Book Description
Your customers demand and deserve better security and privacy in their software. This book is the first to detail a rigorous, proven methodology that measurably minimizes security bugs - the Security Development Lifecycle (SDL). In this long-awaited book, security experts Michael Howard and Steve Lipner from the Microsoft Security Engineering Team guide you through each stage of the SDL - from education and design to testing and post-release. You get their first-hand insights, best practices, a practical history of the SDL, and lessons to help you implement the SDL in any development organization.
Discover how to:
- Use a streamlined risk-analysis process to find security design issues before code is committed
- Apply secure-coding best practices and a proven testing process
- Conduct a final security review before a product ships
- Arm customers with prescriptive guidance to configure and deploy your product more securely
- Establish a plan to respond to new security vulnerabilities
- Integrate security discipline into agile methods and processes, such as Extreme Programming and Scrum.
This open book is licensed under an Open Publication License (OPL). You can download The Security Development Lifecycle ebook for free in PDF format (20.7 MB).
Table of Contents
Part I
The Need for the SDL
Chapter 1
Enough Is Enough: The Threats Have Changed
Chapter 2
Current Software Development Methods Fail to Produce Secure Software
Chapter 3
A Short History of the SDL at Microsoft
Chapter 4
SDL for Management
Part II
The Security Development Lifecycle Process
Chapter 5
Stage 0: Education and Awareness
Chapter 6
Stage 1: Project Inception
Chapter 7
Stage 2: Define and Follow Design Best Practices
Chapter 8
Stage 3: Product Risk Assessment
Chapter 9
Stage 4: Risk Analysis
Chapter 10
Stage 5: Creating Security Documents, Tools, and Best Practices for Customers
Chapter 11
Stage 6: Secure Coding Policies
Chapter 12
Stage 7: Secure Testing Policies
Chapter 13
Stage 8: The Security Push
Chapter 14
Stage 9: The Final Security Review
Chapter 15
Stage 10: Security Response Planning
Chapter 16
Stage 11: Product Release
Chapter 17
Stage 12: Security Response Execution
Part III
SDL Reference Material
Chapter 18
Integrating SDL with Agile Methods
Chapter 19
SDL Banned Function Calls
Chapter 20
SDL Minimum Cryptographic Standards
Chapter 21
SDL-Required Tools and Compiler Options
Chapter 22
Threat Tree Patterns