J.D. Meier's Blog

Software Engineering, Project Management, and Effectiveness

patterns & practices Security Engineering Explained

patterns & practices Security Engineering Explained

  • Comments 4

I don't think our patterns & practices Security Engineering Explained guide is very findable, so I'm blogging it.  This could very well be the short guide that forever changes how you do security engineering.  The techniques in the guide are timeless and time-tested.

TOC

  • Chapter 1: Security Engineering Approach
  • Chapter 2: Security Objectives
  • Chapter 3: Security Design Guidelines
  • Chapter 4: Threat Modeling
  • Chapter 5: Security Architecture and Design Review
  • Chapter 6: Security Code Review
  • Chapter 7: Security Deployment Review

It's not a complicated methodology.  Instead, it's a set of techniques that have proven to  be the most valuable. How do we know?  Customer case after customer case.

Incremental Adoption
The beauty of this approach is that you don't have to adopt them all at once.  You can pick and choose the technique you see fits your software life style.  Here's some examples:

  • If I was a developer, I might start with the Security Code Inspections.
  • If I was an independent security consultant, I might first master Threat Modeling or perhaps build services around Security Design Inspections or Security Code Inspections.
  • If I was an architect, I might first master Threat Modeling and Security Design Inspections, as well as how to identify security objectives.
  • If I was a dev manager, I might find an iterative and incremental way to integrate  Threat Modeling, Security Design Inspections, Security Code Inspections, and Security Deployment Inspections into my software development life cycle.
  • If I was in charge of system administration, I would adopt Security Deployment Inspections.  I would also build threat models of the network and servers that the application teams can reuse for their application or product-line threat models.

(Sorry - we don't have a set of patterns & practices guidance on performing specific security testing techniques at this time, though I think it's important and I have done some R&D projects in this area.)

It's worth pointing out that the security techniques baked into Visual Studio Team System use our security engineering approach.  For example, you'll find our threat modeling templates in the MSF Agile and MSF for CMMI process guidance.

How to Get the Guidance

Team
Here's members of the original team that have blogs:

  • This is an oldie but a goodie. Alex (from our original team) walks through our patterns & practices

  • This is an oldie but a goodie. Alex (from our original team) walks through our patterns & practices

  • Here's a quick rundown of my take on key trends. Trends are different from fads since they're longer-lasting

  • Here's a quick rundown of my take on key trends. Trends are different from fads since they're

Page 1 of 1 (4 items)