Security (Not to be mistaken for Software) Development LifeCycle and Visual Studio - Team Foundation Server (VS-TFS)

Posted by Frederic Persoon - 30 October, 2012

header-picture

I was recently asked by one of our customer to talk about SDL and VS-TFS, I thought I would share a synopsis of the roundtable with you…Feel free to ping me if you have questions.

In 2011, Honda was hit by 283,000 unauthorized data access and lost $206 million in lawsuits, RSA security had to reimburse $66 Million. Sony, ADP, Google, Nasdaq and many others are examples of companies being hit on a regular basis with various impacts. In fact, information from various studies suggests that more than 760 other organizations had networks that were compromised with some of the same resources used to hit RSA. Almost 20 percent of the current Fortune 100 companies are on this list.

Many rules were put in place overtime to try to prevent some of those issues, and others, such as SOX, SB1386, ISO27001, BS7799, FISMA & NIST, PCI-DSS/OWASP, SEC, etc.

One of the common threats is against insecure applications:

• 90% of attacks are at the application layer (Verizon Business Study)

• Hacks targeting retail sector have increased 43%, largely due to SQL injection and the use of exploit toolkits (Dell SecureWorks)

• 25% of respondents indicated that meeting compliance objectives is the most effective argument in convincing management to invest in software security (Forrester)

• 92% of attacks were not highly difficult (Verizon Business Study)

• Use of Hard-coded Credentials is still in the top 10 of the Most Dangerous Software Errors

And as other studies suggest, not much is done about it:

clip_image002

So, where to start?

clip_image004

As for any change management project, we need to change people, process and tools:

People

· Implement new roles (e.g. Audit) and accountability

· Train and coach

· Align Governance-Security-Dev-QA-Ops Roles

Process

· Implement SDL

· Establish requirements

· Perform reviews

· Tools/Technologies

Leverage MS Stack (VS-TFS-SP-PPS)

· Code Analysis

· Work management (Process, documentation, etc.)

· Governance-Security-Dev-QA-Ops Work Alignment

· Automation

The good news is that the overall improvement process can be supported by Microsoft and VS-TFS. Indeed, as a pioneer in the field, the company developed the SDL process in the late 1999 and made it mandatory in 2004, it’s called the Secure Windows Initiative. This maturity model can support the implementation of the various steps required to make your applications secure.

Let’s focus on the tools; various technical components have been included in Visual Studio and Team Foundation server:

clip_image006

One of those components is the TFS template (currently 2008 and 2010), which among other things, includes new check-in rules, automated creation of specific tasks and reporting.

clip_image008

clip_image010

clip_image012

The tooling is just a piece of what the SDL maturity framework includes, some practices, like automating static code analysis at build time and doing thread modeling using the Elevation of Privilege (EoP) Card Game (think serious game like planning poker) as well as fuzz testing are also included, and are very well documented.

So, in conclusion, treat Software Security as a LifeCycle process, not in a piecemeal fashion. Applying change management concepts along the way, such as baby steps approach (Define impact vs. maturity, remediation vs. new code), focusing on the accuracy of the output at each stage, implementing proactive security practices, aligning the various organizations (dev, security, business, QA, etc.), defining as well as measuring objectives and leveraging the tools to support your improvement process.

Topics: Blog


Recent Posts

Webinar: What is MLOps ?

read more

What is a Data Pipeline?

read more

Modern DevOps Practices for Work Item Process Template Customizations

read more