SDL (Security Development Lifecycle) has just become a mainstream

     You probably heard about SDL few times. This is the process that MS apply when developing its products to make sure it is secure.

MS has released  lately all the materials to the Internet so that the customers can apply similar successful practices and make their own products more secure:

• Introduction to the Microsoft SDL
• SDL Stage 0: Security and Privacy Education and Awareness
• SDL Stage 1: Project Inception
• SDL Stage 2: Cost Analysis
• SDL Stage 3: Design Best Practices
• SDL Stage 4: Risk Analysis
• SDL Stage 5: Creating Documentation and Tools for Users that Address Security and Privacy
• SDL Stage 6: Establish and Follow Best Practices for Development
• SDL Stage 7: Security and Privacy Testing
• SDL Stage 8: Security Push
• SDL Stage 9: Public Release Privacy Review
• SDL Stage 10: Response Planning
• SDL Stage 11: Final Security and Privacy Review
• SDL Stage 12: Release to Manufacturing (RTM)/Release to Web (RTW)
• SDL Stage 13: Response Execution

Here is the punch line. ICS2 has joust announced its own certification for Security Development Lifecycle Professional. This is the excerpt from the email I've just received:

Dear Valued Member,

I am pleased to inform you that (ISC)2 launched a brand new certification program designed to validate secure software development practices and expertise and address the increasing number of application vulnerabilities.  The need for education and certification in this area has become an overwhelming global concern in the industry and as a certifying body and proponent of continuing professional education we were presented the opportunity to provide a solution to address the issue. The Certified Secure Software Lifecycle Professional (CSSLP) aims to stem the proliferation of security vulnerabilities resulting from insufficient development processes by establishing best practices and validating an individual's competency in addressing security issues throughout the software lifecycle (SLC).

Here is the opportunity for security consultants:

• Pass the test - use it for your sales pitch.
• Grab the content above from MS and deliver your services according to it. Use MS credibility.

My related posts:

• Security Engineering Big Rocks
• Threat Modeling Big Chunks
• Security Code Review – String Search Patterns For Finding Vulnerabilities In ASP.NET Web Application

SDL has just become a main stream! Whoa!

Two wrongs that make a right

A while ago, a friend told me that he would like to upgrade his SPS 2003 to MOSS 2007.

He tried upgrading, but was unable to get his custom 2003 list in 2007.

Looking deeper, we discovered that when he created the list, he made sure to copy an existing list definition before modifying it (good for him!), but he took a little shortcut, and added the custom list definition to an existing site definition. This was causing him the headache now, as he was upgrading to 2007 … so we played with it for a while and came with the following plan which I would call: “the two wrongs that make a right”, and here is how it goes:

Important note regarding the screen captures (videos): the below are for demo purposes only. I do not use a production environment, hence I skip even basic steps like backup before copying a new DB. For this demo I concentrate on a single site/content DB. For comprehensive upgrade information – please see the TechNet: Upgrading to Office SharePoint Server 2007 ]

Another note: if you fail to see the videos (which are streamed from Windows Live Silverlight Streaming) – there are links to download them (in WMV format) at the bottom of the post.

And a critical note: don’t try to adjust your speakers – it’s just screen captures. No talking :)

Our story begins in SharePoint 2003 where we copy an existing list definition, modify it and add it to the built-in STS site definition (THIS IS WRONG #1)

We pre-scan and backup the 2003 database, and copy it outside of our demo machine

In SharePoint 2007 environment we copy a list feature, modify it, install and test it.

The feature that we choose is the one closest to our 2003 list.

Note that this is a 64bit environment.

We prepare the SharePoint 2007 environment for the upgrade process

We modify STS upgrade file (namely wssupgrade.xml) to map the old list definition to the new feature (THIS IS WRONG #2).

Please note that you should NOT modify this file, but copy it and modify the copy, as described in Step 4: Create an Upgrade Definition File .

We perform a DB upgrade and the sites got our feature activated !!!

After upgrade finishes - we get our long lost lists (THIS IS THE RIGHT :))

Links to download the WMV formatted screen captures:

1. Upgrade STS custom list - Part1 - build the list in 2003 [43 MB]
2. Upgrade STS custom list - Part2 - prepare to upgrade to 2007 [21 MB]
3. Upgrade STS custom list - Part3 - build a feature in 2007 [23 MB]
4. Upgrade STS custom list - Part4 - prepare to upgrade in 2007 26[ MB]
5. Upgrade STS custom list - Part5 - prepare wssupgrade.xml [22 MB]
6. Upgrade STS custom list - Part6 - do the upgrade [14 MB]

Enjoy SharePoint :)

Rona

המדריך המלא לארכיטקטורה ומימוש יישומים – 2.0

This post was made with PracticeThis.com blog post template plugin for Windows Live Writer

מתודולוגיות ניהול פיתוח ומודל קאנו – או מה סוד הכשלון של מערכת שלך

מהו מודל של ניהול תהליך הפיתוח הכי מתאים לך?
למה צריך מתודולוגיה של ניהול הפיתוח בכלל?

אתה צריך מתודולוגיה כדי שתוכל לספק תוצר סופי (תכנה או שירות) – לפי לו”ז, לפי דרישות, לפי תקציב ובאיכות סבירה.

התפיסה שלי היא שלתהליך פיתוח – ללא קשר מה המודל – יש שלב של איסוף דרישות, תכנון מענה, בניית הפתרון, בדיקות, הטמעה ותחזוקה. הסייקלים (המחזורים) הם שונים. בכל מקרה קשה לי לדמיין איזה מתודולוגיה ללא אחד השלבים.