"Crawling" Toward SDL

A szoftver minőségbiztosítási eszközök valós lehetőségei és korlátai

Termékinformációk fejlesztőknek — Wed, 04 Feb 2009 08:04:16 GMT

[Nacsa Sándor, 2009. január 13. – február 3.]  A minőségbiztosítás kérdésköre szinte alig ismert

re: "Crawling" Toward SDL

Philip.Agcaoili — Sat, 31 Jan 2009 20:54:08 GMT

Thanks for the info.These are the examples that Michael Howard forwarded to me as well. Go figure.

We're driving SOA security standards, so anything that you have to assist us here as well would be appreciated.

re: "Crawling" Toward SDL

SDL Team — Sat, 16 Aug 2008 00:01:47 GMT

Phil, to your other question about good references, I would point you to the below links. Please also watch the new SDL website for more information:

http://www.microsoft.com/sdl

Compiler defenses: http://msdn.microsoft.com/en-us/magazine/cc337897.aspx

Banned APIs: http://msdn.microsoft.com/en-us/library/bb288454.aspx

Secure libraries: http://msdn.microsoft.com/en-us/library/e942ksxt.aspx

re: "Crawling" Toward SDL

jdallman — Fri, 15 Aug 2008 23:57:51 GMT

Phil, my apologies for the delayed response. Thank you for taking the time and please feel free to keep up the conversation!

You make some good points about raising awareness through training and education. Based on what I've seen, that is typically quite a challenge for a company (or small group of people within a company) to get going... so I left it as an informal component until "Walking".

Although Fuzzing and Threat Modeling may be perceived as more advanced practices, I think that Threat Modeling in particular is one of the most effective ways to raise awareness of security risks in your products. I would encourage anyone crawling to perform threat modeling as a way to educate themselves in security practices as well as the practical security of their own product.

At "crawl", I suspect any fuzzing would need to be either outsourced or basic and manual. However, any amount of fuzzing that can be done will likely find bugs to fix. These bugs in turn becomes your evidence for broader fuzzing efforts as you mature.

re: "Crawling" Toward SDL

Philip.Agcaoili — Tue, 29 Jul 2008 20:50:41 GMT

Do you have good references for compiler defenses, banned APIs, and secure, reusable libraries?

A basic, publicly available reference wil help many in the Crawling phase.

Thanks,

Phil Agcaoili

re: "Crawling" Toward SDL

Philip.Agcaoili — Tue, 29 Jul 2008 20:48:48 GMT

Fizzing and Threat Modeling are little advance for Crawling.

I'd also add that Awareness, Training, and Education are necessary in this phase.

The adoption of tools to Verify what was trained is a great idea for this phase. Many folks are still evolving from Blackbox, application security testing tools, so the move to source code analysis is major hurdle and an organizational shift.

There is a huge element that is resistant to this shift, so good luck Crawling!

"Walking" with the SDL - Part 1

The Security Development Lifecycle — Fri, 18 Jul 2008 20:03:45 GMT

Jeremy Dallman here. Back in March I wrote a post about “Crawling” Toward SDL . I used the imagery of

Security Thoughts from TechEd 2008

The Security Development Lifecycle — Thu, 26 Jun 2008 18:16:13 GMT

Hi, this week is a post from Michael Howard and Laura Machado de Wright, who both attended and presented

Microsoft SDL Process – in detail

The Security Development Lifecycle — Thu, 10 Apr 2008 00:45:35 GMT

Hello all – Dave here… I am currently at RSA and decided to take a few moments to blog about some updates

"Crawling" Toward SDL | Secure Software Engineering Blog

"Crawling" Toward SDL | Secure Software Engineering Blog — Fri, 07 Mar 2008 05:32:34 GMT

PingBack from http://www.secure-software-engineering.com/2008/03/06/crawling-toward-sdl/