The security development lifecycle : SDL, a process for developing demonstrably more secure software
Authors
Bibliographic Information
The security development lifecycle : SDL, a process for developing demonstrably more secure software
(Secure software development series)
Microsoft Press, c2006
University library holdings: 2 in total
Notes
Includes bibliographical references (p. 288-289) and index
System requirements for accompanying CD-ROM: Microsoft Word, Microsoft Visual Studio 2005 (or Visual C++ 2002, Visual C++ 2003, and Visual C++ 2005 as well as GCC 3.4.x), Windows Media Player 7 or later, Windows Media 9 codecs, Internet Explorer 6, and XML Parser 4.0 Service Pack 1 (included on the disc)
Description and Table of Contents
Description
Your customers demand and deserve better security and privacy in their software. This book is the first to detail a rigorous, proven methodology that measurably minimizes security bugs: the Security Development Lifecycle (SDL). In this long-awaited book, security experts Michael Howard and Steve Lipner from the Microsoft Security Engineering Team guide you through each stage of the SDL, from education and design to testing and post-release. You get their first-hand insights, best practices, a practical history of the SDL, and lessons to help you implement the SDL in any development organization.
Discover how to:
Use a streamlined risk-analysis process to find security design issues before code is committed
Apply secure-coding best practices and a proven testing process
Conduct a final security review before a product ships
Arm customers with prescriptive guidance to configure and deploy your product more securely
Establish a plan to respond to new security vulnerabilities
Integrate security discipline into agile methods and processes, such as Extreme Programming and Scrum
Includes a CD featuring:
A six-part security class video conducted by the authors and other Microsoft security experts
Sample SDL documents and fuzz testing tool
PLUS: Get book updates on the Web.
For customers who purchase an ebook version of this title, instructions for downloading the CD files can be found in the ebook.
Table of Contents
Part 1: The Need for the SDL
Enough is Enough: The Threats Have Changed
Current Software Development Methods Fail to Produce Secure Software
A Short History of the SDL at Microsoft
SDL for Management

Part 2: The Security Development Lifecycle Process
Stage 0: Education and Awareness
Stage 1: Project Inception
Stage 2: Define and Follow Design Best Practices
Stage 3: Product Risk Assessment
Stage 4: Risk Analysis
Stage 5: Creating Security Documents, Tools, and Best Practices for Customers
Stage 6: Secure Coding Policies
Stage 7: Secure Testing Policies
Stage 8: The Security Push
Stage 9: The Final Security Review
Stage 10: The Security Response Planning
Stage 11: Product Release
Stage 12: Security Response Execution

Part 3: SDL Reference Material
Integrating SDL with Agile Methods
SDL Banned Function Calls
SDL Minimum Cryptographic Standards
SDL-Required Tools and Compiler options
Threat Tree Patterns

Source: Nielsen BookData