Applying the SDL to Windows Azure
Use of the Security Development Lifecycle (SDL) has grown from desktop-based applications to cloud-based applications. While building great software is important, it’s crucial that the end product is secure and free of exploits (or, failing that, that the risks are mitigated if any are found).
For those who aren’t familiar with the SDL process, this is an opportunity to better understand the role that the SDL plays in producing secure, high-quality code as well as in moving an application “to the cloud.” Using the SDL phases as a guide (sans Training [although here’s a good presentation] and Response), the following videos are break-out sessions for each section:
In this video, Chris Weber, Managing Partner, and Robert Mooney, Senior Software Development, Casaba, speak about applying Microsoft SDL Requirements security practices to applications built on top of Windows Azure, focusing on the requirements phase.
In this video, Joe Basirico, Director of Security Services, Security Innovation, speaks about mapping concepts from the design phase of the Microsoft SDL to Windows Azure, including application trust, secure storage, claims-based authorization, and cryptography.
In this video, Peter Oehlert, Senior Security Consultant, iSEC Partners, explains how the implementation phase of the Microsoft SDL applies to building Windows Azure applications. He starts by defining both the similarities and key differences between implementation of on-premises solutions and Windows Azure-based applications.
In this video, Aviram Jenik, CEO, Beyond Security, talks about applying the Microsoft SDL to applications built on top of Windows Azure, focusing on the verification phase.
In this video, Jason Glassberg, Co-Founder, Casaba, speaks about the release phase of the Microsoft SDL and how to apply the Microsoft SDL release phase practices to applications built on top of Windows Azure. Jason explains that the Microsoft SDL can apply to any cloud-based deployment, but focuses on Windows Azure, explaining that the steps are very similar to a typical on-premises application (File an Incident Response Plan, Perform a Final Security Review and Release Archive).
Additional information on the SDL process can be found here along with a white paper on Security Best Practices for Developing Windows Azure Applications.