Security Development Lifecycle

Book description

Your customers demand and deserve better security and privacy in their software. This book is the first to detail a rigorous, proven methodology that measurably minimizes security bugs—the Security Development Lifecycle (SDL). In this long-awaited book, security experts Michael Howard and Steve Lipner from the Microsoft Security Engineering Team guide you through each stage of the SDL—from education and design to testing and post-release. You get their first-hand insights, best practices, a practical history of the SDL, and lessons to help you implement the SDL in any development organization.

Discover how to:

  • Use a streamlined risk-analysis process to find security design issues before code is committed
  • Apply secure-coding best practices and a proven testing process
  • Conduct a final security review before a product ships
  • Arm customers with prescriptive guidance to configure and deploy your product more securely
  • Establish a plan to respond to new security vulnerabilities
  • Integrate security discipline into agile methods and processes, such as Extreme Programming and Scrum

Includes a CD featuring:

  • A six-part security class video conducted by the authors and other Microsoft security experts
  • Sample SDL documents and a fuzz testing tool

PLUS—Get book updates on the Web.

A Note Regarding the CD or DVD

The print version of this book ships with a CD or DVD. For those customers purchasing one of the digital formats in which this book is available, we are pleased to offer the CD/DVD content as a free download via O'Reilly Media's Digital Distribution services. To download this content, please visit O'Reilly's web site, search for the title of this book to find its catalog page, and click on the link below the cover image (Examples, Companion Content, or Practice Files). Note that while we provide as much of the media content as we are able via free download, we are sometimes limited by licensing restrictions. Please direct any questions or concerns to booktech@oreilly.com.

