Security Development Life Cycle Baking Security into Development September 2010.


Transcript of Security Development Life Cycle Baking Security into Development September 2010.

Page 1

Security Development Life Cycle

Baking Security into Development

September 2010

Page 2

The Security Development Life Cycle


Source: Microsoft Security Development Lifecycle, 2010

Page 3

Components

• Training: Understand fundamentals of secure development and coding
– Secure design
– Threat modeling
– Secure coding and testing
– Privacy, risk and best practices


Page 4

Components

• Requirements: Define functional AND security requirements
– Assess SDL applicability in respect to security and privacy implications
– Assign SDL responsibilities
– Identify SDL tools
– Create security/privacy plan


Page 5

Components

• Design: Establish best security practices for the project
– Does the application design/functionality present vulnerabilities to common threats?
– Focus on keeping functionality but reduce attack surface
– Predefined prohibitions, e.g., firewall changes, weak cryptography

http://www.microsoft.com/security/sdl/getstarted/threatmodeling.aspx


Page 6

Components

• Implementation: Detect and remove security and privacy issues early in development
– Static code analyzers
– Identification of banned APIs that are difficult to use correctly (e.g., the strcpy C routine)
– Use secure code libraries
– Use operating system “defense in depth” protections, such as address space layout randomization and corrupted heap termination
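The banned-API point on this slide, as an added example that is not part of the original deck: the strcpy() call that the SDL bans, shown beside a size-aware replacement that rejects input that does not fit instead of silently truncating it. NAME_MAX, set_name_banned, set_name_checked and name_fits are names assumed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* size of the fixed destination buffer (assumed for this example) */

/* Banned pattern: strcpy() cannot know how large dst is, so any source
 * longer than NAME_MAX - 1 bytes writes past the end of the buffer.
 * An SDL static analyzer flags this call; it is shown only for contrast. */
void set_name_banned(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);
}

/* Replacement: the caller passes the destination size, input that does
 * not fit is rejected rather than silently truncated, and dst is
 * NUL-terminated on every return path. Returns 0 on success, -1 on error. */
int set_name_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')   /* bounded scan: never reads past dst_size bytes */
        len++;
    if (len >= dst_size) {                       /* no room for the terminator: reject */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);                   /* copies the terminator as well */
    return 0;
}

/* Convenience wrapper: 1 if src fits a NAME_MAX buffer and round-trips intact, else 0. */
int name_fits(const char *src)
{
    char buf[NAME_MAX];
    if (set_name_checked(buf, sizeof buf, src) != 0)
        return 0;
    return strcmp(buf, src) == 0;
}

int main(void)
{
    /* constructed inputs: one that fits, one that would have overflowed strcpy() */
    printf("alice fits: %d\n", name_fits("alice"));
    printf("long name fits: %d\n", name_fits("this-name-is-far-too-long"));
    return 0;
}
```

Microsoft's strcpy_s follows the same contract (fail on oversized input rather than truncate), which is why the SDL banned-API list names it as the replacement.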


Page 7

Components

• Verification: Conduct attack surface analysis and threat modeling
– Dynamic analysis tools such as AppScan
– Use of fuzzers, e.g., OWASP jBROFuzz, to identify program failure or recovery when given random or unexpected inputs


Page 8

Components

• Release: Preparing for use of the software
– Is there a final security review that tracks the above steps?
– Is an exception needed – who approves?
– Is there a pre-defined security incident response plan for rollout?
– Archive all security documentation


Page 9

Components

• Response: Ensure the development team is available to respond to possible security vulnerabilities or privacy issues
– Execute the security plan, if required


Page 10

Questions

• Is the Security Development Lifecycle relevant to development at UC Davis?

• What if the SDL was integrated into IET development?
