Security Development Lifecycle Whitepaper Available

From: Michael Howard (mikehow_at_MICROSOFT.COM)
Date: 03/23/05

  • Next message: Erik Pace Birkholz: "FREE TOOL: SQLRecon released by Special Ops Labs!!!"
    Date:         Tue, 22 Mar 2005 15:11:51 -0800
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Microsoft has made publicly available our Security Development Lifecycle
    (SDL) paper at http://msdn.microsoft.com/security/sdl.

    The SDL is the process that Microsoft has implemented for the
    development of software that needs to withstand malicious attack. The
    process encompasses the addition of a series of security-focused
    activities and deliverables to each of the phases of Microsoft's
    software development process. These activities and deliverables include
    the development of threat models during software design, the use of
    static analysis code-scanning tools during implementation, and the
    conduct of code reviews and security testing during a focused "security
    push". Before software developed under the SDL can be released, it must
    undergo a Final Security Review by a team independent from its
    development group. When compared to software that has not been subject
    to the SDL, software that has undergone the SDL has experienced a
    significantly reduced rate of external discovery of security
    vulnerabilities. This paper describes the SDL and discusses experience
    with its implementation across Microsoft software.

    Cheers, Michael

    [Writing Secure Code] http://www.microsoft.com/mspress/books/5957.asp
    [Protect Your PC] http://www.microsoft.com/protect
    [Blog] http://blogs.msdn.com/michael_howard

    --
    NTBugtraq Editor's Note:
    Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
    --
    

  • Next message: Erik Pace Birkholz: "FREE TOOL: SQLRecon released by Special Ops Labs!!!"

    Relevant Pages

    • Security Development Lifecycle Whitepaper Available
      ... Microsoft has made publicly available our Security Development Lifecycle ... The SDL is the process that Microsoft has implemented for the ... undergo a Final Security Review by a team independent from its ...
      (Bugtraq)
    • Re: Attention Windows Users
      ... The Trustworthy Computing Security Development Lifecycle ... Security Engineering and Communications ... Development Lifecycle (or SDL), a process that Microsoft has ...
      (rec.aviation.piloting)
    • [REVS] Trustworthy Computing Security Development Lifecycle of Microsoft
      ... Get your security news from a reliable source. ... The SDL is the process that Microsoft has implemented for the development ... The information in this bulletin is provided "AS IS" without warranty of any kind. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
      (Securiteam)
    • [NT] Cumulative Security Update for Internet Explorer (MS04-025)
      ... Get your security news from a reliable source. ... * Microsoft Windows NT Workstation 4.0 Service Pack 6a ... Navigation Method Cross-Domain Vulnerability ...
      (Securiteam)
    • SecurityFocus Microsoft Newsletter #75
      ... Microsoft's Internet Security & Acceleration Server with fault-tolerance ... The Microsoft UPnP Vulnerability ... Relevant URL: ...
      (Focus-Microsoft)