Table of contents

  1. The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software
  2. Foreword
  3. Introduction
    1. Why Should You Read This Book?
    2. Organization of This Book
      1. Part I, “The Need for the SDL”
      2. Part II, “The Security Development Lifecycle Process”
      3. Part III, “SDL Reference Material”
    3. The Future Evolution of the SDL
    4. What’s on the Companion Disc?
    5. System Requirements
    6. Acknowledgments
    7. References
      1. Bibliography
  4. I. The Need for the SDL
    1. 1. Enough Is Enough: The Threats Have Changed
      1. Worlds of Security and Privacy Collide
      2. Another Factor That Influences Security: Reliability
      3. It’s Really About Quality
      4. Why Major Software Vendors Should Create More Secure Software
        1. A Challenge to Large ISVs
      5. Why In-House Software Developers Should Create More Secure Software
      6. Why Small Software Developers Should Create More Secure Software
      7. Summary
      8. References
        1. Bibliography
    2. 2. Current Software Development Methods Fail to Produce Secure Software
      1. “Given enough eyeballs, all bugs are shallow”
        1. Incentive to Review Code
        2. Understanding Security Bugs
        3. Critical Mass
        4. “Many Eyeballs” Misses the Point Altogether
      2. Proprietary Software Development Methods
        1. CMMI, TSP, and PSP
      3. Agile Development Methods
      4. Common Criteria
      5. Summary
      6. References
        1. Bibliography
    3. 3. A Short History of the SDL at Microsoft
      1. First Steps
      2. New Threats, New Responses
      3. Windows 2000 and the Secure Windows Initiative
      4. Seeking Scalability: Through Windows XP
      5. Security Pushes and Final Security Reviews
      6. Formalizing the Security Development Lifecycle
      7. A Continuing Challenge
      8. References
        1. Bibliography
    4. 4. SDL for Management
      1. Commitment for Success
        1. Commitment at Microsoft
        2. Is the SDL Necessary for You?
        3. Effective Commitment
          1. Make a Statement
          2. Be Visible
          3. Provide Resources
          4. Stop Products
      2. Managing the SDL
        1. Resources
          1. Factors That Affect the Cost of SDL
          2. Rules of Thumb
        2. Is the Project on Track?
      3. Summary
      4. References
        1. Bibliography
  5. II. The Security Development Lifecycle Process
    1. 5. Stage 0: Education and Awareness
      1. A Short History of Security Education at Microsoft
      2. Ongoing Education
      3. Types of Training Delivery
      4. Exercises and Labs
      5. Tracking Attendance and Compliance
        1. Other Compliance Ideas
      6. Measuring Knowledge
      7. Implementing Your Own In-House Training
        1. Creating Education Materials “On a Budget”
      8. Key Success Factors and Metrics
      9. Summary
      10. References
        1. Bibliography
    2. 6. Stage 1: Project Inception
      1. Determine Whether the Application Is Covered by SDL
      2. Assign the Security Advisor
        1. Act as a Point of Contact Between the Development Team and the Security Team
        2. Holding an SDL Kick-Off Meeting for the Development Team
        3. Holding Design and Threat Model Reviews with the Development Team
        4. Analyzing and Triaging Security-Related and Privacy-Related Bugs
        5. Acting as a Security Sounding Board for the Development Team
        6. Preparing the Development Team for the Final Security Review
        7. Working with the Reactive Security Team
      3. Build the Security Leadership Team
      4. Make Sure the Bug-Tracking Process Includes Security and Privacy Bug Fields
      5. Determine the “Bug Bar”
      6. Summary
      7. References
        1. Bibliography
    3. 7. Stage 2: Define and Follow Design Best Practices
      1. Common Secure-Design Principles
      2. Attack Surface Analysis and Attack Surface Reduction
        1. Step 1: Is This Feature Really That Important?
        2. Step 2: Who Needs Access to the Functionality and from Where?
        3. Step 3: Reduce Privilege
          1. Services and Low Privilege
        4. More Attack Surface Elements
          1. UDP vs. TCP
          2. Weak Permissions vs. Strong Permissions
          3. .NET Code vs. ActiveX Code
          4. ActiveX “Safe for Scripting”
          5. ActiveX SiteLocked Controls
          6. Managed Code AllowPartiallyTrustedCallers Attribute
      3. Summary
      4. References
        1. Bibliography
    4. 8. Stage 3: Product Risk Assessment
      1. Security Risk Assessment
        1. Setup Questions
        2. Attack Surface Questions
        3. Mobile-Code Questions
        4. Security Feature–Related Questions
        5. General Questions
        6. Analyzing the Questionnaire
      2. Privacy Impact Rating
        1. Privacy Ranking 1
        2. Privacy Ranking 2
        3. Privacy Ranking 3
      3. Pulling It All Together
      4. Summary
      5. References
        1. Bibliography
    5. 9. Stage 4: Risk Analysis
      1. Threat-Modeling Artifacts
      2. What to Model
      3. Building the Threat Model
      4. The Threat-Modeling Process
