I recently gave a talk at the UK’s Cloud Circle Security Forum in which I included material on the Security Development Lifecycle and was quite amazed at the number of people who came up to me afterwards and expressed an interest in this formalised and process-oriented way of developing secure code. It struck me how deadly seriously folks were taking the security of their apps when deployed to the cloud, as opposed to merely the security of the cloud operator’s infrastructure. If only they’d been this interested in application security when they were running apps on-premise!
…so Microsoft has this thing called the Security Development Lifecycle, or SDL and unless you’re a security guy, just the acronym puts you off. Another thing with an “L” on the end that has to be learned and implemented somehow. Oh, and have you heard of STRIDE? Yes, probably heard the acronym, seen a couple of guys getting a bit too excited about it over a coffee and thought “Note to self – must find out what on earth that’s all about. One day. Just not today”.
The 2 ideas are linked. At this stage I could put a hyperlink in to take you to much better sites that describe it, but will you take the link? Un-flipping-likely. So how can I get across what these things are and how relevant they are to you, Mr. Technologist in the next 2 minutes before something else on your screen grabs your attention and you leave this page never to return? How about we play a game? A card game? I know how much you enjoyed that kind of thing when you were a kid – didn’t you? It’s a card game called Elevation of Privilege designed by Adam Shostack.
The game: you draw a diagram of the proposed architecture for the app you’re working on. The dealer deals the cards and we’re off. First card – Tampering: An attacker can replay data without detection because your code doesn’t provide timestamps or sequence numbers. Look at the diagram; is that true? Well, if it is – it’s just as well you identified that now, rather than found out when doing the forensics after some kind of attack? So – who’s going to deal with that problem?
In this card game there are a bunch of rules about how you get points and who should go next, but it’s not that important. It might sound a little crass, but it’s really quite a novel and interesting way to get a development team actually interested and involved in the security of the app. You can see people playing the game in this minute video. Wind forward to 1 minute 28 seconds where Adam says “…you start by drawing a diagram”.
The game is called “Elevation of Privilege”. It’s a game based on the STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) threat modelling methodologies. It is the gentlest introduction to the SDL I can think of. You might later want to get in to a bit more detail and check out the SDL threat modelling tool. Why you might even become interested enough in the security of your application to read the whitepaper and have a deeper look at the SDL. But whatever you do – please play the game.
Send me an email or leave a comment with your email address and I’ll even send you some Elevation of Privilege playing cards… Alternatively, if I’ve run out, you can download them from here.
Planky – GBR-257