SecurityRatty: tag: requirements

"Walking" with the SDL - Part 3

2008-07-23 16:43:00 by sdl in The Security Development Lifecycle

...requirements and effective ways to reuse your threat model and attack surface review data. Ill wrap up with a look into final security reviews and managing post-release documentation Formalize Requirements for long-term use Now that you are making security development a lifecycle, it is time to lock down and formalize your security...

Tags: security requirements serve, security requirements, security development lifecycle, security development, requirements, lifecycle, security lifecycle, security, security ecosystem

Applying SDL Principles to Legacy Code

2008-10-27 17:24:00 by sdl in The Security Development Lifecycle

...requirements analysis to penetration testing. Other clients need help defining their security processes, and we help define and kickoff a program based on the Microsoft SDL, other defined processes, or variations thereof, depending on the clients needs and abilities. Whether participating in an existing process or helping define one, I...

Tags: legacy code, mature security processes, security processes, cross-component security requirements, security requirements, processes, code, requirements, legacy code poses

How Secure is Secure?

2008-05-08 16:46:00 by sdl in The Security Development Lifecycle

...requirements and security engineering quality requirements . While the SDL is focused primarily (but not exclusively) on the latter, both are ultimately important when assessing the security of a given bit of software. However, for reasons Ill elaborate on below, the SDL does focus on trying to prevent the most common causes of...

Tags: security metrics, software security metrics, implementation vulnerabilities, potential implementation vulnerabilities, metrics, secure, software, discretionary security protection, security protection

SDL and Filtering

2008-03-13 15:00:00 by sdl in The Security Development Lifecycle

...requirements and associated tools to try and determine what was applicable to our environment. While we eventually made the right decisions on what SDL requirements we needed to focus upon, we spent more time than we would have liked trying to figure it all out With our most recent update to the SDL at Microsoft weve made one significant...

Tags: sdl, sdl requirements, product cycle, product, product team, sdl team, product type, type, code type

"Walking" with the SDL - Part 4

2008-07-25 20:49:00 by sdl in The Security Development Lifecycle

...requirements and effective ways to reuse your threat model or attack surface review data. In this post, I will wrap up with a look into setting up final security reviews and managing post-release documentation Formalize your Final Security Review (FSR) Process A Final Security Review is your final security audit to ensure your software is...

Tags: team, product team, requirements, define requirements, security requirements, security, final security report, threat models, re-review threat models

More trustworthy election systems via SDL?

2008-02-04 23:34:00 by sdl in The Security Development Lifecycle

...requirements in Microsofts Security Development Lifecycle. The studies performed in California (prepared at UC Berkeley but created by teams of academics from across the United States) included detailed source code analysis. Ill select out a few examples from those studies and describe them here. (Note: Im deliberately picking a few examples...

Tags: machine security concerns, security concerns, election systems, election, security, security researchers, election systems margin, margin, election management system

Security Thoughts from TechEd 2008

2008-06-26 15:07:00 by sdl in The Security Development Lifecycle

...requirements, we usually start with a few teams so we can refine the requirement and supporting tools before expanding the requirements to a broader group. Similarly, while we have a core set of requirements that all teams have to meet, there are other requirements that are specific to a platform, scenario, or functionality. For example,...

Tags: security, numerous developer questions, questions, highly specific questions, requirements, security knowledge, sdl requirements, maturity, security maturity

CISA and CISSP Preparation

2008-07-31 13:14:07 by Erik T. Heidt in Art of Information Security

...requirements, exam requirements, etc. can be found at Certified Information Systems Auditor (CISA) : http://www.isaca.org/cisa Certified Information Systems Security Professional : https://www.isc2.org/cissp Are You Ready A few basic questions to ask yourself to gauge how ready you are Do I meet the spirit, and not just the letter, of the...

Tags: exam, exam requirements, cissp exam preparation, half-length exam, exam cram series, certification exam, exam preparation materials, preparation materials, cissp

SDL and the XSS Filter, Revisited

2008-09-08 20:18:00 by sdl in The Security Development Lifecycle

...requirements around server-side XSS defense? Of course not. For one reason, the SDL requirements are effective in preventing forms of XSS that XSS Filter does not address, like persistent XSS. For another, not everyone uses IE 8. If we were to relax server-side requirements now, we would jeopardize IE 7 users, as well as Firefox, Safari,...

Tags: xss, xss filter, persistent xss, server-side xss defense, development teams include, development teams, development, sdl, sdl requirements

Recent Symantec and IBM vulnerabilities, giblets, banned APIs and the SDL

2008-01-04 23:37:00 by sdl in The Security Development Lifecycle

...requirements have significantly helped reduce the number of parsing-related vulnerabilities in our products As I mentioned, the vulnerabilities are not in Symantec code; they are in dependencies, in DLLs provided by another company. The SDL refers to these as "giblets," a term coined by Steve Lipner, a Senior Director at Microsoft and my...

Tags: linker sdl requirements, sdl requirements, ibm, sdl, requirements, symantec, bugs affect ibm, bugs, sdl refers

Your name:
Your email:
Describe a problem:
AntiSPAM Validation:

	Favorites
	My AOL
	My Ask Jeeves
	Blinklist
	Blogmarks
	Del.icio.us
	Digg
	Facebook
	Faves
	Furl
	Google
	Live
	Magnolia
	Netvouz
	Slashdot
	Spurl
	Technorati
	Yahoo

	Favorites
	My AOL
	My Ask Jeeves
	Blinklist
	Blogmarks
	Del.icio.us
	Digg
	Facebook
	Faves
	Furl
	Google
	Live
	Magnolia
	Netvouz
	Slashdot
	Spurl
	Technorati
	Yahoo

	Favorites
	My AOL
	My Ask Jeeves
	Blinklist
	Blogmarks
	Del.icio.us
	Digg
	Facebook
	Faves
	Furl
	Google
	Live
	Magnolia
	Netvouz
	Slashdot
	Spurl
	Technorati
	Yahoo

	Favorites
	My AOL
	My Ask Jeeves
	Blinklist
	Blogmarks
	Del.icio.us
	Digg
	Facebook
	Faves
	Furl
	Google
	Live
	Magnolia
	Netvouz
	Slashdot
	Spurl
	Technorati
	Yahoo