        1. 1. Define Use Scenarios
        2. 2. Gather a List of External Dependencies
        3. 3. Define Security Assumptions
        4. 4. Create External Security Notes
          1. Pet Shop 4.0 External Dependencies
          2. Pet Shop 4.0 Security Assumptions
          3. Pet Shop 4.0 External Security Information
          4. What Is Modeled and What Do You Depend On?
        5. 5. Create One or More DFDs of the Application Being Modeled
        6. 6. Determine Threat Types
          1. Spoofing Identity
          2. Tampering
          3. Repudiation
          4. Information Disclosure
          5. Denial of Service
          6. Elevation of Privilege
        7. 7. Identify Threats to the System
        8. 8. Determine Risk
        9. 9. Plan Mitigations
          1. Do Nothing
          2. Remove the Feature
          3. Turn Off the Feature
          4. Warn the User
          5. Counter the Threat with Technology
          6. (1.0→4.2→1.0) Data Flow from Pet Shop User to Web Application and Back
          7. (4.7.10) Audit Log Data Store
          8. (4.7.1) Order Processor Process
      5. Using a Threat Model to Aid Code Review
      6. Using a Threat Model to Aid Testing
      7. Key Success Factors and Metrics
      8. Summary
      9. References
        1. Bibliography
    6. 10. Stage 5: Creating Security Documents, Tools, and Best Practices for Customers
      1. Why Documentation and Tools?
      2. Creating Prescriptive Security Best Practice Documentation
        1. Setup Documentation
        2. Mainline Product Use Documentation
        3. Help Documentation
        4. Developer Documentation
      3. Creating Tools
      4. Summary
      5. References
        1. Bibliography
    7. 11. Stage 6: Secure Coding Policies
      1. Use the Latest Compiler and Supporting Tool Versions
      2. Use Defenses Added by the Compiler
        1. Buffer Security Check: /GS
        2. Safe Exception Handling: /SAFESEH
        3. Compatibility with Data Execution Prevention: /NXCOMPAT
      3. Use Source-Code Analysis Tools
        1. Source-Code Analysis Tool Traps
        2. Benefits of Source-Code Analysis Tools
      4. Do Not Use Banned Functions
      5. Reduce Potentially Exploitable Coding Constructs or Designs
      6. Use a Secure Coding Checklist
      7. Summary
      8. References
        1. Bibliography
    8. 12. Stage 7: Secure Testing Policies
      1. Fuzz Testing
        1. Fuzzing File Formats
          1. A generic file-fuzzing process
            1. Identify all valid file formats
            2. Collect a library of valid files
            3. Malform a file
            4. Consume the file and observe the application
        2. Fuzzing Network Protocols
          1. Create bogus packets
          2. Record-fuzz-replay packets
          3. Malforming packets on the fly
        3. Miscellaneous Fuzzing
        4. Fixing Bugs Found Through Fuzz Testing
      2. Penetration Testing
      3. Run-Time Verification
      4. Reviewing and Updating Threat Models if Needed
      5. Reevaluating the Attack Surface of the Software
      6. Summary
      7. References
        1. Bibliography
    9. 13. Stage 8: The Security Push
      1. Preparing for the Security Push
        1. Push Duration
      2. Training
      3. Code Reviews
        1. Executable-File Owners
      4. Threat Model Updates
      5. Security Testing
      6. Attack-Surface Scrub
      7. Documentation Scrub
      8. Are We Done Yet?
      9. Summary
      10. References
        1. Bibliography
    10. 14. Stage 9: The Final Security Review
      1. Product Team Coordination
      2. Threat Models Review
      3. Unfixed Security Bugs Review
      4. Tools-Use Validation
      5. After the Final Security Review Is Completed
        1. Handling Exceptions
      6. Summary
    11. 15. Stage 10: Security Response Planning
      1. Why Prepare to Respond?
        1. Your Development Team Will Make Mistakes
        2. New Kinds of Vulnerabilities Will Appear
        3. Rules Will Change
      2. Preparing to Respond
        1. Building a Security Response Center
          1. Which Vulnerabilities Will You Respond To?
          2. Where Do Vulnerability Reports Come From?
          3. Security Response Process
            1. Vulnerability reporting
            2. Triaging
            3. Creating the fix
              1. Security fixes and regressions
              2. Security fixes for multiple product versions and locales
            4. Managing the security researcher relationship
            5. Testing
            6. Content creation
              1. Security advisories
              2. Press outreach
            7. Update release
            8. Lessons learned
          4. Emergency Response Process
            1. Watch phase
            2. Alert and Mobilize phase
            3. Assess and Stabilize phase
            4. Resolve phase
      3. Security Response and the Development Team
        1. Create Your Response Team
        2. Support Your Entire Product
        3. Support All Your Customers
        4. Make Your Product Updatable
        5. Find the Vulnerabilities Before the Researchers Do
      4. Summary
      5. References
