Security (Not to be mistaken for Software) Development LifeCycle and Visual Studio - Team Foundation Server (VS-TFS)

Posted by Frederic Persoon - October 30, 2012


I was recently asked by one of our customers to talk about SDL and VS-TFS, so I thought I would share a synopsis of the roundtable with you. Feel free to ping me if you have questions.

In 2011, Honda was hit by 283,000 unauthorized data accesses and lost $206 million in lawsuits, and RSA Security had to reimburse $66 million. Sony, ADP, Google, Nasdaq and many others are examples of companies being hit on a regular basis, with varying impact. In fact, information from various studies suggests that more than 760 other organizations had networks compromised with some of the same resources used to hit RSA. Almost 20 percent of the current Fortune 100 companies are on this list.

Many rules have been put in place over time to try to prevent these and other issues, such as SOX, SB1386, ISO27001, BS7799, FISMA & NIST, PCI-DSS/OWASP, SEC, etc.

One of the common threats targets insecure applications:

• 90% of attacks are at the application layer (Verizon Business Study)

• Hacks targeting the retail sector have increased 43%, largely due to SQL injection and the use of exploit toolkits (Dell SecureWorks)

• 25% of respondents indicated that meeting compliance objectives is the most effective argument in convincing management to invest in software security (Forrester)

• 92% of attacks were not highly difficult (Verizon Business Study)

• Use of Hard-coded Credentials is still in the top 10 of the Most Dangerous Software Errors

And, as other studies suggest, not much is done about it.

So, where to start?


As for any change management project, we need to change people, process and tools:

People

· Implement new roles (e.g. Audit) and accountability

· Train and coach

· Align Governance-Security-Dev-QA-Ops Roles

Process

· Implement SDL

· Establish requirements

· Perform reviews

Tools/Technologies

· Leverage MS Stack (VS-TFS-SP-PPS)

· Code Analysis

· Work management (Process, documentation, etc.)

· Governance-Security-Dev-QA-Ops Work Alignment

· Automation

The good news is that the overall improvement process can be supported by Microsoft and VS-TFS. Indeed, as a pioneer in the field, the company developed the SDL process in late 1999 and made it mandatory in 2004; it is called the Secure Windows Initiative. This maturity model can support the implementation of the various steps required to make your applications secure.

Let’s focus on the tools. Various technical components have been included in Visual Studio and Team Foundation Server.

One of those components is the TFS template (currently for 2008 and 2010), which, among other things, includes new check-in rules, automated creation of specific tasks, and reporting.


The tooling is just one piece of what the SDL maturity framework includes. Practices such as automating static code analysis at build time, doing threat modeling using the Elevation of Privilege (EoP) card game (think of a serious game, like planning poker), and fuzz testing are also included, and are very well documented.

So, in conclusion, treat software security as a lifecycle process, not in a piecemeal fashion. Apply change management concepts along the way: take a baby-steps approach (define impact vs. maturity, remediation vs. new code), focus on the accuracy of the output at each stage, implement proactive security practices, align the various organizations (dev, security, business, QA, etc.), define as well as measure objectives, and leverage the tools to support your improvement process.
