SEARCH RESULTS

Showing 1-10 of 234 records
"Walking" with the SDL - Part 3

2008-07-23 16:43:00 by sdl in The Security Development Lifecycle

...requirements and effective ways to reuse your threat model and attack surface review data. I'll wrap up with a look into final security reviews and managing post-release documentation. Formalize Requirements for long-term use. Now that you are making security development a lifecycle, it is time to lock down and formalize your security...

How Secure is Secure?

2008-05-08 16:46:00 by sdl in The Security Development Lifecycle

...requirements and security engineering quality requirements. While the SDL is focused primarily (but not exclusively) on the latter, both are ultimately important when assessing the security of a given bit of software. However, for reasons I'll elaborate on below, the SDL does focus on trying to prevent the most common causes of...

SDL and Filtering

2008-03-13 15:00:00 by sdl in The Security Development Lifecycle

...requirements and associated tools to try and determine what was applicable to our environment. While we eventually made the right decisions on what SDL requirements we needed to focus upon, we spent more time than we would have liked trying to figure it all out. With our most recent update to the SDL at Microsoft we've made one significant...

"Walking" with the SDL - Part 4

2008-07-25 20:49:00 by sdl in The Security Development Lifecycle

...requirements and effective ways to reuse your threat model or attack surface review data. In this post, I will wrap up with a look into setting up final security reviews and managing post-release documentation. Formalize your Final Security Review (FSR) Process. A Final Security Review is your final security audit to ensure your software is...

More trustworthy election systems via SDL?

2008-02-04 23:34:00 by sdl in The Security Development Lifecycle

...requirements in Microsoft's Security Development Lifecycle. The studies performed in California (prepared at UC Berkeley but created by teams of academics from across the United States) included detailed source code analysis. I'll select out a few examples from those studies and describe them here. (Note: I'm deliberately picking a few examples...

Security Thoughts from TechEd 2008

2008-06-26 15:07:00 by sdl in The Security Development Lifecycle

...requirements, we usually start with a few teams so we can refine the requirement and supporting tools before expanding the requirements to a broader group. Similarly, while we have a core set of requirements that all teams have to meet, there are other requirements that are specific to a platform, scenario, or functionality. For example,...

CISA and CISSP Preparation

2008-07-31 13:14:07 by Erik T. Heidt in Art of Information Security

...requirements, exam requirements, etc. can be found at Certified Information Systems Auditor (CISA): http://www.isaca.org/cisa Certified Information Systems Security Professional: https://www.isc2.org/cissp Are You Ready? A few basic questions to ask yourself to gauge how ready you are: Do I meet the spirit, and not just the letter, of the...

SDL and the XSS Filter, Revisited

2008-09-08 20:18:00 by sdl in The Security Development Lifecycle

...requirements around server-side XSS defense? Of course not. For one reason, the SDL requirements are effective in preventing forms of XSS that XSS Filter does not address, like persistent XSS. For another, not everyone uses IE 8. If we were to relax server-side requirements now, we would jeopardize IE 7 users, as well as Firefox, Safari,...

Recent Symantec and IBM vulnerabilities, giblets, banned APIs and the SDL

2008-01-04 23:37:00 by sdl in The Security Development Lifecycle

...requirements have significantly helped reduce the number of parsing-related vulnerabilities in our products. As I mentioned, the vulnerabilities are not in Symantec code; they are in dependencies, in DLLs provided by another company. The SDL refers to these as "giblets," a term coined by Steve Lipner, a Senior Director at Microsoft and my...

Giving SQL Injection the Respect it Deserves