Sunday, 31 January 2010

Security Digest #5

This is The Padlock, returning from its New Year celebrations, a little late, eyes red-rimmed, but brimming with security-related news. Happy New Security Strategy!


MSF for Agile + SDL Process Template

We first featured Microsoft's new SDL-Agile Process in November, and now happily return to it in order to welcome the first public beta of the new “MSF-A+SDL”, or to give it its full Sunday appellation, the MSF for Agile Software Development plus SDL Process Template for VSTS 2008 (see glossary for an explanation of "MSF").

This is a template which helps teams integrate secure development processes directly into their Visual Studio Team System environment, in a way similar to last year's SDL Process Template for VSTS, only this time, with added agility!

There are also some completely new features in the MSF-A+SDL, when compared with the previous SDL Process Template offering.

One useful addition is the automatic generation of new SDL task work items whenever a user adds a new iteration. This is particularly helpful because many projects, and especially agile projects such as web applications or cloud services with no defined “end date”, can run indefinitely, and so need to re-complete SDL requirements periodically (as defined in the SDL-Agile process).

Similarly, whenever new code, such as a new Visual Studio project or a web site, is checked in to an MSF-A+SDL project’s source control repository, the template can intelligently generate new SDL requirements appropriate to that particular project type. One example of this is given on the SDL blog: when a new C# web site is added to the repo, the template adds requirements such as disabling ASP.NET tracing, and applying the AntiXss library. Good boy!


Simple Implementations of Microsoft's SDL

2010's news from the Microsoft Security Development Lifecycle group continues with the announcement of a new "white paper" illustrating the core concepts of the SDL, and discussing the individual security activities that should be performed in order to claim compliance with the SDL process:


The 771KB PDF includes:
  • A brief overview of the Microsoft SDL
  • An overview of the Microsoft SDL Optimization Model
  • Discussion of Microsoft security development practices
  • Individual roles and responsibilities in the development process
  • Mandatory and Optional security activities
  • The application security verification process
The document outlines a "minimum threshold", staying true to the core attributes of the SDL, and providing a model for building an effective security development lifecycle - particularly in smaller organizations. By explaining how the SDL can be implemented with limited resources, and applied to any platform, the "Simplified SDL" white paper helps address certain common misconceptions about the Microsoft SDL, such as the idea that you have to be an organization the size of Microsoft in order to be able to implement it, or that it is only appropriate for Microsoft languages on Microsoft platforms, and you need some alternative methodology "... if you’re writing code with Ruby for OS X."


Black Hat

Black Hat DC 2010 has just started, and on Wednesday, SDL's Bryan Sullivan is due to give a talk about “Agile Security; or, How to Defend Applications with Five-Day-Long Release Cycles”, demonstrating the use of MSF-A+SDL. So there should soon be much more available, by way of information and resources, on the subject of the new VSTS template.

Meanwhile, the rest of January's security-related items (beautiful security, ugly passwords) already having escaped into their own dedicated articles, it's goodnight from me.
