Beruflich Dokumente
Kultur Dokumente
Lifecycle for IT
Rob Labb
Application Consulting and Engineering Services
roblab@microsoft.com
Implement an SDL
Implement an SDL to build security into
Strategic
Tactical
Operational
Legal
SDLC
SDL-IT
Envision
Design
Application
Entry / Risk
Assessment
Threat
Model /
Design
Review
Develop /
Purchase
Internal
Review
Test
Release /
Sustainment
PostPre-Production Production
Assessment
Assessment
Internal Review
Threat Model /
Design Review
Objective:
Post-Production
Assessment
Pre-Production
Assessment
Application Inventory
Determine Application Risk Categorization
High Risk Security/Privacy Release
Medium Risk Security/Privacy Release
Low Risk Security/Privacy Release
Internal Review
Threat Model /
Design Review
Objective:
Post-Production
Assessment
Pre-Production
Assessment
Internal Review
Internal Review
App Entry
Threat Model /
Design Review
Post-Production
Assessment
Pre-Production
Assessment
Pre-Production Assessment
Internal Review
App Entry
Threat Model /
Design Review
Objective:
Post-Production
Assessment
Pre-Production
Assessment
Post-Production Assessment
Post-Production
App Entry
Internal Review
Threat Model /
Design Review
Assessment
Pre-Production
Assessment
Objective:
High/Medium/Low Risk Applications
Host Level Scan
Windows
IIS
SQL
Conclusion
Conclusions
Process: Security
cannot be an
afterthought
Call To Action
Implement a Secure Development Lifecycle
Create more secure and reliable software
Build Trust!
Resources
2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be re gistered
trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this
presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part
of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.