Security Development Lifecycle (baking it in)

Security, like User Experience, is not something that can be bolted on, provided by an add-in, or added after the fact. Truly secure, survivable systems have to be designed that way from the start and kept that way through every change. The SDL focuses on three things: Education, Process Improvement, and Accountability.

  1. Education – teaching developers secure design principles and secure coding techniques
  2. Process Improvement – implementing the SDL on product and project teams to reduce vulnerabilities and keep the team focused on security and privacy
  3. Accountability – keeping security requirements, design features, and defects traceable throughout the lifecycle, so nothing is silently dropped between phases

Microsoft offers tools for each phase of the SDL that help your team keep hardening the application as it moves through the development lifecycle.

  • Requirements – SDL process templates that record security and privacy requirements as tracked work items, so they stay visible through the whole lifecycle.
  • Design – The SDL Threat Modeling Tool lets you draw the solution as a data-flow diagram with trust boundaries and enumerates STRIDE threats (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) against each component, so each threat can be mitigated or explicitly accepted.
  • Implementation – Static analysis tools: FxCop checks managed assemblies against its rule set (including security rules), and CAT.NET traces data flows to find untrusted input reaching sensitive sinks such as SQL queries or HTML output.
  • Verification – Attack Surface Analyzer snapshots the system before and after your product is installed and reports what changed (new files, registry keys, services, listening ports, ACLs), so you can verify the deployment exposes only what you intended.
  • Release – SDL templates to document the security posture of the version being shipped and to carry open requirements forward into the next release.
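To make the Design bullet concrete, here is an added example (written for this page, not the SDL Threat Modeling Tool's own code) of the STRIDE-per-element rule the tool applies: each kind of data-flow-diagram element is exposed to a fixed subset of the six STRIDE categories, and flows that cross a trust boundary are the ones to look at first. The element names, trust zones and the browser/web app/database diagram are constructed for the example; the per-element table and the property each category violates are the standard STRIDE mapping.

```python
from dataclasses import dataclass
from typing import Dict, List

# The six STRIDE categories and the security property each one violates.
STRIDE: Dict[str, str] = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}
PROPERTY_VIOLATED: Dict[str, str] = {
    "S": "authentication",
    "T": "integrity",
    "R": "non-repudiation",
    "I": "confidentiality",
    "D": "availability",
    "E": "authorization",
}

# STRIDE-per-element: which categories apply to each DFD element type.
STRIDE_PER_ELEMENT: Dict[str, str] = {
    "external": "SR",      # external entity (user, browser, third-party service)
    "process": "STRIDE",   # code you own and run
    "datastore": "TRID",   # database, file, log
    "dataflow": "TID",     # data moving between two elements
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external" | "process" | "datastore"
    zone: str   # trust zone; a flow between different zones crosses a trust boundary


@dataclass(frozen=True)
class Flow:
    name: str
    src: str    # Element.name
    dst: str    # Element.name


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    property_violated: str
    crosses_boundary: bool


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Apply STRIDE-per-element to every node and edge of the diagram."""
    zone_of = {e.name: e.zone for e in elements}
    threats: List[Threat] = []
    for e in elements:
        if e.kind == "dataflow" or e.kind not in STRIDE_PER_ELEMENT:
            raise ValueError(f"unknown element kind: {e.kind!r}")
        for c in STRIDE_PER_ELEMENT[e.kind]:
            threats.append(Threat(e.name, STRIDE[c], PROPERTY_VIOLATED[c], False))
    for f in flows:
        if f.src not in zone_of or f.dst not in zone_of:
            raise ValueError(f"flow {f.name!r} references an unknown element")
        crosses = zone_of[f.src] != zone_of[f.dst]
        for c in STRIDE_PER_ELEMENT["dataflow"]:
            threats.append(Threat(f.name, STRIDE[c], PROPERTY_VIOLATED[c], crosses))
    return threats


def prioritized(threats: List[Threat]) -> List[Threat]:
    """Threats on flows that cross a trust boundary come first; order is otherwise stable."""
    return sorted(threats, key=lambda t: not t.crosses_boundary)


# Constructed sample diagram (an assumption, not from the page): browser -> web app
# -> database, each in its own trust zone, so both flows cross a boundary.
SAMPLE_ELEMENTS = [
    Element("Browser", "external", "internet"),
    Element("Web app", "process", "dmz"),
    Element("Orders DB", "datastore", "internal"),
]
SAMPLE_FLOWS = [
    Flow("HTTP request", "Browser", "Web app"),
    Flow("SQL query", "Web app", "Orders DB"),
]


def sample_threats() -> List[Threat]:
    """The prioritised threat list for the sample diagram (18 threats, 6 on boundary-crossing flows)."""
    return prioritized(enumerate_threats(SAMPLE_ELEMENTS, SAMPLE_FLOWS))


if __name__ == "__main__":
    for t in sample_threats():
        flag = "boundary" if t.crosses_boundary else "        "
        print(f"[{flag}] {t.target:14} {t.category:24} ({t.property_violated})")
```

Each generated threat is a row the team has to close out with a mitigation, a test, or a documented acceptance; that is the traceability the Accountability pillar above refers to. Note that the table only tells you which categories are plausible for an element type, not which are real for your system, so the diagram's trust zones and the judgment applied to each row still matter.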

Even more information is available from the SDL team blog.