6

I'm researching models on building security into the SDLC and so far have come across:

  1. BSIMM
  2. Microsoft SDL
  3. Open SAMM

Are there any other documents and resources to look into? Specific tools that incorporate the principals of these models to help dev teams build secure software?

Also any resources that might be specifically targeted to Smartphone App Development would be great.

Epoch Win
  • 922
  • 2
  • 7
  • 14

2 Answers2

6

Microsoft SDL v5 is pretty decent and you have to full paper explaining the whole process that can be downloaded from MSKB: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=12285

If you need to get just a general grasp of the process, you can read a short and solid intro @ TechSurface: http://techsurface.com/2010/01/microsoft-security-development-lifecycle-sdl.html

There are several more esoteric ones, if you are interested:

  1. Maturity Framework for Assuring Resiliency Under Stress
  2. Correctness by Construction

For Android secured development, try those:

  1. https://isecpartners.com/files/iSEC_Securing_Android_Apps.pdf - development focused.
  2. http://developer.android.com/guide/topics/security/security.html - for system security considerations.
Community
  • 1
dalimama
  • 1,065
  • 1
  • 11
  • 21
3

Since you refer to SDL I assume you know it already, but to have it mentioned here: Microsoft provides a SDL Threat Modelling Tool (http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx)

OWASP hosts a primer about Threat Risk Modelling (and recommends the use of Microsoft SDL)

And of course NIST has a whole load of docs on this topic, e.g.: http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/chapter7.html and: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

mdo
  • 326
  • 1
  • 6