The Security Development Lifecycle

Description

Your customers demand and deserve better security and privacy in their software. This book is the first to detail a rigorous, proven methodology that measurably minimizes security bugs - the Security Development Lifecycle (SDL). In this long-awaited book, security experts Michael Howard and Steve Lipner from the Microsoft Security Engineering Team guide you through each stage of the SDL - from education and design to testing and post-release. You get their first-hand insights, best practices, a practical history of the SDL, and lessons to help you implement the SDL in any development organization.

Discover how to:

* Use a streamlined risk-analysis process to find security design issues before code is committed
* Apply secure-coding best practices and a proven testing process
* Conduct a final security review before a product ships
* Arm customers with prescriptive guidance to configure and deploy your product more securely
* Establish a plan to respond to new security vulnerabilities
* Integrate security discipline into agile methods and processes, such as Extreme Programming and Scrum

Includes a CD featuring:

* A six-part security class video conducted by the authors and other Microsoft security experts
* Sample SDL documents and fuzz testing tool

PLUS - Get book updates on the Web.

CONTENTS:

ForewordIntroductionPart I: The Need for the SDL
* Chapter 1: Enough Is Enough: The Threats Have Changed
* Chapter 2: Current Software Development Methods Fail to Produce Secure Software
* Chapter 3: A Short History of the SDL at Microsoft
* Chapter 4: SDL for ManagementPart II: The Security Development Lifecycle Process
* Chapter 5: Stage 0: Education and Awareness
* Chapter 6: Stage 1: Project Inception
* Chapter 7: Stage 2: Define and Follow Design Best Practices
* Chapter 8: Stage 3: Product Risk Assessment
* Chapter 9: Stage 4: Risk Analysis
* Chapter 10: Stage 5: Creating Security Documents, Tools, and Best Practices for Customers
* Chapter 11: Stage 6: Secure Coding Policies
* Chapter 12: Stage 7: Secure Testing Policies
* Chapter 13: Stage 8: The Security Push
* Chapter 14: Stage 9: The Final Security Review
* Chapter 15: Stage 10: Security Response Planning
* Chapter 16: Stage 11: Product Release
* Chapter 17: Stage 12: Security Response ExecutionPart III: SDL Reference Material
* Chapter 18: Integrating SDL with Agile Methods
* Chapter 19: SDL Banned Function Calls
* Chapter 20: SDL Minimum Cryptographic Standards
* Chapter 21: SDL-Required Tools and Compiler Options
* Chapter 22: Threat Tree PatternsAppendix : Appendix