Friday, July 25, 2008

Software Quality Assurance: SDL (Secure Development Lifecycle)

At work, I've been helping one of my teams implement portions of Microsoft's Secure Development Lifecycle (SDL). SDL is more than just plinking around attempting some penetration testing--it's a committed approach to secure software design. Here are some of the takeaways from our work:

  1. The first point I made with my team is that security features DO NOT EQUAL secure features. Having SSL-encrypted communications does not make a web application secure! It just means you have an encrypted communications channel. Software isn't secure because of features such as Acegi Security, RSA encryption or anything like it. Secure software is produced when developers think about security from the start: when code is written safely, when developers write solid, secure code, and when testers help plan and test the software with a security focus.
  2. The next point we emphasized: threat modeling. As we wrapped up a two-hour threat modeling session, one of the developers commented, "Why didn't we do this months ago, before our code was written!" Good point! It's never too early to threat model. Analyze your product, paying special attention to where data crosses trust boundaries: user to Internet, Internet to server, server to database, etc. Model threats, wild and crazy or down-to-earth. Our threat modeling has produced 9 potential threats so far, and we expect several more as we continue.
  3. Security comes in layers. Back when I lived in India, I toured the Delhi fort. This fort was built by professionals. It has a deep moat around it. Tall, thick walls surround an inner wall, and inside that inner wall lies the fort. That's how our code should be! OK, so you're authenticated via Acegi and LDAP. You're encrypted with SSL. That's great, but what if someone logs in with a valid account, then tries to hijack another session? Your layered security will catch attacks like this: authorize every time someone tries to access sensitive data. Even if you've already authenticated and authorized, do it again! Layers bring security.
  4. Reduce your footprint: in Agra, where the Taj Mahal is, there's another fort (these Mughals were building forts everywhere!). This fort is on the edge of town, in the hills. Compared to the Taj, the fort is tiny. This is the idea behind attack surface reduction. Only allow public access to a few of your resources. If you have features which suffer from weak security, disable them by default or remove them completely. Give attackers as little space as you can.
  5. Train your engineers (dev and test). There's common training needed by both (elements of secure design, running a threat model, etc.) and there is discipline-specific training such as penetration testing or the application of specific technologies. The SDL is called a lifecycle because it's a continuous process. Lather, rinse, repeat and all that.
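To make point 2 concrete, here is an added example (not code from the post) that sketches the data flows the post names, user to Internet to server to database, finds the flows that cross a trust boundary, and attaches the STRIDE categories that Microsoft's SDL threat modeling assigns to each kind of element. The component names and trust levels are assumptions chosen for the illustration.

```python
from collections import namedtuple

Component = namedtuple("Component", "name kind trust")  # kind: external, process or store
Flow = namedtuple("Flow", "src dst data")

# STRIDE categories that apply to each kind of data-flow-diagram element,
# the standard mapping used in Microsoft's SDL threat modeling.
THREATS_BY_KIND = {
    "external": ("Spoofing", "Repudiation"),
    "process": ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
                "Denial of service", "Elevation of privilege"),
    "store": ("Tampering", "Repudiation", "Information disclosure",
              "Denial of service"),
    "flow": ("Tampering", "Information disclosure", "Denial of service"),
}

# Constructed sample model following the post's boundaries: user -> Internet ->
# server -> database.  Names and trust levels are assumptions for illustration.
COMPONENTS = {
    "browser": Component("browser", "external", 0),
    "webapp": Component("webapp", "process", 2),
    "database": Component("database", "store", 3),
}
FLOWS = [
    Flow("browser", "webapp", "login form"),
    Flow("webapp", "browser", "account page"),
    Flow("webapp", "database", "SQL query"),
    Flow("database", "webapp", "result set"),
    Flow("webapp", "webapp", "session cache lookup"),  # stays inside one trust level
]

def boundary_crossings(components, flows):
    """A flow crosses a trust boundary when its endpoints differ in trust level."""
    return [f for f in flows if components[f.src].trust != components[f.dst].trust]

def threat_worklist(components, flows):
    """Map every boundary-crossing flow, and every element that touches one, to
    the STRIDE categories the team must walk through for it.  An element is
    listed once even when several crossings touch it."""
    work = {}
    for f in boundary_crossings(components, flows):
        work[f"flow {f.src}->{f.dst} ({f.data})"] = set(THREATS_BY_KIND["flow"])
        for name in (f.src, f.dst):
            c = components[name]
            work.setdefault(c.name, set()).update(THREATS_BY_KIND[c.kind])
    return {k: sorted(v) for k, v in work.items()}

if __name__ == "__main__":
    for item, cats in threat_worklist(COMPONENTS, FLOWS).items():
        print(f"{item}: {', '.join(cats)}")
```

Each line of the output is one cell the team has to decide on: either a real threat to record and mitigate, or an explicit "not applicable" with a reason.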

Our training has produced benefits. For starters, developers have a new security-focused mindset. We've found a few security bugs already, and our threat model has exposed some potential issues. This is great progress, and it comes from just one day of work. Imagine what we'll be like in a few months, after a day or two of training and a complete milestone with security in mind!
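The kind of bug point 3 warns about, and the layered fix, as an added example that is not code from the post or the team's project. The session table, account records and user names are constructed for the illustration; `login` stands in for whatever real authentication (Acegi, LDAP) the application uses.

```python
import secrets

# Constructed sample data: two users' account records and a session table.
ACCOUNTS = {
    "acct-1": {"owner": "alice", "balance": 120},
    "acct-2": {"owner": "bob", "balance": 45},
}
SESSIONS = {}  # session token -> username

def login(username):
    """Issue a fresh random session token (stands in for the real login step)."""
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token

def logout(token):
    SESSIONS.pop(token, None)

def authenticate(token):
    """Layer 1: is this a live session?  Returns the principal, or None."""
    return SESSIONS.get(token)

def get_account_insecure(token, account_id):
    """Checks only that the caller is logged in, then trusts whatever account_id
    the request names: any valid session can read any user's record."""
    if authenticate(token) is None:
        raise PermissionError("not authenticated")
    return ACCOUNTS[account_id]

def authorize(principal, account_id):
    """Layer 2: does this principal own the record being requested?"""
    record = ACCOUNTS.get(account_id)
    return record is not None and record["owner"] == principal

def get_account_layered(token, account_id):
    """Re-authenticates and re-authorizes on every access to sensitive data, so
    a session that is still valid cannot be used to read someone else's record."""
    principal = authenticate(token)
    if principal is None:
        raise PermissionError("not authenticated")
    if not authorize(principal, account_id):
        raise PermissionError(f"{principal} is not allowed to read {account_id}")
    return ACCOUNTS[account_id]

def can_read(token, account_id):
    """True if the layered handler would serve the record to this session."""
    try:
        get_account_layered(token, account_id)
        return True
    except PermissionError:
        return False
```

The insecure handler passes a naive test (a logged-in user gets an account back); the defect only shows when the test asks for a record the session does not own, which is exactly the case a threat model of the server-to-database boundary should put on the test plan.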

It's never too early or too late to take a step back and start thinking security. I designed our course based on my experience at Microsoft, which was neatly documented in Michael Howard's new book "SDL: Secure Development Lifecycle". I cannot recommend reading this book enough!

Got a security question? Post it here...

18 comments:

  2. I would like to know the SQA role in the SDLC phases. The standard practice is that without SQA approval the development team cannot go to the next phase.
    How can an SQA engineer assure that the design phase is accurate as per the requirement analysis phase and that coding is going as per the design document? Basically the SQA engineer is not working as a designer or programmer. So how will SQA be able to ensure the quality?

  5. In secure software development, planning is an objective of each and every activity, where we want to discover things that belong to the project and are more useful for the SDLC.
