The Security Development Lifecycle

Microsoft SDL Conforms to ISO/IEC 27034-1:2011

SDL Team — Tue, 14 May 2013 16:00:00 GMT

Steve Lipner here. This morning Scott Charney announced in his keynote at the Security Development Conference that the Microsoft Security Development Lifecycle (SDL) meets or exceeds the guidance published in ISO/IEC 27034-1. The full text from this announcement was as follows:

Microsoft has used a risk based approach to guide software security investments through a program of continuous improvement and processes since the Security Development Lifecycle (SDL) became a company-wide mandatory policy in 2004. In 2012, Microsoft used ISO/IEC 27034-1, an international application security standard as a baseline to evaluate mandatory engineering policies, standards, and procedures along with their supporting people, processes, and tools.

All current mandatory application security related policies, standards, and procedures along with their supporting people, processes, and tools meet or exceed the guidance in ISO/IEC 27034-1 as published in 2011.

ISO/IEC 27034 provides guidance for a risk based and continuously improving software security management system applied across the application lifecycle. ISO/IEC 27034-1, Annex A contains a case study illustrating how the SDL conforms to the components and processes of ISO/IEC 27034. ISO/IEC 27034-1 is published on the ISO website http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=44378.

If you are interested in finding out more about ISO/IEC 27034, the paper “The emergence of software security standards: ISO/IEC 27034-1:2011 and your organization” from Reavis Consulting Group covers the value and importance of ISO 27034 for the software industry.

Register Now for SDC 2013 and Save!

SDL Team — Wed, 01 May 2013 18:00:00 GMT

In less than two weeks, the world’s best and brightest security professionals will converge on the InterContinental Hotel San Francisco, CA for the second annual Security Development Conference! Don’t miss this opportunity to hear from industry experts who will discuss current security topics and issues.

Register Now using this discount code: IND@SDC#12

For more information, visit our website at www.securitydevelopmentconference.com or
contact us at sdc@eventpoint.com

Speakers and topics include:

Howard Schmidt

Join Howard Schmidt, executive director of the Software Assurance Forum for Excellence in Code (SAFECODE), partner in the strategic advisory firm, Ridge Schmidt Cyber, and former cyber security advisor to the president, in this fireside chat to learn more about the important role developers can play in shaping the future of security. After a brief introduction and interview with Steve Lipner, Partner Director of Software Security at Microsoft, Howard Schmidt will take questions from the audience.

Scott Charney

Scott Charney serves as Microsoft's Corporate Vice President for Trustworthy Computing, Engineering Excellence, and Environmental Sustainability. Scott will be presenting on Building Market Demand for Security Development Through Standards – Hear Microsoft’s perspective on how security development standards and developer transparency can help drive greater trust in software devices and services.

Edna M. Conway

Edna M. Conway serves as Cisco’s Chief Security Strategist for the company’s Global Supply Chain. In this capacity, she is leading Cisco’s strategy to assess, monitor, and continuously improve the security of its global value chain. She also leads Cisco’s supply chain cyber protection plan, serving on the company’s Cybersecurity Board and Risk and Resiliency Operating Committee. Edna will be presenting on the importance of Supply Chain Integrity, and security disciplines to drive visibility and security in each node of the value chain.

Brad Arkin

Brad Arkin is the Senior Director of Security for Adobe products and services. Brad’s keynote, titled “Accepting Defeat and Changing the Battle Plan,” will explore new approaches to achieve desired results for information security, based on Adobe’s own experiences abandoning “best-practices” in favor of innovative alternative strategies which were able to deliver results where tradition failed.

In addition to the above keynotes, the conference will include over 20 breakout sessions, which cover the latest in security development techniques and processes for reducing risk and protecting organizations in the rapidly evolving technology landscape. Equally importantly, the conference provides an opportunity to compare notes with professionals in software development and critical infrastructures regarding SDL processes at their organizations.

Register Now and Save

SDL Team — Wed, 17 Apr 2013 17:13:00 GMT

Join us for the second annual Security Development Conference in San
Francisco, May 14-15, 2013. Learn about proven security
development practices through interactions with peers, industry luminaries and
other organizations. Sessions will cover the latest security development
techniques and processes that can reduce risk and help protect organizations in
this rapidly evolving technology landscape.

Act now and get this limited time offer; register for just $300 by using this discount code: IND@SDC#12

Keynote Speakers

The 2013 Security Development Conference
would like to welcome our featured speakers: Scott Charney, Corporate VP
Trustworthy Computing, Microsoft; Edna M Conway, Chief Security Strategist
Global Supply Chain, Cisco Systems; Brad Arkin, Senior Director of Security
Adobe Secure Software, Engineering Team (ASSET). And a new addition to our keynote
line up, Howard Schmidt, Executive Director, SAFECode Partner, Ridge
Schmidt Cyber.

Agenda & Content

This year we are excited to bring you even
more expert knowledge to help you effectively manage your business’ security.
Conference specialty tracks target three different types of professionals:
Engineers, Project Management, and Leadership. Combining keynotes from thought
leaders as well as specialized breakout sessions, this conference is a
can’t-miss for security professionals at any level.

Join us in San Francisco!

Registration Now Live! Security Development Conference 2013

SDL Team — Tue, 18 Dec 2012 17:00:00 GMT

Registration is now live for the Security Development Conference 2013, hosted in San Francisco, CA on May 14 – 15, 2013. If you register today you’ll save 50% off the normal registration fee.

