January, 2011

  • The Security Development Lifecycle

    It's Really Only 16 Security Practices - Implementation Guidance Included!

    [update 3/22/10: The Excel spreadsheet referenced in this post is now available for download: http://go.microsoft.com/?linkid=9764798]

    Hey everyone, Jeremy Dallman here with a new way to sort and view the SDL practices and implementation guidance. In April 2010, we worked closely with the Archer Corporation (since acquired by EMC) to integrate the Microsoft SDL into the RSA Archer eGRC Platform as an Authoritative Source. This integration allows any company using the RSA Archer eGRC Platform to download the Microsoft SDL Authoritative Source and manage their SDL efforts in parallel with any compliance activities they are already managing using the RSA Archer eGRC.

    When we worked with Archer to integrate the SDL into their framework, the SDL practices had to be broken into a new taxonomy that would fit into their task-oriented model. In keeping with the Simplified Implementation of the SDL, the goal was to do more than just list “what security activities you should be doing” - we wanted actionable implementation guidance. To accomplish this, we assigned a numeric designation to each SDL Phase and Practice, then filled in the supporting guidance for each activity in the Implementation Details section. These Implementation Details were copied directly from the Simplified SDL paper to retain the platform-independent nature of the SDL. In the practices where platform-specific guidance is widely used, we chose to append that information as Additional Notes.

    We have found that this task-oriented structure, built in a simple Excel spreadsheet, has become useful in some of our new documentation. We thought it might also be useful to share that simple Excel spreadsheet to simplify importing and adopting the 16 security practices of the SDL in your organization.

    [The Microsoft Simplified SDL Practices spreadsheet is attached at the bottom of this blog post]

    I would encourage you to use this spreadsheet alongside the Simplified SDL paper to find what best fits your organization or work-flow management process. If your task management system allows you to import from Excel, it might be as easy as importing the spreadsheet and assigning tasks.

    However you choose to use this new way to parse the SDL Practices, I hope it will help you better understand the SDL for what it is - a set of 16 security practices with clear implementation guidance that can be spread across your software development lifecycle to improve the security of your applications.

    If you have questions about the Simplified SDL or this simple spreadsheet view into the Simplified SDL Practices, please don’t hesitate to shoot them our way either in the comments section or on the SDL Forums on MSDN.

  • The Security Development Lifecycle

    Other interesting news from Blackhat DC...

    Hello All, Dave again...

    In addition to the Attack Surface Analyzer release at Blackhat DC, we have a variety of other releases to announce.

    First, we are releasing the next version of the Microsoft SDL Threat Modeling Tool, as a beta.  Consistent with the previous release of the tool, version 3.1.6 allows for early and structured analysis and proactive mitigation of potential security and privacy issues in new and existing applications. The Microsoft SDL Threat Modeling Tool beta is enhanced to support Microsoft Visio 2010 for diagram design and also contains bug fixes reported to Microsoft by members of the security developer community. The beta period is in place to solicit community feedback on the tool. The final version will ship in fall 2011. The tool is available for download at no cost. More information about the Microsoft SDL Threat Modeling Tool beta and a video demo are available at http://www.microsoft.com/sdl.

    Next, we are also releasing the next version of the SDL BinScope Binary Analyzer. BinScope Binary Analyzer 1.2 is a Microsoft verification tool that analyzes binaries on a project-wide level to ensure they have been built in compliance with Microsoft Security Development Lifecycle (SDL) requirements and recommendations. BinScope Binary Analyzer now supports Visual Studio 2010, making validation tasks readily available in the development environment. In addition, it integrates with Microsoft Team Foundation Server 2008 and Microsoft Team Foundation Server 2010 to output results into work items. The BinScope tool is available in two forms: a stand-alone version and, as noted above, an add-on that integrates fully with Visual Studio. Both versions of the tool will be made available for download on Jan. 18, 2011, on the SDL tools website and the Microsoft Download Center. The tool is available at no cost.

    In addition to our tools releases, I am pleased to note that on Feb. 21, 2011, Microsoft Services will begin offering Security Development Lifecycle (SDL) consulting services for customers that want Microsoft involvement in their adoption of the Microsoft SDL. The services include a variety of training and guidance on the various aspects of the SDL. This is a paid consulting service and prices will vary according to the extent of Microsoft's consulting involvement. You can learn more about Microsoft Services at: http://www.microsoft.com/microsoftservices

    Finally, we have been working with Forrester Research on a research report that investigates the potential return on investment by incorporating holistic security methodologies into the product development life cycle. There are a lot of interesting findings in the report that help validate the notion that addressing security early makes good business sense.  You can find a copy of the report on the Microsoft Download Center.  

    Again, there are a lot of folks from our team at the Blackhat DC event. If you'd like to know more about any or all of these releases, we'd be happy to chat.

    Dave

  • The Security Development Lifecycle

    New Tool: Announcing Attack Surface Analyzer!

    Hello All, Dave here...

    I wanted to write a quick post to let you know of an interesting new tool that Microsoft is releasing at Blackhat DC. 

    Microsoft has required attack surface validation of applications prior to release for years. However, assessing the attack surface of an application or software platform can be an intimidating process at first glance.

    To help ease the process, we are releasing a tool called Attack Surface Analyzer to assist both testers and IT Pros in assessing the security of an application.  The Attack Surface Analyzer is being released as a beta - to allow us time to gather feedback and real world usage data from our customers.

    We have a number of folks from our team at Blackhat, including Jeremy Dallman, Solomon Lukie and Meng Li who will be in the Microsoft booth talking with customers about the SDL and demoing the tool.  Solomon will follow up with detailed blog posts about Attack Surface Analyzer at a later date, but in the meantime, here is a brief description of the tool and its intended use:

    The Attack Surface Analyzer beta is a Microsoft verification tool now available for ISVs and IT professionals to highlight the changes in system state, runtime parameters and securable objects on the Windows operating system. This analysis helps developers, testers and IT professionals identify increases in the attack surface caused by installing applications on a machine.

    The tool takes snapshots of an organization's system and compares them ("diffing") to identify changes. The tool does not analyze a system based on signatures or known vulnerabilities; instead, it looks for classes of security weaknesses as applications are installed on the Windows operating system.

    The tool also gives an overview of the changes to the system Microsoft considers important to the security of the platform and highlights these in the attack surface report. The Microsoft Security Development Lifecycle (SDL) requires development teams to define a given product's default and maximum attack surface during the design phase to reduce the likelihood of exploitation wherever possible. Additional information can be found in the Measuring Relative Attack Surface paper.

    Some of the checks performed by the tool include analysis of changed or newly added files, registry keys, services, ActiveX Controls, listening ports, access control lists and other parameters that affect a computer's attack surface.

    The Attack Surface Analyzer beta will be released for download Jan. 18, 2011, in conjunction with a number of updates to other Microsoft SDL tools, at Black Hat DC. The tool is available at no cost.  More information on Attack Surface Analyzer beta by Microsoft and other tools supporting the Microsoft SDL is available at http://www.microsoft.com/security/sdl/getstarted/tools.aspx.

    I'd encourage people to download the tool, and if you happen to be at Blackhat DC, swing by the Microsoft booth and take a look for yourself.

    Dave
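
The snapshot-and-diff approach described in the post above, sketched as an added example (not Microsoft's code and not Attack Surface Analyzer's snapshot format). The snapshot layout, the sample objects and the broad-principal ACL rule are assumptions made for illustration.

```python
# Added example: compare a baseline snapshot with a post-install snapshot and
# report increases in attack surface. No signatures are used; the only rule is
# a class of weakness: a new or changed object that a broad principal can modify.
BROAD = {"Everyone", "Authenticated Users", "BUILTIN\\Users"}  # assumed rule
WRITE = {"write", "full_control", "change_config"}             # assumed rights

# Constructed sample data: system state before and after installing a
# hypothetical application ("Example"). Layout: category -> object -> attributes.
BASELINE = {
    "ports": {"tcp/135": {"process": "svchost.exe"}},
    "services": {"Spooler": {"account": "LocalSystem",
                             "acl": {"BUILTIN\\Administrators": "full_control"}}},
    "files": {},
}
AFTER_INSTALL = {
    "ports": {"tcp/135": {"process": "svchost.exe"},
              "tcp/8080": {"process": "exampled.exe"}},
    "services": {"Spooler": {"account": "LocalSystem",
                             "acl": {"BUILTIN\\Administrators": "full_control"}},
                 "ExampleSvc": {"account": "LocalSystem",
                                "acl": {"Authenticated Users": "change_config"}}},
    "files": {r"C:\Program Files\Example\exampled.exe":
              {"acl": {"Everyone": "full_control"}}},
}

def weak_aces(acl):
    """Return ACL entries that let a broad principal modify the object."""
    return sorted((p, r) for p, r in acl.items() if p in BROAD and r in WRITE)

def diff_snapshots(before, after):
    """List (category, object, finding) for objects added or changed in `after`.
    Removed objects are ignored: they do not increase the attack surface."""
    findings = []
    for category in sorted(after):
        old = before.get(category, {})
        for key, attrs in sorted(after[category].items()):
            if key in old and old[key] == attrs:
                continue  # unchanged objects are not part of the delta
            findings.append((category, key, "added" if key not in old else "changed"))
            for principal, right in weak_aces(attrs.get("acl", {})):
                findings.append((category, key, f"weak_acl:{principal}:{right}"))
    return findings

if __name__ == "__main__":
    for finding in diff_snapshots(BASELINE, AFTER_INSTALL):
        print(*finding, sep=" | ")
```
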

     
