A New Book: The Security Development Lifecycle (Microsoft Press, 2006)

Much to my wife’s chagrin but to my delight I have just completed another book, this time with my boss, Steve Lipner. It’s a bit of a departure for me, as my prior books have been totally developer-centric. But that doesn’t mean I’m any less excited to do it; in fact, I think this book is more important than Writing Secure Code.

This time the book documents the Security Development Lifecycle (SDL), a process  that we’ve made part of the software development process here at Microsoft to build more secure software. Many customers, press, analysts, and, to be honest, competitors want to know more about what we’re doing in the software engineering space to shore up our software’s defenses. And thanks to the SDL, we’ve seen good progress to date (read: in the range of 50% reduction in vulnerabilities, sometimes more!)

In my opinion, what sets this book apart is the fact that it’s based on real-world software engineering, not theory, and is written by two guys whose job it is to work every day with software engineers and management to help them ship more secure software. We know what works and we know what doesn’t work. In fact, many people ask me, “If you had to choose two things from the SDL, what would they be?” and my answer is always the same, “Everything, because if it doesn’t work, it’s wouldn’t be in SDL!”

The Table of Contents for the book is:

Part I The Need for the SDL 
Chapter 1 Enough Is Enough: The Threats Have Changed
Chapter 2 Current Software Development Methods Fail
  to Produce Secure Software 
Chapter 3 A Short History of the SDL at Microsoft 
Chapter 4 SDL for Management 

Part II The Security Development Lifecycle Process  
Chapter 5 Stage 0: Education and Awareness 
Chapter 6 Stage 1: Project Inception 
Chapter 7 Stage 2: Define and Follow Design Best Practices 
Chapter 8 Stage 3: Product Risk Assessment 
Chapter 9 Stage 4: Risk Analysis 
Chapter 10 Stage 5: Creating Security Documents, Tools,
  and Best Practices for Customers 
Chapter 11 Stage 6: Secure Coding Policies 
Chapter 12 Stage 7: Secure Testing Policies 
Chapter 13  Stage 8: The Security Push 
Chapter 14 Stage 9: The Final Security Review 
Chapter 15 Stage 10: Security Response Planning 
Chapter 16 Stage 11: Product Release 
Chapter 17 Stage 12: Security Response Execution
Part III SDL Reference Material  
Chapter 18 Integrating SDL with Agile Methods  
Chapter 19 SDL Banned Function Calls  
Chapter 20 SDL Minimum Cryptographic Standards  
Chapter 21 SDL-Required Tools and Compiler Options 
Chapter 22 Threat Tree Patterns 

We kept the book short (352 pages) to focus on the core elements of the SDL, rather than blathering on. All the chapters are useful, but I think the most interesting chapters are these:

  • Ch 1 Really spells out the need for security (and it has nothing to do with security!)
  • Ch 3 Steve did a wonderful job of outlining the history of the SDL at Microsoft. It’s a real eye-opener and a very candid look into the security issues we, and the industry, face.
  • Ch 4 What managers need to know about implementing SDL, in terms of benefit and cost.
  • Ch 9 This is a highly updated and streamlined (and more pragmatic) look at our threat modeling and risk analysis framework, and it includes a real-world fully worked example.
  • Ch 12 This chapter introduces many security testing techniques, including fuzz-testing, and the book includes the source code for a file fuzzer.
  • Ch 15 Another Steve-chapter, this is an exposé of the Microsoft security response process. Again, it’s very candid, outlining many of the lessons we have learned building the best response process.
  • Ch 18 There has been zero security guidance for Agile methods, until now. This chapter was written in conjunction with the MSN and Windows Live team.
  • Ch 22 When we started threat modeling, we asked development teams to build threat trees. It turns out that unless you know what you’re doing, you will never build good threat trees. Then we realized that there are threat tree patterns that apply to the various threat types. This chapter outlines all the threat trees and how you can use them to design and test your application.

The book includes a CD that includes a six-part video presentation of the “Security Basics” class we deliver to all new employees here.

Steve and I are really excited about this book, in part because today is the day we sign off on it! The galleys are all reviewed and the cover looks great.

But we’re mostly excited because we believe this in an important book—the first book to document REAL software development process improvements that yield more secure software. It ain’t perfect, and that’s why we update the SDL twice a year, but it’s a great start.

The book will be available in June this year. You can find more info here http://www.microsoft.com/MSPress/books/8753.asp.