Georgeo Pulikkathara's Microsoft Blog : Security Development Lifecycle (SDL) Model

Microsoft Trustworthy Developer Content Strategy

Georgeo Pulikkathara — Thu, 24 Jul 2008 10:29:07 GMT

Technorati Tags: developer content strategy,privacy,security

I was at my Vice President's (Scott Charney) all hands meeting last month. Scott was talking about the need to discuss online safety and Green IT to IT Pros and developers. I was taking some notes and Maslow's Hierarchy of Needs pyramid came to mind.

I thought of what Scott was saying and realized that there was a order to what we need to communicate and drive awareness for. Before we can talk about data privacy to developers and IT Professionals, it was necessary to ensure that the customers platform and applications were secure. Only then can you even think of approaching data privacy.

If an ISV or a corporate development team is to consider data privacy as a requirement, then Security is mandatory. If you're a ISV or a independent software vendor, then you're going to have to answer the questions to your customers who are going to ask you the obvious question, "Am I safe online?".

Online Safety is comprised of Privacy and Security. Let's say you want to provide online safety to your customers who buy your software. You'll probably want to ensure that there is legislation/compliance in place to drive the online safety to protect the customer as well as independent software vendors to limit your liability when you've taken the time and due diligence to ensure your application development efforts coincide with the Microsoft Development Lifecycle.

The way we drive awareness and provide privacy and security for customers is by ensuring that independent software vendors are utilizing the Microsoft SDL in their software development efforts along with organization that expose customer data through online banking portals, or online account access.

Microsoft Security Development Lifecycle (SDL) download now available

Georgeo Pulikkathara — Fri, 02 May 2008 05:02:47 GMT

As part of its commitment to a more secure and trustworthy computing ecosystem, Microsoft is making the details of the SDL process generally available online for the first time. IT policy makers and software development organizations can leverage this 78 page document to enhance and inform their own software security and privacy assurance programs.

Microsoft Security Development Lifecycle (SDL) document download

"The Microsoft Security Development Lifecycle (SDL) is an industry-leading software security assurance process. A Microsoft-wide initiative and a mandatory policy since 2004, the SDL has played a critical role in embedding security and privacy in Microsoft software and culture. Combining a holistic and practical approach, the SDL introduces security and privacy early and throughout all phases of the development process. It has led Microsoft to measurable and widely-recognized security improvements in flagship products such as Windows Vista and SQL Server. Microsoft is publishing the detailed SDL process guidance as part of its commitment to enable a more secure and trustworthy computing ecosystem.

The following documentation provides an in-depth description of the Microsoft SDL methodology and requirements. Proprietary technologies and resources that are only available internally at Microsoft have been omitted from these guidelines."

TechEd 2008 is coming!

Georgeo Pulikkathara — Wed, 30 Apr 2008 23:28:12 GMT

Are you going to TechEd 2008? If so, please stop by our Security Development Lifecycle booth and chat with us about how you plan for security and threat modeling in your application design and development.

Microsoft TechEd 2008 Website

In the mean time check out Adam's post on SDL and threat modeling. He's attached a PDF of his slides from his presentation at Toorcon last weekend.

Security Development Lifecycle Blog

Security tools will not make your software secure...

Georgeo Pulikkathara — Tue, 29 Apr 2008 01:55:22 GMT

Be sure to read Howard's article, and pay attention to this section. Here's an excerpt from Michael's" A Look Inside the Security Development Lifecycle at Microsoft"....

//======================================//

Security tools will not make your software secure. They will help, but tools alone do not make code resilient to attack. There is simply no replacement for having a knowledgeable work force that will use the tools to enforce policy. The new version of Visual Studio® 2005 Team System Developer's Edition includes some very, very useful security tools:

PREfast PREfast is a static analysis tool for C/C++ code. It can find some pretty subtle security defects, and some egregious bugs, too. This is lint on security steroids.

Standard Annotation Language (SAL) Of all the tools we have added to Visual Studio 2005, this is the technology that excites me the most because it can help find some hard to spot bugs. Imagine you have a function like this:

Copy Code

void *function(
    char *buffer, 
    DWORD cbBufferLength);

You know that buffer and dwBufferLength are tied at the hip; buffer is cbBufferLength bytes long. But the compiler does not know that—all it sees is a pointer and a 32-bit unsigned integer. Using SAL, you can link the two. So the header that includes this function prototype might look like the following:

Copy Code

void *function(
    _in_bytecount(cbBufferLength) char *buffer, 
    DWORD cbBufferLength);

Please note the final syntax used for SAL may change before Visual Studio 2005 ships.

FxCop You may already know of FxCop—it's a tool to find defects, including security defects in managed code. It's available as a download from www.gotdotnet.com, but the version in Visual Studio 2005 is fully integrated, and includes some new issues to watch out for.

Application Verifier AppVerifier is a runtime tool that operates on a running application. It can be used to trap memory-related issues at run time, including heap-based buffer overruns.

Other tools and requirement at Microsoft include:

All unmanaged C/C++ code must be compiled with the /GS stack overrun detection capability.
All unmanaged C/C++ code must be linked using the /SafeSEH option.
All RPC code must be compiled with the MIDL /robust flag.
Security issues flagged by FxCop and PREfast must be fixed.
The functions shown in Figure 4 are banned for new code, and should be removed over time for legacy code.

Figure 4 Sample Banned Functions

Banned API
Strsafe Replacement
Safe C and C++ Libraries

strcpy, wcscpy, _tcscpy, _mbscpy, lstrcpy, lstrcpyA, lstrcpyW, strcpyA, strcpyW
String*Copy or String*CopyEx
strcpy_s

strcat, wcscat
String*Cat or String*CatEx
strcat_s

wnsprintf, wnsprintfA, wnsprintfW
String*Printf or String*PrintfEx
sprintf_s

_snwprintf, _snprintf
String*Printf or String*PrintfEx
_snprintf_s or _snwprintf_s

wvsprintf, wvsprintfA, wvsprintfW, vsprintf
String*VPrintf or String*VPrintfEx
_vstprintf_s

_vsnprintf, _vsnwprintf
String*VPrintf or String*VPrintfEx
vsntprintf_s

strncpy, wcsncpy
String*CopyN or String*CopyNEx
strncpy_s

strncat, wcsncat
String*CatN or String*CatNEx
strncat_s

scanf, wscanf
None
sscanf_s

strlen, wcslen, _mbslen, _mbstrlen
String*Length
strlen_s

You can read about the Strsafe string replacement code in "Strsafe.h: Safer String Handling in C". The Safe C library is the new C runtime library replacement built into Visual Studio 2005. You can read about it at "Safe! Repel Attacks on Your Code with the Visual Studio 2005 Safe C and C++ Libraries".

//======================================//

How Do I: Export and Import Certificates?

Georgeo Pulikkathara — Fri, 25 Apr 2008 09:22:00 GMT

We've got a series of short how to videos at the msdn security developer center that provides you quick overviews on topics such as how to import/export certificates, and how to get started with encryption. by Lamees Ayman.

Let us know what you think of these videos. Helpful, too basic, or just right. I'm thinking of making more videos like this for our developer community to consume.

Technorati Tags: developer security videos

Thanks,

George

georgeop@microsoft.com or (425) 707-6912