March, 2010

  • The Security Development Lifecycle

    Survey Results: Microsoft SDL awareness on the rise

    Jeremy Dallman here. Earlier today, Errata Security released the results of their survey: Integrating Security into the Software Development LifeCycle. This survey was conducted over a two-week period and gathered information from 46 different companies both online and at events around the RSA 2010 Conference. It was specifically designed to ask people in the software development community about how they integrate security solutions into their development lifecycle.

    We were very glad to see that most companies surveyed have integrated security activities into their development organizations. We were also very encouraged by the awareness and implementation of the Microsoft SDL and Microsoft SDL-Agile methodologies. This provides some great validation that the SDL we apply to Microsoft products is transferable to other software development organizations. The result of more secure software is a more secure software ecosystem and more secure customers.

    If you are using (or considering using) the Microsoft SDL or SDL-Agile methodologies in your organization, we welcome your feedback and recommendations for what you would like to see in the SDL moving forward.

  • The Security Development Lifecycle

    Using Fortify Solutions for a Microsoft SDL Implementation

    Jeremy Dallman here. I wanted to let you know about a great paper from Fortify, one of our newest SDL Pro Network Tools members. The paper highlights the Microsoft SDL approach to secure software development and shows how Fortify’s security solutions can help you implement the SDL and create/deploy more secure software.

    At RSA 2010 last week, Fortify published a paper titled Optimizing the Microsoft SDL for Secure Development: Fortify Solutions to strengthen and streamline a Microsoft SDL Implementation. This paper does an excellent job of explaining the challenges of developing secure software, detailing the Microsoft SDL approach to secure software development, and mapping Fortify’s solution offerings to each SDL Practice based on the Simplified Implementation of the SDL.

    If you are looking for tools to support your implementation of the SDL, I would encourage you to read through Fortify’s paper to see if their solutions can help you.

  • The Security Development Lifecycle

    Telling their SDL stories: IE8 and Office 2007

    Jeremy Dallman here to let you know we published a couple of interesting new Microsoft SDL stories last week, in an effort to continue demonstrating in a tangible and easy-to-read way how Microsoft teams implement the SDL.

    We hear about more companies investigating how they can integrate the Microsoft SDL into their software development process in order to ship more secure software. At Microsoft, we have been doing this for several years, but have only recently shared the stories behind how our product teams do the SDL (see SDL Publications – whitepapers). As Windows Internet Explorer 8 and the 2007 Microsoft Office System were publicly released, the security experts that guided those products through the full Security Development Lifecycle saw an opportunity to share some details about how each of these products executed on the SDL. They have written the stories of the SDL for each of these products.

    How the Security Development Lifecycle helped improve the security of the 2007 Microsoft Office System

    Internet Explorer 8 and the Security Development Lifecycle

    These papers can serve as a reference tool as you begin to think about the implementation of the SDL in your own software development lifecycle. The Microsoft SDL has been in place at Microsoft for almost six years and has demonstrated its effectiveness in improving software security. We hope that these papers, along with the SDL Optimization Model, the Simplified Implementation of the Microsoft SDL whitepaper, and our other resources on the SDL portal, will help you as you begin integrating the Microsoft SDL into your own software development process.

    If you are starting to think about adopting the SDL or already have created your own version of the SDL, we would love to hear from you! Feel free to either tell us in the Comments section of this post or email us directly.

  • The Security Development Lifecycle

    Announcing Elevation of Privilege: The Threat Modeling Game

    What

    Adam Shostack here. I’m pleased to announce that at RSA this week, Microsoft is releasing Elevation of Privilege, the Threat Modeling Game. Elevation of Privilege is the easiest way to get started threat modeling. EoP is a card game for 3-6 players. Card decks are available at Microsoft’s RSA booth, or for download here. The deck contains 74 playing cards in 6 suits: one suit for each of the STRIDE threats (Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service and Elevation of Privilege). Each card has a more specific threat on it.  For example, here’s the 5 of Tampering.

    [Image: the 5 of Tampering card]

    The threat is “an attacker can replay data without detection because your code doesn’t provide timestamps or sequence numbers.”

    Why

    Because we want everyone developing software to threat model, and there’s no better way to get people to do what you want than to ensure they have fun while doing it.

    How

    Everyone in software draws diagrams. From pictures on napkins or whiteboards to DFDs, UML or other formalisms, everyone diagrams.

    • You start with such a diagram (ideally, one focused on data flows) and deal the cards to 3-6 players. You’ll also want to assign someone to take notes.
    • Play starts with the 3 of Tampering. The player with that card reads it out, and explains how the threat on the card (“An attacker can take advantage of your custom key exchange or integrity control which you built instead of using standard crypto”) might apply to the system you’re building. If they can provide a credible threat, they get a point. A credible threat here is one for which you’d file a bug.
    • Play proceeds clockwise until each player has had a chance to play a card. Each player needs to play in suit if they have a card in suit.
    • When each player has played, the highest numbered card played wins. [Ace is high] The player who won gets a point for the hand, and gets to lead the next hand, including picking the suit that leads that next hand.
    • If a player doesn’t have a card in the suit that was led, they may play any card. Elevation of Privilege cards are “trumps” that beat any other suit. Only the suit that was led or Elevation of Privilege can win the hand.

    When you’re done (all the cards have been played), count up the points, give the winner a pat on the back, and have someone file bugs.

    That may seem a little complex, but it’s pretty simple when you have cards in hand. There’s a video of me explaining the game here and of people playing on the launch page. There’s also a strategy card in the deck with a flowchart to help you decide what card to play.

    When

    Right now! If you’re at RSA, come by the Microsoft booth, or download the cards here.

    Who

    If you’re developing software, this is for you. We’d love to hear your feedback here, we’d love for you to blog about it, but most of all we’d love for you to play Elevation of Privilege.

    Once you have, we’d also like you to play with the idea of serious games for threat modeling and security. To help you get started, we’re making Elevation of Privilege available under a Creative Commons Attribution license which gives you freedom to share, adapt and remix the game.

    Acknowledgements

    I want to thank Austin Hill of Akoha for introducing me to the wide field of serious games (see http://www.seriousgames.org/ or http://en.wikipedia.org/wiki/Serious_game for some more on the broad concept), and Laurie Williams of North Carolina State University for designing “Protection Poker,” which inspired me to design Elevation of Privilege.

  • The Security Development Lifecycle

    SDL and the New End to End Trust Site

    On Friday, the team at Microsoft that’s driving our End to End Trust initiative launched a new web site that provides an update on the End to End Trust vision for a more trustworthy and accountable Internet.  The site’s launch was timed to precede Scott Charney’s keynote next Tuesday at the RSA Security Conference in San Francisco.  The site will be updated later that day with a video of Scott’s keynote.

    One of the key components of the End to End Trust vision is what we refer to as “Security and Privacy Fundamentals” – the recognition that better authentication and accountability are only effective if the underlying computer systems are built to resist attack and the intrusion of unwanted software.  At Microsoft, the way we build systems to resist attack is by implementing the SDL for any products or online services that expose our users to risk.  The End to End Trust site includes several videos about the SDL and its role in End to End Trust, as well as links to details posted on the SDL web site.  I’d encourage you to review the End to End Trust site, Scott’s video when it’s posted, and of course the SDL information on both the End to End Trust and SDL web sites.

    Steve Lipner