This year’s conference will include keynote speakers Edna M. Conway, Chief Security Strategist, Cisco Systems Inc.; Brad Arkin, senior director, Security, Adobe products and services; and Scott Charney, corporate vice president, Trustworthy Computing, Microsoft Corp. Event tracks will include: Engineering for Secure Data, Security Development Lifecycle & Data Security, and Business Risk & Data Security. Track sessions will cover the latest in proven security development techniques that help reduce risk and protect organizations in the ever-changing technology landscape.

The Security Development Conference brings together IT security professionals to network, learn and discuss secure development best practices. Attendees from around the world will hear from leading security experts, build their professional networks, and learn how to implement or accelerate adoption of secure development practices within their own organizations.

For more information, I encourage you to check out the website at www.securitydevelopmentconference.com.

Steve Lipner
Partner Director of Program Management
Microsoft Trustworthy Computing

Elevation of Privilege: Drawing Developers into Threat Modeling

SDL Team — Tue, 18 Dec 2012 16:30:00 GMT

Adam Shostack here. In the holiday spirit I wanted to share an academic-style paper on the Elevation of Privilege Threat Modeling card game (EoP_Whitepaper.pdf). The paper describes the motivation, experience and lessons learned in creating the game.

As we’ve shared the game at conferences, we’ve seen their eyes light up at the idea of a game. We think of this as enticement, which is a great compliment to the many other reasons to get involved in secure development. As someone once said, a spoonful of sugar helps the medicine go down.

We think of Elevation of Privilege as an important demonstration that enticing people into secure development lifecycle is possible. We certainly don’t think that it’s the only game that’s possible, and so hope that sharing our experiences will help you understand the game, how to use it, and how to build on it, maybe making a game of your own to help you with challenges you face bringing secure
development to your organization.

Download all of the Elevation of Privilege content here: http://www.microsoft.com/en-us/download/details.aspx?id=20303

SDL and Compliance: New Blog Series at Security Blogs

SDL Team — Fri, 07 Dec 2012 20:18:00 GMT

Arjuna Shunn here. Our friends over on the security blog have done up a series of posts about SDL and compliance which are worth reading. Using data from numerous sources, ranging from our SDL and HIPAA whitepaper, our SDL and PCI DSS/PA-DSS whitepaper, and from our SDL Chronicles among others, they’ve compiled some valuable data on the use of SDL to support multiple compliance requirements during software development. Feel free to take a look and grab the whitepapers if you’ve not already got them.

The SDL Chronicles: Diverse Companies and Industries Share the ROI of Security Development Processes

SDL Team — Wed, 05 Dec 2012 02:24:00 GMT

Doug Cavit here. I’m happy to announce that we have now released The SDL Chronicles. We have been working with many outside institutions to help document their secure application development journey and what they learned. Together, these stories make up The SDL Chronicles. It is really interesting to me to see all these stories collectively rather than as individual pieces. It is much easier now to see the similarities in what all of these institutions underwent in understanding the new challenging threat landscape. They then built consensus for not just doing the “quick fix” but for solving the problem systemically through a cultural shift. From this effort they were able to realize not only the benefits of enhanced security but also reaping direct benefits for doing the right thing in terms of more productivity and an excellent ROI. All of these stories conclusively show that process and culture matters and while it may take some time and resources the net result is worth the investment.

The Chronicles include stories from groups as diverse as MidAmerican Energy, the State of India, Itron and Good Harbor Consulting giving us a comprehensive view across different scenarios but with many common themes. These institutions, who implemented the SDL, have all leveraged the guidance and tools supplied freely by Microsoft. Microsoft’s experience has allowed them to get a head start on their own program. That is one of the important reasons why we put these stories together: to help you jumpstart a program in your institution by showing how it can be done and the kinds of results that can be realized. The Security Development Lifecycle helps unite diverse groups in a common process and framework to work more efficiently and to focus resources on the most important objectives. It is also very interesting to see how the SDL is being extended by Itron in the case of low level hardware design and by the government of India in helping train their forensic police forces. The SDL has grown and adapted to fit the requirements of not only Microsoft but needs as disparate as low level hardware design and forensic police work.

We hope you enjoy reading the Chronicles and come away with your own powerful lessons from these collective stories. Please share your thoughts and experiences with us.

Security Development Conference 2013 - Call for Content has been extended

SDL Team — Fri, 09 Nov 2012 20:39:59 GMT

The Call for Content for the Security Development Conference 2013 (SDC2013) has been extended to Nov 16^th. If you are interested in presenting at one of the sessions during SDC2013, please submit your content proposal here. Note that the call for content now closes on Friday, November 16, 2012 at midnight. If you have questions, please feel free to reach out to the Security Development Conference team.

Security Development Conference 2013 – Call for Content

SDL Team — Wed, 31 Oct 2012 18:26:00 GMT

Planning is underway for the Security Development Conference (SDC) 2013, scheduled to take place in San Francisco, CA on May 14 and 15 2013. There will be four tracks for SDC 2013 – Engineering for Secure Data, Advanced Engineering for Secure Data, Security Development Lifecycle & Data Security, and Business Risk & Data Security.

If you are interested in presenting at SDC 2013, the Call for Content will be open through November 9, 2012.

Submit Your Content Proposal!

Necessary, Explained, Actionable, and Tested (NEAT) Cards

SDL Team — Tue, 09 Oct 2012 17:46:00 GMT

Previously, we blogged about “Adding Usable Security to the SDL.” Feedback as we hand out the cards at a variety of conferences has been amazingly positive. We wanted to make it easier for folks outside of Microsoft to take advantage of NEAT, and so today, we’re putting those cards under a CC-BY license so you can print your own.

Click here to download a high-resolution PDF of the cards and the NEAT whitepaper.

If you have success improving your products or websites with this advice, we’d love to hear about it in the comments.