The Microsoft Security Development Lifecycle: Training and Resources

SDL Process Guidance
- Detailed information on all stages and requirements of the Microsoft SDL:

SDL
- Michael Howard discusses the SDL development practices, TechEd Barcelona, Nov. 2007 – Presentation and Video
- Michael Howard's "Everything Developer Security" talk, TechEd Barcelona, Nov. 2007 – Presentation and Video
- Security practitioners and experts discuss "A Proactive Approach to Building a Successful Security Development Lifecycle (SDL) Program", Nov. 2008 – Presentation and Video
- Quiz "Test Your Security IQ", Nov. 2008 – Put your C/C++/C# security skills to the challenge by reviewing ten tricky code snippets devised by Michael Howard and Bryan Sullivan.
- SDL Series: a set of 8 articles investigating the Microsoft Security Development Lifecycle
- The Security Development Lifecycle Blog pulls together comments and insights from the Security Engineering team at Microsoft.
- Michael Howard and Steve Lipner, The Security Development Lifecycle, Microsoft Press, Redmond, Washington, 2006
- Michael Howard and David LeBlanc, Writing Secure Code, Second Edition, Microsoft Press, Redmond, Washington, 2003

Threat Modeling

Getting started with threat modeling
- Uncover Security Design Flaws Using the STRIDE Approach, Nov. 2006 – Learn how the STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of privileges) model helps uncover and mitigate security design vulnerabilities.
- Michael Howard discusses threat modeling, TechEd Barcelona, Nov. 2007 – Presentation and Video
- Michael Howard and Adam Shostack walk you through the SDL Threat Modeling Tool, Nov. 2008 – Video
- Getting Started with the SDL Threat Modeling Tool, Jan. 2009 – Follow Deb (a developer), Paul (a program manager), and Tim (a tester) through the process of developing their first threat model.

Diving deeper into threat modeling

Secure Application Development
- Securing Applications with the .NET Framework
The common language runtime and the .NET Framework provide many useful classes and services that enable developers to easily write secure code. These classes and services also enable system administrators to customize the access that code has to protected resources. In addition, the runtime and the .NET Framework provide useful classes and services that facilitate the use of cryptography and role-based security.
- Patterns & Practices – Security Guidance for Application Development
- Software Security with Static Code Analysis Using CAT.NET (Level 200), Feb. 2009 – Presentation and Video
In this webcast, Andreas Fuchsberger, Senior Software Design Engineer at Microsoft Corporation, provides an overview of what static code analysis is and the typical coding errors that static analysis can and cannot detect. He also looks at the recently released CAT.NET tool and how it helps with the detection of security vulnerabilities.

SDL for Online Services and Agile
- SDL embraces Web, Sept. 2008 – Get detailed information on the new online service SDL requirements.
- Bryan Sullivan discusses "More Secure Online Services Powered by the Microsoft Security Development Lifecycle", Oct. 2008 – Presentation and Video
- Agile SDL: Streamline Security Process for Agile Development, Nov. 2008 – Get to know the new SDL/Agile methodology
- Bryan Sullivan presents "Ajax Applications: A Blueprint for Disaster", Mar. 2009 – Presentation and Video
How secure is your average Ajax application? A sample Ajax application will be built using design patterns, advice, and code samples from respected resources in the Ajax community; then the glaring security vulnerabilities will be exposed.

Microsoft Privacy Guidelines
Privacy guidelines for developing software products and services that are based on Microsoft internal guidelines and experience incorporating privacy into the software development process.