SEARCH RESULTS
 
Showing 1-10 of 54 records
 
"Walking" with the SDL - Part 3

2008-07-23 16:43:00 by sdl in The Security Development Lifecycle
 
...SDL) [Part 1, Part 2]. So far I have discussed getting management approval and expanding security training. In this post I will discuss formalizing requirements and effective ways to reuse your threat model and attack surface review data. I'll wrap up with a look into final security reviews and managing post-release documentation. Formalize...
SDL and Filtering

2008-03-13 15:00:00 by sdl in The Security Development Lifecycle
 
...SDL blog post. I've been a program manager at Microsoft for almost nine years. In past roles at Microsoft I was the lead program manager for security response in the Windows Sustained Engineering group, and in my last role I was a project manager in the Microsoft Auto group that partnered with Ford Motor Company to create the SYNC device. I...
Recent Symantec and IBM vulnerabilities, giblets, banned APIs and the SDL

2008-01-04 23:37:00 by sdl in The Security Development Lifecycle
 
...SDL hardens Microsoft products, we are seeing attackers move elsewhere. Third, I like to think about how the SDL might have caught the bugs. There is always a chance to learn from these occurrences, and we sometimes make tweaks to the SDL after vulnerabilities are discovered on other platforms or third-party code. And because the SDL is far...
"Walking" with the SDL - Part 1

2008-07-18 16:55:00 by sdl in The Security Development Lifecycle
 
...SDL. I used the imagery of learning to crawl, walk and run as a way to provide some basic starting points that would move your organization toward implementing a version of Microsoft's Security Development Lifecycle (SDL). In this series I am going to talk about Walking with the SDL. Walking is the point where your security development...
More trustworthy election systems via SDL?

2008-02-04 23:34:00 by sdl in The Security Development Lifecycle
 
...SDL could help contribute towards society's need for trustworthy computing in a very visible and important application. Let's start with the Source Code Review of the Sequoia Voting System. Two examples from the executive summary are interesting. Cryptography: Many cryptographic functions are implemented incorrectly, based on weak algorithms...
Is Microsoft's SDL Working?

2008-05-16 11:05:09 by Burton Group in Security and Risk Management Strategies Blog
 
...SDL) is the main product of its Trustworthy Computing Initiative, launched from the now-famous Bill Gates memo in 2002. Six years into the initiative, Microsoft surely must be reaping the benefits of, for example, the well-publicized security training every developer went through. So, how do we determine whether the SDL is working? Microsoft...
"Crawling" Toward SDL

2008-03-06 22:13:00 by sdl in The Security Development Lifecycle
 
...SDL into their development lifecycles, this "crawl" phase toward full adoption of SDL is very important. Usually some person in an organization picks up on the principles of SDL and is ready to roll them out immediately. However, that person usually is faced with competing interests that complicate full adoption: the team is mid-stream in...
Microsoft SDL Process in detail

2008-04-09 19:13:00 by sdl in The Security Development Lifecycle
 
...SDL and I think we have done a reasonably good job. Michael Howard has written some pretty interesting pieces on a wide variety of subjects: bug post-mortems, philosophical notes and the like. Adam Shostack did a fabulous job on the threat modeling series; Eric Bidstrup took a deeper look at the perceived vs. real benefits of the Common...
Walking with the SDL Part 2

2008-07-21 16:56:00 by sdl in The Security Development Lifecycle
 
...SDL. In Part One, I provided a snapshot of Crawling and discussed getting management approval. In Part Two, I will cover a couple more Walk components: expanding security training and formalizing requirements. This blog gives us a place to talk about our experiences from using the SDL here at Microsoft and hopefully provide useful information...