SDL Process: Implementation

The focus of this phase is twofold: preparing the guidance that helps the end user make informed decisions about the most secure ways to deploy the software, and establishing the development-time practices for detecting and removing security issues from the code before it ships.

Training
  • Core Security Training
Requirements
  • Establish Security Requirements
  • Create Quality Gates/Bug Bars
  • Perform Security and Privacy Risk Assessments
Design
  • Establish Design Requirements
  • Perform Attack Surface Analysis/ Reduction
  • Use Threat Modeling
Implementation
  • Use Approved Tools
  • Deprecate Unsafe Functions
  • Perform Static Analysis
Verification
  • Perform Dynamic Analysis
  • Perform Fuzz Testing
  • Conduct Attack Surface Review
Release
  • Create an Incident Response Plan
  • Conduct Final Security Review
  • Certify Release and Archive
Response
  • Execute Incident Response Plan

SDL Practice #8: Use Approved Tools

Publishing a list of approved tools and their required security settings (such as compiler and linker options and the warnings that must be enabled) lets teams automate and enforce security practices at low cost. Reviewing the list regularly means teams build with current tool versions and pick up new analysis checks and compiler-inserted protections as they become available.

When should this practice be implemented?

Traditional Software development: Implementation Phase
Agile development: Every Sprint

SDL Practice #9: Deprecate Unsafe Functions

Analyzing all functions and APIs the project uses, and banning those determined to be unsafe, removes a whole class of potential security bugs at very little engineering cost. The ban should be enforced mechanically rather than by convention: use header files that flag banned names, newer compilers that warn on them, or code scanning tools to find calls to functions on the banned list, and then replace each call with a safer alternative.

When should this practice be implemented?

Traditional Software development: Implementation Phase
Agile development: Every Sprint
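The two halves of this practice, a header that makes banned names fail to compile and a bounded replacement for the most common one, as an added example in C. This is not Microsoft's banned.h or any SDL tool code: the macro trap is a portable stand-in for the #pragma deprecated approach banned.h uses on MSVC, the banned names are a small constructed subset, and safe_copy, demo_status and demo_roundtrip are names chosen for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ---- Portable stand-in for a banned.h-style header (constructed example) ----
 * Included after the standard headers so their prototypes are unaffected.
 * Any later use of a banned name expands to an undeclared identifier that
 * spells out the replacement, so the build fails at the offending call site
 * with a message along the lines of:
 *     error: 'BANNED_strcpy__use_safe_copy_or_strcpy_s' undeclared
 * Microsoft's banned.h marks the same names with MSVC's #pragma deprecated. */
#undef strcpy
#define strcpy(dst, src)    BANNED_strcpy__use_safe_copy_or_strcpy_s
#undef strcat
#define strcat(dst, src)    BANNED_strcat__use_strcat_s
#undef sprintf
#define sprintf(...)        BANNED_sprintf__use_snprintf_or_sprintf_s
#undef gets
#define gets(buf)           BANNED_gets__use_fgets

typedef enum { COPY_OK = 0, COPY_BADARG = 1, COPY_TRUNCATED = 2 } CopyStatus;

/* The banned original this replaces, which reads src up to its terminator
 * regardless of how large dst is:
 *     void set_name(char name[16], const char *src) { strcpy(name, src); }
 */

/* Bounded replacement. The destination size is explicit, src is never read
 * beyond dstsz bytes, and on overflow dst is cleared rather than truncated
 * (the choice strcpy_s makes), so a caller that ignores the status cannot
 * keep operating on a silently shortened path or command line. */
CopyStatus safe_copy(char *dst, size_t dstsz, const char *src) {
    if (dst == NULL || dstsz == 0) return COPY_BADARG;
    if (src == NULL) { dst[0] = '\0'; return COPY_BADARG; }
    size_t len = 0;
    while (len < dstsz && src[len] != '\0') len++;
    if (len == dstsz) { dst[0] = '\0'; return COPY_TRUNCATED; }   /* no room for '\0' */
    memcpy(dst, src, len + 1);
    return COPY_OK;
}

/* Wrappers over a fixed 16-byte buffer (constructed inputs) so the status
 * and the resulting contents can be checked. */
int demo_status(const char *input) {
    char name[16];
    return (int)safe_copy(name, sizeof name, input);
}

int demo_roundtrip(const char *input) {
    char name[16];
    return safe_copy(name, sizeof name, input) == COPY_OK && strcmp(name, input) == 0;
}

int main(void) {
    const char *inputs[] = { "alice", "exactly15chars!", "sixteen chars!!!", NULL };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-20s -> status %d\n", inputs[i] ? inputs[i] : "(null)", demo_status(inputs[i]));
    return 0;
}
```

The trap is deliberately a compile error rather than a warning: a warning can be ignored or lost in a noisy build log, whereas an undeclared identifier stops the build at the exact line that needs changing.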

SDL Practice #10: Perform Static Analysis

Analyzing the source code prior to compilation provides a scalable method of security code review and helps ensure that secure coding policies are being followed. Static analysis finds pattern-based defects consistently across a large code base, but it also produces false positives and misses logic flaws, so its findings still need triage and it complements manual review rather than replacing it.

When should this practice be implemented?

Traditional Software development: Implementation Phase
Agile development: Every Sprint
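A minimal pre-compilation scanner of the kind Practice #9 refers to as a code scanning tool, as an added example in C rather than code from the page or the SDL toolset. It reports calls to functions on a banned list by line number, skipping comments and string literals so that commented-out or quoted mentions are not false positives, and requiring a whole-identifier match so that strcpy_s is not reported as strcpy. The banned list and SAMPLE_SOURCE are constructed for the example; scan_banned and the sample_finding_* helpers are names chosen here.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Names to flag. Constructed subset for this example; a real deployment would
 * load the team's published banned list. */
static const char *const BANNED[] = { "strcpy", "strcat", "sprintf", "gets", "strncpy" };
#define NBANNED (sizeof BANNED / sizeof BANNED[0])

typedef struct { int line; const char *name; } Finding;

static int is_ident(int c) { return isalnum((unsigned char)c) || c == '_'; }

/* Scans C source text for calls to banned functions. Comments and string/char
 * literals are skipped, the identifier must match a banned name in full, and
 * it must be followed by '(' so only call sites are counted. Returns the total
 * number of findings; the first max of them are written to out. */
size_t scan_banned(const char *src, Finding *out, size_t max) {
    size_t n = 0;
    int line = 1;
    const char *p = src;
    while (*p) {
        if (*p == '\n') { line++; p++; continue; }
        if (p[0] == '/' && p[1] == '/') {                  /* line comment */
            while (*p && *p != '\n') p++;
            continue;
        }
        if (p[0] == '/' && p[1] == '*') {                  /* block comment */
            p += 2;
            while (*p && !(p[0] == '*' && p[1] == '/')) { if (*p == '\n') line++; p++; }
            if (*p) p += 2;
            continue;
        }
        if (*p == '"' || *p == '\'') {                     /* string or char literal */
            char quote = *p++;
            while (*p && *p != quote) {
                if (*p == '\\' && p[1]) p++;               /* skip the escaped character */
                if (*p == '\n') line++;
                p++;
            }
            if (*p) p++;
            continue;
        }
        if (is_ident(*p)) {                                /* identifier */
            const char *start = p;
            while (is_ident(*p)) p++;
            size_t len = (size_t)(p - start);
            const char *q = p;
            while (*q == ' ' || *q == '\t') q++;
            if (*q != '(') continue;                       /* not a call */
            for (size_t i = 0; i < NBANNED; i++) {
                if (strlen(BANNED[i]) == len && memcmp(BANNED[i], start, len) == 0) {
                    if (n < max) { out[n].line = line; out[n].name = BANNED[i]; }
                    n++;
                    break;
                }
            }
            continue;
        }
        p++;
    }
    return n;
}

/* Constructed sample to scan: only lines 6 and 7 should be reported. */
static const char SAMPLE_SOURCE[] =
    "#include <string.h>\n"                                  /* line 1 */
    "void f(char *dst, size_t n, const char *src) {\n"       /* line 2 */
    "    strcpy_s(dst, n, src);      /* not banned */\n"     /* line 3 */
    "    // strcpy(dst, src);        commented out\n"        /* line 4 */
    "    puts(\"strcpy(x, y) inside a string\");\n"          /* line 5 */
    "    strcpy(dst, src);\n"                                /* line 6 */
    "    sprintf (dst, \"%s\", src);\n"                      /* line 7 */
    "}\n";

/* Helpers exposing the scan of SAMPLE_SOURCE one finding at a time. */
size_t sample_finding_count(void) { Finding f[16]; return scan_banned(SAMPLE_SOURCE, f, 16); }
int sample_finding_line(size_t i) {
    Finding f[16];
    size_t n = scan_banned(SAMPLE_SOURCE, f, 16);
    return (i < n && i < 16) ? f[i].line : -1;
}
const char *sample_finding_name(size_t i) {
    Finding f[16];
    size_t n = scan_banned(SAMPLE_SOURCE, f, 16);
    return (i < n && i < 16) ? f[i].name : "";
}

int main(void) {
    Finding f[16];
    size_t n = scan_banned(SAMPLE_SOURCE, f, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("line %d: banned call to %s\n", f[i].line, f[i].name);
    return n ? 1 : 0;                                       /* non-zero exit fails a build gate */
}
```

Run against each source file in a pre-build step and fail the build on a non-zero count; this is the cheapest form of the policy check, and a real analyzer adds to it the data-flow tracing that a token scan cannot do.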

    • VIDEOS
      • CAT.NET 32-bit
        CAT.NET
        Watch this short video on CAT.NET. CAT.NET tool is one of the many free tools that are available as part of the Microsoft SDL Toolset. It's available in both 32-bit and 64-bit versions. CAT.NET is a command line tool that helps you identify security flaws within a managed code (C#, Visual Basic .NET, J#) application you are developing. It does so by scanning the binary and/or assembly of the application, and tracing the data flow among its statements, methods, and assemblies. CAT.NET also helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection, and XPath Injection.
        Run Time:        4:59
        Uploaded:        12/06/10
      • CAT.NET 64-bit
        CAT.NET (64-bit build; same description as the 32-bit video above)
        Run Time:        4:59
        Uploaded:        12/06/10
      • Anti-XSS
        Anti-Cross Site Scripting (XSS) Library
        Watch this short video to learn about Anti-XSS library. It's one of many tools available in the Microsoft SDL Toolset that can help you automate and implement the Microsoft SDL Process Guidance.
        Run Time:        10:58
        Uploaded:        12/07/10
      • FxCop
        FxCop
        Watch this short video to learn more about FxCop. FxCop is a tool that performs static code analysis of .NET code. It provides hundreds of rules covering Design, Globalization, Interoperability, Maintainability, Mobility, Naming, Performance, Portability, Reliability, Security, and Usage. For more detailed information please consult the Visual Studio 2010 MSDN documentation. The FxCop functionality is fully integrated into the Visual Studio 2010 Premium and Ultimate editions.
        Run Time:        5:37
        Uploaded:        12/07/10
      • Code Analysis for C/C++
        Code Analysis for C/C++
        Watch this short video to learn more about Code Analysis for C/C++. The C/C++ Code Analysis tool is a static analyzer provided with Visual Studio Team System or Visual Studio Team Suite that reports possible vulnerabilities in C/C++ source code to developers. Common coding errors reported by the tool include buffer overruns, uninitialized memory, null pointer dereferences, and memory and resource leaks.
        Run Time:        9:54
        Uploaded:        12/07/10
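The three defect classes the C/C++ Code Analysis description lists (buffer overrun, uninitialized memory, null pointer dereference), each as the form an analyzer flags beside its corrected form, as an added example in C. None of this is the tool's own code or output. The *_unsafe functions are compiled so the pattern is visible but are never called, since calling them with the inputs noted in the comments is undefined behaviour; copy_tag, parse_port, dup_upper and the demo_* wrappers are names chosen for this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* 1. Buffer overrun: copies until src's terminator regardless of dst's size. */
void copy_tag_unsafe(char dst[8], const char *src) {
    size_t i = 0;
    while (src[i] != '\0') { dst[i] = src[i]; i++; }   /* writes past dst[7] when strlen(src) >= 8 */
    dst[i] = '\0';
}

/* Fixed: the destination size is a parameter, the loop is bounded by it, and
 * overlong input is reported instead of silently cut. Returns 0 or -1. */
int copy_tag(char *dst, size_t dstsz, const char *src) {
    if (dst == NULL || src == NULL || dstsz == 0) return -1;
    size_t i = 0;
    while (i < dstsz && src[i] != '\0') { dst[i] = src[i]; i++; }
    if (i == dstsz) { dst[0] = '\0'; return -1; }      /* no room for the terminator */
    dst[i] = '\0';
    return 0;
}

/* 2. Uninitialized memory: value is assigned on only one path. */
int parse_port_unsafe(const char *s) {
    int value;
    if (s != NULL && *s != '\0') value = atoi(s);
    return value;                                       /* indeterminate when s is NULL or "" */
}

/* Fixed: every path assigns, and the parse is range-checked with strtol so a
 * malformed string is an error rather than port 0. Returns 1 on success. */
int parse_port(const char *s, int *port) {
    if (s == NULL || *s == '\0' || port == NULL) return 0;
    char *end = NULL;
    long v = strtol(s, &end, 10);
    if (*end != '\0' || v < 1 || v > 65535) return 0;
    *port = (int)v;
    return 1;
}

/* 3. Null pointer dereference: the allocation result is used unchecked. */
char *dup_upper_unsafe(const char *s) {
    char *copy = malloc(strlen(s) + 1);
    for (size_t i = 0; ; i++) {                         /* copy is written even if malloc failed */
        copy[i] = (s[i] >= 'a' && s[i] <= 'z') ? (char)(s[i] - 32) : s[i];
        if (s[i] == '\0') break;
    }
    return copy;
}

/* Fixed: NULL from malloc, and a NULL argument, are handled before any use. */
char *dup_upper(const char *s) {
    if (s == NULL) return NULL;
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy == NULL) return NULL;
    for (size_t i = 0; i < n; i++)
        copy[i] = (s[i] >= 'a' && s[i] <= 'z') ? (char)(s[i] - 32) : s[i];
    return copy;
}

/* Wrappers over constructed inputs so the corrected versions can be exercised. */
int demo_copy(const char *src) { char tag[8]; return copy_tag(tag, sizeof tag, src); }

int demo_parse(const char *s) { int port = -1; return parse_port(s, &port) ? port : -1; }

int demo_upper(const char *s, const char *want) {
    char *r = dup_upper(s);
    int ok = (r == NULL) ? (want == NULL) : (want != NULL && strcmp(r, want) == 0);
    free(r);
    return ok;
}
```

Each unsafe form is exactly the shape a path-sensitive analyzer reports: a write whose index is not bounded by the destination's size, a read of a variable that some path never assigns, and a dereference of a pointer that a callee may return as NULL. The fixed forms make the missing condition explicit so the analyzer, and the next reader, can see it.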