DCSIMG
Microsoft Secure Development Lifecycle [SDL] - אליק לוין

אליק לוין

עולמו של יועץ ממיקרוסופט

Microsoft Secure Development Lifecycle [SDL]

It all started back in 2002 with BIll Gates' famous memo:

From: Bill Gates Sent: Tuesday, January 15, 2002 5:22 PM

To: Microsoft and Subsidiaries: All FTE

Subject: Trustworthy computing

"...Great features won't matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security..."

SDL was born, more on it read here. One of the tenets of SDL is that it's integrated tightly into dev process. But is dev process the same with all dev shops, just like at MS? Are these shops posses same security skills and resources? What are secuirty objectives? The real question here I believe "does MS one-size SDL fit  all?". I do not think so. At least not for Line Of Business [LOB] information systems. Even inside MS there is separate team [ACE] that implements SDL-IT for MS internal LOB apps.

One of ACE members, Akshay Aggarwal is going to give Threat Modeling [TM] session @TechEd, presenting very cool new free tool MAS TAM. The session was presented recently @RSA conference with great feedback. More on TM in the next post.

So MS has SDL for its products groups, SDL-IT for internal LOB apps... What about customers? Surprise!! MSDN has it all there since 2003. That is Security Engineering from Practices and Patterns team:
- .NET Security
- Threat Modeling Web Applications
- Security Engineering Explained
- Lots more

More than 2,500 pages of guidance for practices, techniques, how-to's, and more

@TechEd, on May 9th I am going to give the Securiyt Engineering session where I'll present the topic spiced with examples from the field where these practices were successfuly implemented

See you there

פורסם: Apr 13 2006, 11:11 AM by alikl | with no comments
תגים:,