SDL Process: Requirements

The project inception phase is the best time for a development team to consider foundational security and privacy issues and to analyze how to align quality and regulatory requirements with costs and business needs.

Training
  • Core Security Training
Requirements
  • Establish Security Requirements
  • Create Quality Gates/Bug Bars
  • Perform Security and Privacy Risk Assessments
Design
  • Establish Design Requirements
  • Perform Attack Surface Analysis/Reduction
  • Use Threat Modeling
Implementation
  • Use Approved Tools
  • Deprecate Unsafe Functions
  • Perform Static Analysis
Verification
  • Perform Dynamic Analysis
  • Perform Fuzz Testing
  • Conduct Attack Surface Review
Release
  • Create an Incident Response Plan
  • Conduct Final Security Review
  • Certify Release and Archive
Response
  • Execute Incident Response Plan

SDL Practice #2: Establish Security and Privacy Requirements

Defining and integrating security and privacy requirements early makes it easier to identify key milestones and deliverables and minimizes disruptions to plans and schedules.

Security and privacy analysis includes assigning security experts, defining minimum security and privacy criteria for an application, and deploying a security vulnerability/work item tracking system.

When should this practice be implemented?

Traditional software development: Requirements Phase
Agile development: One Time

    • VIDEOS
      • SDL Process Template
        Watch this short video to learn more about the SDL Process Template. The SDL Process Template is one of many free templates and tools available in the Microsoft SDL Toolset. The SDL Process Template is a downloadable template that leverages the technology of Visual Studio Team System (VSTS) and Team Foundation Server (TFS) to automatically integrate the policy, process and tools associated with the Security Development Lifecycle version into your software development environment.
        Run Time:        7:28
        Uploaded:        12/07/10
      • MSF-Agile+SDL Process Template
        Watch this short video to learn more about the MSF-Agile+SDL Process Template. The MSF-Agile+SDL Process Template is one of many templates and tools available to help you implement the Microsoft SDL. It is a downloadable Team Foundation Server template that automatically incorporates the policy, process and tools associated with the SDL for Agile development guidance into the familiar Microsoft Solutions Framework (MSF) for Agile software development (MSF-Agile) process template that ships with Visual Studio Team System.
        Run Time:        6:30
        Uploaded:        12/07/10

SDL Practice #3: Create Quality Gates/Bug Bars

Defining minimum acceptable levels of security and privacy quality at the start helps a team understand risks associated with security issues, identify and fix security bugs during development, and apply the standards throughout the entire project.

Setting a meaningful bug bar involves clearly defining the severity thresholds of security vulnerabilities (for example, no known vulnerabilities in the application with a “critical” or “important” rating at time of release) and never relaxing it once it's been set.

When should this practice be implemented?

Traditional software development: Requirements Phase
Agile development: One Time

SDL Practice #4: Perform Security and Privacy Risk Assessments

Examining software design based on costs and regulatory requirements helps a team identify which portions of a project will require threat modeling and security design reviews before release and determine the Privacy Impact Rating of a feature, product, or service.

When should this practice be implemented?

Traditional software development: Requirements Phase
Agile development: One Time