The Secure Development Lifecycle (SDL) is a software development security assurance process consisting of security practices grouped by seven phases of the traditional software development life cycle. The SDL process is not specific to Microsoft or the Windows platform and can be applied to different operating systems, platforms, development methodologies, and to projects of any size. In this demo-packed session, we will look at strategies for implementing Microsoft's SDL in your software development processes.
Agenda
Overview of the Microsoft SDL
Overview of code analysis
Microsoft code analysis tools:
  FxCop
  PREFast
  Visual Studio Code Analysis feature
  ASP Source Code Analyzer for SQL Injection
6 month cycle
MSF-A+SDL
TFS process template that incorporates the SDL for Agile process guidance into the MSF Agile development framework. Any code checked into the TFS source repository by the developer is analyzed to ensure that it complies with SDL secure development practices.
Demo #1 MSF-Agile plus Security Development Lifecycle Process Template for VS 2010
Key advantage:
Binary analysis tools have visibility into the compiled code itself
Microsoft FxCop
FxCop: An application that analyzes managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines
http://msdn.microsoft.com/en-us/library/bb429476(VS.80).aspx
Binary code analyzer for .NET assemblies
Can be fully integrated into the software development lifecycle
In addition to security checks, FxCop analyzes assemblies for areas of improvement in design, localization, and performance
FxCop
Microsoft PREFast
Microsoft PREFast: An application that identifies vulnerabilities in C/C++ source code
http://www.microsoft.com/whdc/DevTools/tools/PREfast.mspx
Static source code analyzer for C/C++ applications
Can be fully integrated into the software development lifecycle
Distributed with the Windows Driver Kit (WDK), but can be used to analyze non-driver code written in C/C++
PREFast
Enabled via /analyze command-line switch or through Visual Studio project properties settings
Conclusion
Overview of Microsoft SDL
Overview of code analysis
Microsoft code analysis tools
Microsoft SDL code analysis requirements