Sexy Development Lifecycle

MSDN Blog Postings » Sexy Development Lifecycle

MSDN Blog Postings » Sexy Development Lifecycle — Wed, 30 Jan 2008 06:51:01 GMT

PingBack from http://msdnrss.thecoderblogs.com/2008/01/29/sexy-development-lifecycle/

Couple of good posts

David LeBlanc's Web Log — Wed, 30 Jan 2008 07:30:59 GMT

The SDL blog has some good comments - http://blogs.msdn.com/sdl/archive/2008/01/29/sexy-development-lifecycle.aspx

Couple of good posts

Noticias externas — Wed, 30 Jan 2008 08:31:31 GMT

The SDL blog has some good comments - http://blogs.msdn.com/sdl/archive/2008/01/29/sexy-development-lifecycle

re: Sexy Development Lifecycle

ParanoidCanuck — Wed, 30 Jan 2008 23:34:14 GMT

The more of these "automations" that can be integrated into the FxCop/VS2008 "Code Analysis" engine, the better off we'll be.

This complements the /GS flag, and helps reduce the need for "band-aids" around vulnerable code such as ValidateRequest(), by helping the developer flag potential issues in their code the first time they check it in (or whenever their build process automatically runs their chosen FxCop ruleset).

re: Sexy Development Lifecycle

douglen — Thu, 31 Jan 2008 16:10:41 GMT

So, it comes down to one core facet of the SDL - tools.

Microsoft is in a unique position (as usual) to supply those tools - I would expect SDL aspects to be rolled right into Visual Studio, Foundation Server, maybe even Project... (and btw, I would expect better integration between the last two...)

I hope that the next version of these products will include this?

re: Sexy Development Lifecycle

sdl — Thu, 31 Jan 2008 22:50:53 GMT

Hi Douglen, (Eric Bidstrup here)

Let me jump in to respond. Short answer is: Yes, tools are very important to enable automation and scaling SDL. Actually several tool with origins in SDL have already been released publicly, and you can expect to see more over time. /GS and /SAFESEH support are present in Visual 2005 and later for stack protection and safe exception handling respectively. Leveraging Address Space Layout Randomization is Vista can be enabled using the /DYNAMICBASE flag in Visual Studio 2005 SP1 (or later) linker. For code analysis, FxCop (for managed code) and /analyze (aka "PREfast") are available in Visual Studio 2005 as well.

As we continue to refine and improve tools that do prove effective, we plan to get those into the pipeline for external release in order to enable the development community to create more secure code to help better secure the broader ecosystem...

re: Sexy Development Lifecycle

Patrick_Boyd — Fri, 01 Feb 2008 23:20:53 GMT

So why not start a secure development con? Get hackers and developers in the same room. I for one had a blast when you guys had a bunch of your OEMs up for training about the SDL. And then you can have the best of the hacker con and the developer con under one roof.

SDL Sessions at BlueHat

The Security Development Lifecycle — Thu, 25 Sep 2008 19:14:19 GMT

Bryan here. Last January, I wrote a post on this blog bemoaning the difficulty of making security interesting

Writing Secure Code -- Links -- October 31,2008

blogs.oracle.com — Mon, 03 Nov 2008 21:10:15 GMT

A little late because of travel. Secure database authentication in  ADO.NET applications -- This