SDL PROCESS: IMPLEMENTATION

The focus of this phase is helping the end user make informed decisions about the most secure ways to deploy the software. It's also the time to establish best practices for detecting and removing security issues from the code.


  • Publishing a list of approved tools and associated security checks (such as compiler/linker options and warnings) helps automate and enforce security practices easily at a low cost. Keeping the list regularly updated means the latest tool versions are used and allows inclusion of new security analysis functionality and protections.

    When should this practice be implemented?

    Traditional Software development: Implementation Phase
    Agile development: Every Sprint
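
An added example, not part of the original page or of any Microsoft tooling: one way an approved-tools list can be enforced automatically over build-log command lines. The minimum versions, option sets and sample log entries are constructed assumptions; the switches themselves are real MSVC `cl` and `link` options.

```python
import shlex

# Constructed approved-tools list: minimum versions and option sets are
# assumptions for illustration, not a published policy.
APPROVED = {
    "cl": {"min_version": (16, 0), "ignore_case": False,  # cl switches are case-sensitive
           "required": {"/GS", "/W4"}, "forbidden": {"/GS-"}},
    "link": {"min_version": (10, 0), "ignore_case": True,
             "required": {"/DYNAMICBASE", "/NXCOMPAT", "/SAFESEH"},
             "forbidden": {"/DYNAMICBASE:NO", "/NXCOMPAT:NO", "/SAFESEH:NO"}},
}

def tool_name(argv0):
    """Reduce a quoted or unquoted path such as 'C:/VC/bin/CL.EXE' to 'cl'."""
    base = argv0.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base

def options(args, ignore_case):
    """Collect switches, accepting both '/opt' and '-opt' spellings."""
    opts = {"/" + a[1:] for a in args if len(a) > 1 and a[0] in "/-"}
    return {o.upper() for o in opts} if ignore_case else opts

def check_invocation(command_line, version):
    """Return the policy violations for one build-log command line."""
    args = shlex.split(command_line, posix=False)  # keep Windows backslashes
    name = tool_name(args[0])
    rule = APPROVED.get(name)
    if rule is None:
        return [f"{name}: tool is not on the approved list"]
    problems = []
    if tuple(version) < rule["min_version"]:
        problems.append(f"{name}: version is below the approved minimum")
    seen = options(args[1:], rule["ignore_case"])
    problems += [f"{name}: missing required {o}" for o in sorted(rule["required"] - seen)]
    # Any explicit opt-out is reported, even if a later switch re-enables it.
    problems += [f"{name}: forbidden {o} present" for o in sorted(rule["forbidden"] & seen)]
    return problems

# Constructed build-log entries: (tool version, command line).
SAMPLE_LOG = [
    ((16, 0), r'"C:\VC\bin\cl.exe" /c /W4 /GS main.c'),
    ((15, 0), r"cl /c /W3 /GS- legacy.c"),
    ((10, 0), r"link -dynamicbase /NXCOMPAT /SAFESEH:NO main.obj"),
    ((1, 0), r"oldpacker.exe main.exe"),
]

def audit(log=SAMPLE_LOG):
    """Run the policy over every entry and return all violations in order."""
    return [p for version, cmd in log for p in check_invocation(cmd, version)]
```

Run as a build gate, a non-empty result from `audit()` fails the build, and updating `APPROVED` is how a new tool version or protection is rolled out to every project at once.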


  • Analyzing the source code prior to compilation provides a scalable method of security code review and helps ensure that secure coding policies are being followed.

    When should this practice be implemented?

    Traditional Software development: Implementation Phase
    Agile development: Every Sprint

    RESOURCES SPECIFIC TO THIS PRACTICE

    • VIDEOS
      • FxCop
        Watch this short video to learn more about FxCop. FxCop is a tool that performs static code analysis of .NET code. It provides hundreds of rules that perform various types of analysis, including Design, Globalization, Interoperability, Maintainability, Mobility, Naming, Performance, Portability, Reliability, Security, and Usage. For more detailed information, please consult the Visual Studio 2010 MSDN documentation. The FxCop functionality is fully integrated into Visual Studio 2010 Premium and Ultimate editions.
        Run Time:        5:37
        Uploaded:        12/07/10
      • Code Analysis for C/C++
        Watch this short video to learn more about Code Analysis for C++. The C/C++ Code Analysis tool is a static analyzer, provided with the installation of Visual Studio Team System or Visual Studio Team Suite, that gives developers information about possible vulnerabilities in their C/C++ source code. Common coding errors reported by the tool include buffer overruns, uninitialized memory, null pointer dereferences, and memory and resource leaks.
        Run Time:        9:54
        Uploaded:        12/07/10