• Copyright

  Page 3

• Contents at a Glance

  Page 6

• Table of Contents

  Page 8

• Introduction

  Page 18

• + Part I. The Need for the SDL

  Page 24

  • + Chapter 1. Enough Is Enough: The Threats Have Changed

    Page 26

    • Worlds of Security and Privacy Collide

      Page 28

    • Another Factor That Influences Security: Reliability

      Page 31

    • It’s Really About Quality

      Page 33

    • Why Major Software Vendors Should Create MoreSecure Software

      Page 34

    • Why In-House Software Developers Should Create More Secure Software

      Page 35

    • Why Small Software Developers Should Create More Secure Software

      Page 35

    • Summary

      Page 36

    • References

      Page 36

  • + Chapter 2. Current Software Development Methods Fail to Produce Secure Software

    Page 40

    • “Given enough eyeballs, all bugs are shallow”

      Page 41

    • Proprietary Software Development Methods

      Page 44

    • Agile Development Methods

      Page 45

    • Common Criteria

      Page 45

    • Summary

      Page 46

    • References

      Page 47

  • + Chapter 3. A Short History of the SDL at Microsoft

    Page 50

    • First Steps

      Page 50

    • New Threats, New Responses

      Page 52

    • Windows 2000 and the Secure Windows Initiative

      Page 53

    • Seeking Scalability: Through Windows XP

      Page 55

    • Security Pushes and Final Security Reviews

      Page 56

    • Formalizing the Security Development Lifecycle

      Page 59

    • A Continuing Challenge

      Page 60

    • References

      Page 61

  • + Chapter 4. SDL for Management

    Page 64

    • Commitment for Success

      Page 64

    • Managing the SDL

      Page 71

    • Summary

      Page 74

    • References

      Page 74

• + Part II. The Security Development Lifecycle Process

  Page 76

  • + Chapter 5. Stage 0: Education and Awareness

    Page 78

    • A Short History of Security Education at Microsoft

      Page 79

    • Ongoing Education

      Page 81

    • Types of Training Delivery

      Page 83

    • Exercises and Labs

      Page 84

    • Tracking Attendance and Compliance

      Page 85

    • Measuring Knowledge

      Page 86

    • Implementing Your Own In-House Training

      Page 86

    • Key Success Factors and Metrics

      Page 87

    • Summary

      Page 88

    • References

      Page 88

  • + Chapter 6. Stage 1: Project Inception

    Page 90

    • Determine Whether the Application Is Covered by SDL

      Page 90

    • Assign the Security Advisor

      Page 91

    • Build the Security Leadership Team

      Page 94

    • Make Sure the Bug-Tracking Process Includes Security and Privacy Bug Fields

      Page 95

    • Determine the “Bug Bar”

      Page 97

    • Summary

      Page 97

    • References

      Page 97

  • + Chapter 7. Stage 2: Define and FollowDesign Best Practices

    Page 98

    • Common Secure-Design Principles

      Page 99

    • Attack Surface Analysis and Attack Surface Reduction

      Page 101

    • Summary

      Page 112

    • References

      Page 113

  • + Chapter 8. Stage 3: Product Risk Assessment

    Page 116

    • Security Risk Assessment

      Page 117

    • Privacy Impact Rating

      Page 119

    • Pulling It All Together

      Page 121

    • Summary

      Page 122

    • References

      Page 122

  • + Chapter 9. Stage 4: Risk Analysis

    Page 124

    • Threat-Modeling Artifacts

      Page 126

    • What to Model

      Page 127

    • Building the Threat Model

      Page 127

    • The Threat-Modeling Process

      Page 128

    • Using a Threat Model to Aid Code Review

      Page 151

    • Using a Threat Model to Aid Testing

      Page 152

    • Key Success Factors and Metrics

      Page 152

    • Summary

      Page 153

    • References

      Page 153

  • + Chapter 10. Stage 5: Creating Security Documents, Tools, and Best Practices for Customers

    Page 156

    • Why Documentation and Tools?

      Page 158

    • Creating Prescriptive Security Best PracticeDocumentation

      Page 158

    • Creating Tools

      Page 162

    • Summary

      Page 163

    • References

      Page 163

  • + Chapter 11. Stage 6: Secure Coding Policies

    Page 166

    • Use the Latest Compiler and Supporting Tool Versions

      Page 166

    • Use Defenses Added by the Compiler

      Page 167

    • Use Source-Code Analysis Tools

      Page 168

    • Do Not Use Banned Functions

      Page 171

    • Reduce Potentially Exploitable CodingConstructs or Designs

      Page 172

    • Use a Secure Coding Checklist

      Page 173

    • Summary

      Page 173

    • References

      Page 173

  • + Chapter 12. Stage 7: Secure Testing Policies

    Page 176

    • Fuzz Testing

      Page 176

    • Penetration Testing

      Page 187

    • Run-Time Verification

      Page 188

    • Reviewing and Updating Threat Models if Needed

      Page 188

    • Reevaluating the Attack Surface of the Software

      Page 189

    • Summary

      Page 189

    • References

      Page 189

  • + Chapter 13. Stage 8: The Security Push

    Page 192

    • Preparing for the Security Push

      Page 193

    • Training

      Page 194

    • Code Reviews

      Page 195

    • Threat Model Updates

      Page 197

    • Security Testing

      Page 198

    • Attack-Surface Scrub

      Page 198

    • Documentation Scrub

      Page 199

    • Are We Done Yet?