        1. Bibliography
    12. 16. Stage 11: Product Release
      1. References
        1. Bibliography
    13. 17. Stage 12: Security Response Execution
      1. Following Your Plan
        1. Stay Cool
        2. Take Your Time
        3. Watch for Events That Might Change Your Plans
        4. Follow Your Plan
      2. Making It Up as You Go
        1. Know Who to Call
        2. Be Able to Build an Update
        3. Be Able to Install an Update
        4. Know the Priorities When Inventing Your Process
      3. Knowing What to Skip
      4. Summary
      5. References
        1. Bibliography
  6. III. SDL Reference Material
    1. 18. Integrating SDL with Agile Methods
      1. Using SDL Practices with Agile Methods
        1. Security Education
        2. Project Inception
        3. Establishing and Following Design Best Practices
        4. Risk Analysis
        5. Creating Security Documents, Tools, and Best Practices for Customers
        6. Secure Coding and Testing Policies
        7. Security Push
        8. Final Security Review
        9. Product Release
        10. Security Response Execution
      2. Augmenting Agile Methods with SDL Practices
        1. User Stories
        2. Small Releases and Iterations
        3. Moving People Around
        4. Simplicity
        5. Spike Solutions
        6. Refactoring
        7. Constant Customer Availability
        8. Coding to Standards
        9. Coding the Unit Test First
        10. Pair Programming
        11. Integrating Often
        12. Leaving Optimization Until Last
        13. When a Bug Is Found, a Test Is Created
      3. Summary
      4. References
        1. Bibliography
    2. 19. SDL Banned Function Calls
      1. The Banned APIs
        1. Banned String Copy Functions and Replacements
        2. Banned String Concatenation Functions and Replacements
        3. Banned sprintf Functions and Replacements
        4. Banned “n” sprintf Functions and Replacements
        5. Banned Variable Argument sprintf Functions and Replacements
        6. Banned Variable Argument “n” sprintf Functions and Replacements
        7. Banned “n” String Copy Functions and Replacements
        8. Banned “n” String Concatenation Functions and Replacements
        9. Banned String Tokenizing Functions and Replacements
        10. Banned Makepath Functions and Replacements
        11. Banned Splitpath Functions and Replacements
        12. Banned scanf Functions and Replacements
        13. Banned “n” scanf Functions and Replacements
        14. Banned Numeric Conversion Functions and Replacements
        15. Banned gets Functions and Replacements
        16. Banned IsBad* Functions and Replacements
        17. Banned OEM Conversion Functions and Replacements
        18. Banned Stack Dynamic Memory Allocation Functions and Replacements
        19. Banned String Length Functions and Replacements
      2. Why the “n” Functions Are Banned
      3. Important Caveat
      4. Choosing StrSafe vs. Safe CRT
      5. Using StrSafe
        1. StrSafe Example
      6. Using Safe CRT
        1. Safe CRT Example
      7. Other Replacements
      8. Tools Support
      9. ROI and Cost Impact
      10. Metrics and Goals
      11. References
        1. Bibliography
    3. 20. SDL Minimum Cryptographic Standards
      1. High-Level Cryptographic Requirements
        1. Cryptographic Technologies vs. Low-Level Cryptographic Algorithms
        2. Use Cryptographic Libraries
        3. Cryptographic Agility
        4. Default to Secure Cryptographic Algorithms
      2. Cryptographic Algorithm Usage
        1. Symmetric Block Ciphers and Key Lengths
        2. Symmetric Stream Ciphers and Key Lengths
        3. Symmetric Algorithm Modes
        4. Asymmetric Algorithms and Key Lengths
        5. Hash Functions
        6. Message Authentication Codes
      3. Data Storage and Random Number Generation
        1. Storing Private Keys and Sensitive Data
        2. Generating Random Numbers and Cryptographic Keys
        3. Generating Random Numbers and Cryptographic Keys from Passwords or Other Keys
      4. References
        1. Bibliography
    4. 21. SDL-Required Tools and Compiler Options
      1. Required Tools
        1. PREfast
        2. FxCop
        3. Application Verifier
        4. Minimum Compiler and Build Tool Versions
          1. Unmanaged Compiler Flags
      2. References
        1. Bibliography
    5. 22. Threat Tree Patterns
      1. Spoofing an External Entity or a Process
      2. Tampering with a Process
      3. Tampering with a Data Flow
      4. Tampering with a Data Store
      5. Repudiation
      6. Information Disclosure of a Process
      7. Information Disclosure of a Data Flow
      8. Information Disclosure of a Data Store
      9. Denial of Service Against a Process
      10. Denial of Service Against a Data Flow
      11. Denial of Service Against a Data Store
      12. Elevation of Privilege
      13. References
        1. Bibliography
  7. Appendix
  8. Index
  9. About the Authors
  10. Copyright

Product information

  • Title: Security Development Lifecycle
  • Author(s): Michael Howard, Steve Lipner
  • Release date: June 2006
  • Publisher(s): Microsoft Press
  • ISBN: 9780735622142