J.D. Meier's Blog

Software Engineering, Project Management, and Effectiveness

This Blog
Search
Tags
Archives
Archives
My Books
My Blogs / Wikis
Best Of
Personal Development
My Articles
Methods
PM at Microsoft
Getting Results

patterns & practices Security Engineering Explained

MSDN Blogs > J.D. Meier's Blog > patterns & practices Security Engineering Explained

patterns & practices Security Engineering Explained

1 May 2007 12:47 PM
  • Comments 4

I don't think our patterns & practices Security Engineering Explained guide is very findable, so I'm blogging it.  This could very well be the short guide that forever changes how you do security engineering.  The techniques in the guide are timeless and time-tested.

TOC

  • Chapter 1: Security Engineering Approach
  • Chapter 2: Security Objectives
  • Chapter 3: Security Design Guidelines
  • Chapter 4: Threat Modeling
  • Chapter 5: Security Architecture and Design Review
  • Chapter 6: Security Code Review
  • Chapter 7: Security Deployment Review

It's not a complicated methodology.  Instead, it's a set of techniques that have proven to  be the most valuable. How do we know?  Customer case after customer case.

Incremental Adoption
The beauty of this approach is that you don't have to adopt them all at once.  You can pick and choose the technique you see fits your software life style.  Here's some examples:

  • If I was a developer, I might start with the Security Code Inspections.
  • If I was an independent security consultant, I might first master Threat Modeling or perhaps build services around Security Design Inspections or Security Code Inspections.
  • If I was an architect, I might first master Threat Modeling and Security Design Inspections, as well as how to identify security objectives.
  • If I was a dev manager, I might find an iterative and incremental way to integrate  Threat Modeling, Security Design Inspections, Security Code Inspections, and Security Deployment Inspections into my software development life cycle.
  • If I was in charge of system administration, I would adopt Security Deployment Inspections.  I would also build threat models of the network and servers that the application teams can reuse for their application or product-line threat models.

(Sorry - we don't have a set of patterns & practices guidance on performing specific security testing techniques at this time, though I think it's important and I have done some R&D projects in this area.)

It's worth pointing out that the security techniques baked into Visual Studio Team System use our security engineering approach.  For example, you'll find our threat modeling templates in the MSF Agile and MSF for CMMI process guidance.

How to Get the Guidance

Team
Here's members of the original team that have blogs:

Comments
  • J.D. Meier's Blog
    19 Dec 2007 9:39 PM

    This is an oldie but a goodie. Alex (from our original team) walks through our patterns & practices

  • Noticias externas
    19 Dec 2007 10:03 PM

    This is an oldie but a goodie. Alex (from our original team) walks through our patterns & practices

  • J.D. Meier's Blog
    1 Jan 2008 10:40 PM

    Here's a quick rundown of my take on key trends. Trends are different from fads since they're longer-lasting

  • Noticias externas
    1 Jan 2008 11:28 PM

    Here's a quick rundown of my take on key trends. Trends are different from fads since they're

Page 1 of 1 (4 items)