      Page 200

    • Summary

      Page 201

    • References

      Page 202

  • + Chapter 14. Stage 9: The Final Security Review

    Page 204

    • Product Team Coordination

      Page 205

    • Threat Models Review

      Page 205

    • Unfixed Security Bugs Review

      Page 206

    • Tools-Use Validation

      Page 207

    • After the Final Security Review Is Completed

      Page 207

    • Summary

      Page 208

  • + Chapter 15. Stage 10: Security Response Planning

    Page 210

    • Why Prepare to Respond?

      Page 210

    • Preparing to Respond

      Page 213

    • Security Response and the Development Team

      Page 231

    • Summary

      Page 236

    • References

      Page 236

  • + Chapter 16. Stage 11: Product Release

    Page 238

    • References

      Page 238

  • + Chapter 17. Stage 12: Security Response Execution

    Page 240

    • Following Your Plan

      Page 240

    • Making It Up as You Go

      Page 243

    • Knowing What to Skip

      Page 244

    • Summary

      Page 245

    • References

      Page 245

• + Part III. SDL Reference Material

  Page 246

  • + Chapter 18. Integrating SDL with Agile Methods

    Page 248

    • Using SDL Practices with Agile Methods

      Page 249

    • Augmenting Agile Methods with SDL Practices

      Page 257

    • Summary

      Page 262

    • References

      Page 262

  • + Chapter 19. SDL Banned Function Calls

    Page 264

    • The Banned APIs

      Page 265

    • Why the “n” Functions Are Banned

      Page 268

    • Important Caveat

      Page 269

    • Choosing StrSafe vs. Safe CRT

      Page 269

    • Using StrSafe

      Page 269

    • Using Safe CRT

      Page 270

    • Other Replacements

      Page 271

    • Tools Support

      Page 271

    • ROI and Cost Impact

      Page 272

    • Metrics and Goals

      Page 272

    • References

      Page 272

  • + Chapter 20. SDL Minimum Cryptographic Standards

    Page 274

    • High-Level Cryptographic Requirements

      Page 274

    • Cryptographic Algorithm Usage

      Page 276

    • Data Storage and Random Number Generation

      Page 279

    • References

      Page 280

  • + Chapter 21. SDL-Required Tools and Compiler Options

    Page 282

    • Required Tools

      Page 282

    • References

      Page 291

  • + Chapter 22. Threat Tree Patterns

    Page 292

    • Spoofing an External Entity or a Process

      Page 294

    • Tampering with a Process

      Page 296

    • Tampering with a Data Flow

      Page 297

    • Tampering with a Data Store

      Page 299

    • Repudiation

      Page 301

    • Information Disclosure of a Process

      Page 303

    • Information Disclosure of a Data Flow

      Page 304

    • Information Disclosure of a Data Store

      Page 305

    • Denial of Service Against a Process

      Page 307

    • Denial of Service Against a Data Flow

      Page 308

    • Denial of Service Against a Data Store

      Page 309

    • Elevation of Privilege

      Page 310

    • References

      Page 311

• Index

  Page 314

Your customers demand and deserve better security and privacy in their software. This book is the first to detail a rigorous, proven methodology that measurably minimizes security bugs--the Security Development Lifecycle (SDL). In this long-awaited book, security experts Michael Howard and Steve Lipner from the Microsoft Security Engineering Team guide you through each stage of the SDL--from education and design to testing and post-release. You get their first-hand insights, best practices, a practical history of the SDL, and lessons to help you implement the SDL in any development organization.

Discover how to:

• Use a streamlined risk-analysis process to find security design issues before code is committed

• Apply secure-coding best practices and a proven testing process

• Conduct a final security review before a product ships

• Arm customers with prescriptive guidance to configure and deploy your product more securely

• Establish a plan to respond to new security vulnerabilities

• Integrate security discipline into agile methods and processes, such as Extreme Programming and Scrum

Includes a CD featuring:

• A six-part security class video conducted by the authors and other Microsoft security experts

• Sample SDL documents and fuzz testing tool

PLUS--Get book updates on the Web.

A Note Regarding the CD or DVD

The print version of this book ships with a CD or DVD. For those customers purchasing one of the digital formats in which this book is available, we are pleased to offer the CD/DVD content as a free download via O'Reilly Media's Digital Distribution services. To download this content, please visit O'Reilly's web site, search for the title of this book to find its catalog page, and click on the link below the cover image (Examples, Companion Content, or Practice Files). Note that while we provide as much of the media content as we are able via free download, we are sometimes limited by licensing restrictions. Please direct any questions or concerns to booktech@oreilly.com.