Frequently Asked Questions about Microsoft’s Security Development Lifecycle (SDL)


What is the Microsoft SDL Pro Network?

The Microsoft SDL Pro Network is a group of security consultants and trainers that specialize in application security and have substantial experience and expertise with the methodology and technologies of the Security Development Lifecycle (SDL), the industry-leading software security assurance process created by Microsoft and proven to be effective since 2004. The SDL Pro Network was created to address the challenges developers are facing with the increasing shift of attacks to the application layer. It is part of Microsoft’s commitment to enable organizations outside the company to develop more secure applications through SDL technologies, prescriptive guidance and industry partnerships.

SDL can make software more secure and private – you can leverage the same process in your code. Microsoft developed the SDL process to improve secure code. Products that were developed with the SDL show measurably reduced vulnerability counts after release, enhancing the security and privacy of the Microsoft platform to better protect customers from malicious and costly attacks.


The Security Development Lifecycle (SDL) is the industry-leading software security assurance process created by Microsoft. A Microsoft-wide initiative and a mandatory policy since 2004, the SDL has played a critical role in embedding security and privacy in Microsoft software and culture. Combining a holistic and practical approach, SDL introduces security and privacy early and throughout the development process. With attacks moving to the application layer, Microsoft is committed to supporting a more secure and trustworthy computing ecosystem by making SDL process guidance, tools and training more accessible to every developer. Visit the Microsoft SDL Pro Network to learn more.

Why is using Microsoft’s SDL so important?


With personal information becoming a valuable commodity for criminals, cyber crime poses a significant threat to every company, large or small. Cyber crime is a huge market with serious financial implications for businesses everywhere. In addition, attacks are clearly shifting up the stack to the application layer. Therefore, it has become more critical that software developers embed security and privacy into their software development process through the SDL. Benefits for development organizations include:

  • Reduce customer risk and improve customer trust by making software more inherently secure and protecting sensitive information.
  • Reduce the total cost of development by finding and eliminating vulnerabilities early in the design phase. According to the National Institute of Standards and Technology (NIST), eliminating vulnerabilities in the design stage can cost 30 times less than fixing them post release.
  • Reduce the cost of ownership for customers by issuing fewer security patches, therefore lowering the cost of managing patches for your applications.

Why was Security University chosen to be part of the Microsoft’s SDL Pro Network?

Security University specializes and focuses strictly on security training services. Microsoft recognizes Security University’s expertise and years of experience involving the same methodologies and technologies associated with the SDL.

What are the services that the SDL Pro Network members offer?


Closely following the SDL, these services are designed to span the entire lifecycle and make security and privacy an integral part of how software is developed. Specific offerings fall into the following capability areas:

  • Training, Policy and Organizational Capabilities, including security training and general counsel on how to implement the SDL
  • Requirement and Design, including risk analysis, functional requirements and threat modeling
  • Implementation, including use of APIs, code analysis and code review
  • Verification, including fuzzing and Web application scanning
  • Release and Response, including Final Security Review (FSR), penetration testing, and response planning and execution


What Security University training courses target SDL?

Security University has incorporated Microsoft’s SDL into each of the following Qualified Software Security Expert certification classes: 

Q/SSE® Qualified/ Software Security Expert 5-Day Bootcamp  
A three-part, five-day class that delivers the best of all of the Qualified Software Security Expert classes and more. Learn how to prevent attacks with a step-by-step process on how to fix software with countermeasures that protect your code. Completing and passing this Q/SSE class proves you have mastered the tactical software security skills labs and proves you're "qualified" for the job.
 
Q/SSPT® Qualified/ Software Security Penetration Testing  
A five-day hands-on workshop that introduces you to “how to penetrate your software”, a step-by-step methodology to effectively and efficiently attack software and break & fix software. This workshop is presented in an "interwoven" format where each topic has a hands-on component so that you can explore the attacking techniques and software tools using real software. Students gain insight, experience, and a nose for where bugs are hiding. 

Q/ST® Qualified/ Software Security Testing BootCamp 
A hands-on class allowing students to work together on actual project applications, attacking the applications they program day in and day out to find security vulnerabilities. The class takes top quality assurance testers and makes them into software security attackers with the passion, knowledge and experience to test applications.

How to Break & FIX Web Applications  
A five-day class that focuses on the web as the Internet's killer application. Web servers are the target of choice for hackers, with 97% of all web applications vulnerable. This class explores a model for web application testing as well as web application concerns, including accountability, availability, confidentiality and integrity.  
 
How to Break & FIX Software  
A two-day hands-on workshop that introduces you to "how to break software," a 17-step methodology to effectively and efficiently test software. This workshop is presented in an "interwoven" format where each topic has a hands-on component so that students can explore the testing techniques and software tools using real software. 
 
Q/SSH® Qualified/ Software Security Hacker/ Defender  
A five-day class that provides examples of security breaches, current day exploits, and vulnerabilities of real software code. Case studies illustrate the broad range of threats that organizations face from both external attackers as well as insiders. The class reviews underlying flaws, exploits, vulnerabilities, consequences, and mitigation techniques for each attack scenario.  
 
Introduction to Reverse Engineering  
A class designed to provide software testers and developers the skills to break even the most secure applications. As an introduction, the course lays the foundation for acquiring the skills that, when collectively applied, are known as reverse engineering. The course covers the complementary techniques of static and dynamic analysis and how together they can be used to identify vulnerable hot spots in applications.

For more information about the SDL, visit the Microsoft SDL portal.

Copyright © 2010 Security University, Inc. All rights reserved.