Questions tagged [sdl]

Security Development Lifecycle (SDL) is a secure coding paradigm developed by Microsoft.

14 questions
21 votes, 1 answer

Secure Development costs

What case-studies or references are available from companies who have implemented a secure development process (e.g., SDL or similar) around the cost/effort involved. Whilst each development department is likely to be a unique case, it is still…
Rory McCune
21 votes, 3 answers

Startup security

I'm running a lean start-up, and I can't afford to pay a dedicated security expert, what types of precautions can I take? These would need to be cheap, simple to implement, and require minimal time investment. To clarify, as this is a start-up we…
AviD
18 votes, 2 answers

The Creation of Secure Software Development Environments

[Edit] I did complete an analysis and framework of concepts that were included into my thesis for extensions to existing frameworks. All of the information in this thread was useful. The direct link to an extracted and shortened version of document…
iivel
11 votes, 2 answers

What is considered the simplest (or lightest) secure development lifecycle?

Microsoft has their simplified SDL: "The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development." "The process outlined in this paper sets a minimum threshold for SDL compliance. That said,…
Tate Hansen
10 votes, 6 answers

Are all security requirements expected to be testable?

Many approaches exist to define security requirements. To keep it simple, I would say to define a security requirement, one needs to model the threat encountered when building up misuse cases for specific use cases being worked out. Still, at the…
Phoenician-Eagle
7 votes, 2 answers

I am looking for feedback on Secure Development Lifecycle for Scrum that has been tested?

This question is indeed targeting SDL but for Scrum. The A-SDL from Microsoft is nice, but honestly I am not even daring testing it in reality as it seems too academic. I mean what they request for, requires an army of developers! or a dedicated…
Phoenician-Eagle
7 votes, 2 answers

Established Security Design Patterns?

In software engineering, a design pattern is a general reusable solution to a commonly occurring problem within a given context in software design. Wikipedia lists many different design patterns for example, but security is never mentioned. Open…
Demento
6 votes, 2 answers

Secure Software Development

I'm researching models on building security into the SDLC and so far have come across: BSIMM, Microsoft SDL, Open SAMM. Are there any other documents and resources to look into? Specific tools that incorporate the principles of these models to help…
Epoch Win
5 votes, 1 answer

How do Software Development Processes, OWASP CLASP & MS SDL, and Security Standards fit together?

How do these three concepts fit together: The Software Development Process (SDP) indicates the different phases of creating an application. Well known processes are waterfall, spiral, agile, extreme programming, etc. OWASP Clasp and Microsoft SDL…
daniel f.
5 votes, 1 answer

Data loss protection in software artifacts

Data loss protection is a major concern to every industry. The software engineering process involves multiple points for potential data loss, as a number of parties are involved other than the client and software development team. The list may…
Tathagata
2 votes, 0 answers

Microsoft Threat Modeling tool: how to avoid Spoofing of Destination Data Store

I have a threat model with a Cloud Storage entity and a Managed Application which accesses it. Here is the diagram: The Microsoft Threat Modeling Tool says in the report that: Cloud Storage may be spoofed by an attacker and this may lead to data…
Gabor Herman
1 vote, 1 answer

What would be good resources to conduct Technical Impact Analysis?

As continuing research in Secure Software Development, I found the OWASP Top 10 project lists Technical Impact such as: https://www.owasp.org/index.php/Top_10_2010-A1 Similarly, CAPEC lists impact in terms of CIA:…
Epoch Win
0 votes, 1 answer

Microsoft Threat Modeling Tool 2016 make a bi-directional connect

How do you make two processes bi-directional? I see that sometimes when I right click on the MS threat modeling tool that there is a bidirectional option but it is greyed out.
bdawg
-2 votes, 1 answer

Is ETSI TVRA a risk assessment or threat modeling tool?

Is ETSI TVRA TS 102 153 165-1 a risk assessment tool or threat modeling tool? And what's the justification? The purpose of the question is to be able to answer if TVRA is suitable to be mapped to Microsoft's SDL and at which practice ("PRACTICE #4:…
MFM