. This fort was built by professionals. It has a deep moat around it. Tall, thick walls surround an inner wall, and inside that inner wall lies the fort. That's how our code should be! OK - so you're authenticated via Acegi and LDAP. You're encrypted with SSL. That's great - but what if someone logs in with a valid account, then tries to hijack another session? Your layered security will catch hacks like this--authorize anytime someone tries to access sensitive data. Even if you've already authenticated and authorized, do it again! Layers bring security.
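The layering described above, as an added example that is not code from the post: a request handler that authenticates the session (the post's Acegi/LDAP layer) and then authorizes again at the moment a record is read, so a valid login for one account cannot read another account's data. The in-memory session store, records, admin set and audit list are stand-ins assumed by this example.

```python
import hashlib

# Added example, not code from the post: authentication and authorization as
# separate layers that both run on every request. The post's stack (Acegi,
# LDAP, SSL) is replaced by in-memory stand-ins, which are an assumption here.

class AuthError(Exception):
    """Session could not be tied to a user."""

class Forbidden(Exception):
    """Authenticated, but not allowed to touch this record."""

def _fingerprint(token: str) -> str:
    """Store only a hash of the session token so a leaked store is not a leaked session."""
    return hashlib.sha256(token.encode()).hexdigest()

# Constructed data: active sessions (keyed by token hash) and user-owned records.
SESSIONS = {_fingerprint("tok-alice"): "alice", _fingerprint("tok-bob"): "bob"}
RECORDS = {
    101: {"owner": "alice", "body": "alice's statement"},
    202: {"owner": "bob",   "body": "bob's statement"},
}
ADMINS = {"carol"}
AUDIT = []   # denials are recorded; a burst of them is a detection signal

def authenticate(token: str) -> str:
    """Layer 1: map the presented session token to a user, or fail closed."""
    user = SESSIONS.get(_fingerprint(token))
    if user is None:
        AUDIT.append(("auth_failed", None, None))
        raise AuthError("invalid or expired session")
    return user

def authorize_record(user: str, record_id: int) -> dict:
    """Layer 2: object-level check on every access, even for a logged-in user."""
    record = RECORDS.get(record_id)
    # Unknown and unowned records get the same answer, so the response
    # does not reveal which record ids exist.
    if record is None or (record["owner"] != user and user not in ADMINS):
        AUDIT.append(("access_denied", user, record_id))
        raise Forbidden("not allowed")
    return record

def get_statement(token: str, record_id: int) -> str:
    """Request handler: both layers run regardless of any earlier successful login."""
    user = authenticate(token)
    record = authorize_record(user, record_id)
    return record["body"]

def attempt(token: str, record_id: int) -> str:
    """Outcome label for one request: 'ok', 'auth_failed' or 'forbidden'."""
    try:
        get_statement(token, record_id)
        return "ok"
    except AuthError:
        return "auth_failed"
    except Forbidden:
        return "forbidden"

def denied_count() -> int:
    """How many authorized users were refused a record they did not own."""
    return sum(1 for event, _, _ in AUDIT if event == "access_denied")

if __name__ == "__main__":
    print(attempt("tok-alice", 101), attempt("tok-alice", 202), attempt("bogus", 101))
```

The second layer is the one that catches the scenario in the post: the caller is a real, authenticated user, so only the ownership check at the data access stands between them and someone else's record. Logging the denials gives the operations team something to alert on.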
  4. Reduce your footprint: in Agra, where the Taj Mahal is, there's another fort (these Mughals were building forts everywhere!). This fort is on the edge of town, in the hills. Compared to the Taj, the fort is tiny. This is referred to as attack surface reduction. Only allow public access to a few of your resources. If you have features which suffer from weak security, disable them by default or remove them completely. Give hackers as little space as you can.
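One way to make "off by default" measurable, as an added example that is not code from the post: a feature inventory in which every network-facing feature declares whether it is reachable without authentication and whether it is known to be weak, a secure-default rule that keeps weak features off unless a deployment opts in, and a build gate that fails when the public surface grows past a budget. The feature names and the budget are constructed assumptions.

```python
from dataclasses import dataclass

# Added example, not code from the post: an attack-surface inventory where
# every network-facing feature declares its exposure and anything known to be
# weak stays off unless a deployment explicitly turns it on. Feature names
# and the public-surface budget are constructed.

@dataclass(frozen=True)
class Feature:
    name: str
    public: bool   # reachable without authentication
    weak: bool     # known weak security: must be off by default

CATALOG = [
    Feature("login",             public=True,  weak=False),
    Feature("password_reset",    public=True,  weak=False),
    Feature("account_statement", public=False, weak=False),
    Feature("legacy_soap_api",   public=True,  weak=True),   # old unauthenticated interface
    Feature("debug_console",     public=True,  weak=True),   # diagnostic page
]

def effective_features(catalog, overrides=None):
    """Secure default: strong features on, weak features off unless overridden."""
    overrides = overrides or {}
    return [f for f in catalog if overrides.get(f.name, not f.weak)]

def attack_surface(catalog, overrides=None):
    """Sorted names of enabled features that an unauthenticated caller can reach."""
    return sorted(f.name for f in effective_features(catalog, overrides) if f.public)

def check_build(catalog, overrides=None, max_public=3):
    """Build gate: list problems when weak features are on or the public surface exceeds budget."""
    enabled = effective_features(catalog, overrides)
    problems = []
    weak_on = sorted(f.name for f in enabled if f.weak)
    if weak_on:
        problems.append(f"weak features enabled: {weak_on}")
    public = attack_surface(catalog, overrides)
    if len(public) > max_public:
        problems.append(f"public surface {len(public)} exceeds budget {max_public}: {public}")
    return problems

if __name__ == "__main__":
    print("default surface:", attack_surface(CATALOG))
    print("problems with debug console on:", check_build(CATALOG, {"debug_console": True}))
```

Running the gate in the build means the public surface can only grow through a visible, reviewed change to the overrides, which is the point of the small-fort analogy.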
  5. Train your engineers (dev and test). There's common training needed by both (elements of secure design, running a threat model, etc.) and there are discipline-specific trainings such as penetration testing or the application of specific technologies. The SDL is called a lifecycle because it's a continuous process. Lather, rinse, repeat and all that.

Our training has produced benefits. For starters, developers have a new security-focused mindset. We've found a few security bugs already, and our threat model has exposed some potential issues. This is great progress, and it comes from just one day of work. Imagine what we'll be like in a few months, after a day or two of training and a complete milestone with security in mind!

It's never too early or too late to take a step back and start thinking security. I designed our course based on my experience at Microsoft, which was neatly documented in Michael Howard's new book "SDL: Secure Development Lifecycle". I cannot recommend reading this book enough!

Got a security question? Post it here...

14 comments:

  3. I would like to know the SQA role in the SDLC phases. In standard practice, without SQA approval the development team cannot go to the next phase.
    How can an SQA engineer assure that the design phase is accurate as per the requirement analysis phase and that coding is going as per the design document? Basically, the SQA engineer is not working as a designer or programmer. So how will SQA be able to ensure the quality?

  14. In secure software development, planning is an objective of each and every activity, where we want to discover the things that belong to the project and are more useful for the SDLC.
