Security Development Lifecycle Whitepaper Available

From: Michael Howard (mikehow_at_MICROSOFT.COM)
Date: 03/23/05

  • Next message: Erik Pace Birkholz: "FREE TOOL: SQLRecon released by Special Ops Labs!!!"
    Date:         Tue, 22 Mar 2005 15:11:51 -0800
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Microsoft has made publicly available our Security Development Lifecycle
    (SDL) paper at http://msdn.microsoft.com/security/sdl.

    The SDL is the process that Microsoft has implemented for the
    development of software that needs to withstand malicious attack. The
    process encompasses the addition of a series of security-focused
    activities and deliverables to each of the phases of Microsoft's
    software development process. These activities and deliverables include
    the development of threat models during software design, the use of
    static analysis code-scanning tools during implementation, and the
    conduct of code reviews and security testing during a focused "security
    push". Before software developed under the SDL can be released, it must
    undergo a Final Security Review by a team independent from its
    development group. When compared to software that has not been subject
    to the SDL, software that has undergone the SDL has experienced a
    significantly reduced rate of external discovery of security
    vulnerabilities. This paper describes the SDL and discusses experience
    with its implementation across Microsoft software.

    Cheers, Michael

    [Writing Secure Code] http://www.microsoft.com/mspress/books/5957.asp
    [Protect Your PC] http://www.microsoft.com/protect
    [Blog] http://blogs.msdn.com/michael_howard

    --
    NTBugtraq Editor's Note:
    Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
    --
    

  • Next message: Erik Pace Birkholz: "FREE TOOL: SQLRecon released by Special Ops Labs!!!"