8/3/2019 Strategies on Implementing Secure Development Lifecycle by Ervin Loh
Strategies on Implementing Secure Development Lifecycle
Ervin Loh
Visual Studio ALM MVP
http://ervinloh.wordpress.com
-
The Secure Development Lifecycle (SDL) is a software development security assurance process consisting of security practices grouped by the seven phases of the traditional software development life cycle. The SDL process is not specific to Microsoft or the Windows platform and can be applied to different operating systems, platforms, development methodologies, and to projects of any size. In this demo-packed session, we will look at strategies for implementing Microsoft's SDL in your software development processes.
-
Agenda
Overview of the Microsoft SDL
Overview of code analysis
Microsoft code analysis tools:
FxCop
PREFast
Visual Studio Code Analysis feature
ASP Source Code Analyzer for SQL Injection
Microsoft SDL code analysis requirements
-
Microsoft Security Development Lifecycle (SDL)
Delivering secure software requires:
Executive commitment: the SDL has been a mandatory policy at Microsoft since 2004
Ongoing process improvements: the SDL is revised on a 6-month cycle
-
MSF-A+SDL: a TFS process template that incorporates the SDL for Agile process guidance into the MSF Agile development framework.
Any code checked into the TFS source repository by the developer is analyzed to ensure that it complies with SDL secure development practices.
-
Demo #1
MSF-Agile plus Security Development Lifecycle Process Template for VS2010
-
Code Analysis Overview
Code analysis tools: software tools that analyze application implementations for conformance to best practices
Two types:
1. Static source code analysis
2. Binary analysis
These tools are not silver bullets for identifying non-conformance to best practices, but they can greatly reduce engineering costs
-
Static Analysis Versus Binary Analysis

Source code (deliberately vulnerable; both defects are the point of the example):

#include <stdio.h>
#include <string.h>

void function(char *str)
{
    char buffer[32];
    strcpy(buffer, str);      /* unbounded copy: a str longer than 31 bytes overflows buffer */
}

int main(int argc, char **argv)
{
    function(argv[0]);
    printf(argv[0]);          /* attacker-influenced string used as the format string */
    return 0;
}

The COMPILER & LINKER turn the source code into a binary file. A static source analyzer sees the listing above; a binary analyzer sees only what the compiler emitted, here the x86 code for the two calls:

mov eax, DWORD PTR _str$[ebp]
push eax
lea ecx, DWORD PTR _buffer$[ebp]
push ecx
call _strcpy
add esp, 8
mov edx, DWORD PTR _argv$[ebp]
mov eax, DWORD PTR [edx]
push eax
call _printf
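As an added example that is not part of the slides, here is the same program with both defects removed: the unbounded strcpy() becomes a length-checked copy that refuses input that does not fit, and argv[0] is passed as an argument to a constant format string rather than used as the format. The helper names copy_bounded, function_safe and print_untrusted are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the slides): hardened counterparts of function()
   and printf(argv[0]) from the vulnerable snippet above. */

/* Copy src into dst (dst_size bytes) only if it fits together with its NUL.
   Returns false and leaves dst as an empty string otherwise. */
bool copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0)
        return false;
    dst[0] = '\0';
    if (src == NULL)
        return false;
    size_t len = strlen(src);
    if (len >= dst_size)          /* no room for len bytes plus the terminator */
        return false;
    memcpy(dst, src, len + 1);    /* copies the terminator as well */
    return true;
}

/* Same 32-byte stack buffer as the slide's function(), but the copy is bounded
   by sizeof buffer and the caller learns whether it succeeded. */
bool function_safe(const char *str)
{
    char buffer[32];
    return copy_bounded(buffer, sizeof buffer, str);
}

/* Untrusted text is always an argument to a fixed format string, never the
   format itself. Returns what printf() returns. */
int print_untrusted(const char *text)
{
    return printf("%s\n", text);
}

int main(int argc, char **argv)
{
    const char *name = (argc > 0 && argv[0] != NULL) ? argv[0] : "";
    if (!function_safe(name))
        fputs("program name too long for buffer, copy refused\n", stderr);
    print_untrusted(name);
    return 0;
}
```

The refusal path matters as much as the bound: a copy that silently truncates hides the over-long input from the caller, while a copy that reports failure lets the caller decide, which is what a reviewer (or PREFast) wants to see at every fixed-size buffer.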
-
Static Source Code Analysis
Static source code analysis tools: software tools that analyze the uncompiled source code of applications for areas of improvement
Inputs: human-readable source code, such as C (*.c), C++ (*.cpp, *.cc) or C# (*.cs) files
Some key advantages: findings are easier to diagnose (they point at a source line); more mature technology
-
Binary Code Analysis
Binary code analysis tools: software tools that analyze the compiled or binary version of source code implementations for areas of improvement
Inputs: machine code or binary files, such as executable (*.exe) and library (*.dll) files
Key advantage: binary analysis tools have visibility into the compiled code itself, i.e. what the compiler and linker actually produced rather than what the source asked for
-
Demo #2
BinScope Binary Analyzer
-
Code Analysis Pros and Cons
Pros:
Helps scale the code review process
Helps enforce secure-coding policies
Cons:
False positives
False negatives
Language-centric
Source-level issues only
-
Microsoft FxCop
FxCop: an application that analyzes managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines
http://msdn.microsoft.com/en-us/library/bb429476(VS.80).aspx
Binary code analyzer for .NET assemblies (it reads the compiled IL, not the C# or VB.NET source)
Can be fully integrated into the software development lifecycle
In addition to security checks, FxCop analyzes assemblies for areas of improvement in design, localization, and performance
-
FxCop
-
Microsoft PREFast
Microsoft PREFast: an application that identifies vulnerabilities in C/C++ source code
http://www.microsoft.com/whdc/DevTools/tools/PREfast.mspx
Static source code analyzer for C/C++ applications
Can be fully integrated into the software development lifecycle
Distributed with the Windows Driver Kit (WDK), but can be used to analyze non-driver code written in C/C++
-
PREFast
-
Visual Studio Code Analysis
Microsoft Visual Studio Team System and later editions provide the capabilities of PREFast and FxCop integrated into the development environment
http://msdn.microsoft.com/en-us/library/ms182025(VS.80).aspx
Enabled via the /analyze command-line switch of the C/C++ compiler or through the Visual Studio project property settings
-
Visual Studio Code Analysis
-
Demo #3
Visual Studio Code Analysis
-
ASP Source Code Analyzer for SQL Injection
The Microsoft Source Code Analyzer for SQL Injection tool helps developers and testers find certain SQL injection vulnerabilities in ASP code
http://support.microsoft.com/kb/954476
Command-line static source code analysis tool
Limited to analyzing ASP pages that are written in VBScript
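To make concrete what "finding certain SQL injection vulnerabilities in ASP code" involves, here is an added example that is not the Microsoft tool's own code: a deliberately small model, written in C like the rest of the examples on this page, of the taint check such a source-level analyzer performs on VBScript. Variables assigned from Request.* (or from an already tainted variable) are marked tainted, and a line is reported when a tainted variable is concatenated with & into a SQL statement or handed to an Execute call. The function name scan_asp, the heuristics, and the sample ASP page are all constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the Microsoft tool's logic: a line-oriented taint model
   for VBScript ASP. All names and the sample page are constructed. */
#define MAX_VARS 32
#define MAX_NAME 64
#define MAX_LINE 512

static char tainted[MAX_VARS][MAX_NAME];   /* lowercase names of tainted variables */
static int ntainted;

static int is_ident(char c) { return isalnum((unsigned char)c) || c == '_'; }

static int ci_prefix(const char *s, const char *w)   /* case-insensitive prefix test */
{
    for (; *w; s++, w++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*w))
            return 0;
    return 1;
}

static int ci_word(const char *line, const char *w)  /* whole-word, case-insensitive */
{
    size_t n = strlen(w);
    for (const char *p = line; *p; p++)
        if (ci_prefix(p, w) && (p == line || !is_ident(p[-1])) && !is_ident(p[n]))
            return 1;
    return 0;
}

static int has_tainted_var(const char *s)
{
    for (int i = 0; i < ntainted; i++)
        if (ci_word(s, tainted[i]))
            return 1;
    return 0;
}

/* "[Set] name = rhs": store the lowercase name in lhs and return rhs, else NULL. */
static const char *parse_assignment(const char *line, char *lhs)
{
    const char *p = line;
    size_t n = 0;
    while (isspace((unsigned char)*p)) p++;
    if (ci_prefix(p, "set ")) p += 4;
    while (is_ident(*p) && n < MAX_NAME - 1)
        lhs[n++] = (char)tolower((unsigned char)*p++);
    lhs[n] = '\0';
    while (isspace((unsigned char)*p)) p++;
    return (n > 0 && *p == '=') ? p + 1 : NULL;
}

/* A sink is an Execute call, or a SQL keyword on a line that concatenates with &. */
static int is_sql_sink(const char *line)
{
    static const char *const kw[] = { "select", "insert", "update", "delete" };
    if (ci_word(line, "execute"))
        return 1;
    if (strchr(line, '&') == NULL)
        return 0;
    for (size_t i = 0; i < sizeof kw / sizeof kw[0]; i++)
        if (ci_word(line, kw[i]))
            return 1;
    return 0;
}

/* Scan ASP source text, print each finding, and return the number of findings. */
int scan_asp(const char *src)
{
    char line[MAX_LINE], lhs[MAX_NAME];
    int lineno = 0, findings = 0;
    ntainted = 0;
    while (*src) {
        const char *nl = strchr(src, '\n');
        size_t full = nl ? (size_t)(nl - src) : strlen(src);
        size_t len = full < MAX_LINE - 1 ? full : MAX_LINE - 1;
        memcpy(line, src, len);
        line[len] = '\0';
        src += full + (nl ? 1 : 0);
        lineno++;
        if ((ci_word(line, "request") || has_tainted_var(line)) && is_sql_sink(line)) {
            printf("line %d: untrusted data reaches SQL: %s\n", lineno, line);
            findings++;
        }
        const char *rhs = parse_assignment(line, lhs);   /* propagate taint */
        if (rhs && (ci_word(rhs, "request") || has_tainted_var(rhs)) &&
            !has_tainted_var(lhs) && ntainted < MAX_VARS)
            strcpy(tainted[ntainted++], lhs);
    }
    return findings;
}

/* Constructed sample page: one injectable query, one parameterized one. */
static const char *const SAMPLE_ASP =
    "<%\n"
    "id = Request.QueryString(\"id\")\n"
    "sql = \"SELECT * FROM Users WHERE UserId = \" & id\n"
    "Set rs = conn.Execute(sql)\n"
    "Set cmd = Server.CreateObject(\"ADODB.Command\")\n"
    "cmd.CommandText = \"SELECT * FROM Users WHERE UserId = ?\"\n"
    "cmd.Parameters.Append cmd.CreateParameter(\"id\", 3, 1, , id)\n"
    "Set rs2 = cmd.Execute\n"
    "%>\n";

int main(void)
{
    printf("%d finding(s)\n", scan_asp(SAMPLE_ASP));
    return 0;
}
```

Run on the constructed page it reports lines 3 and 4 (the concatenated query and the Execute of the tainted string) and stays quiet about the parameterized ADODB.Command path. The model knows nothing about string literals, control flow or functions, which is exactly why a real analyzer claims to find only "certain" vulnerabilities and still produces the false positives and false negatives listed on the pros-and-cons slide.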
-
ASP Source Code Analyzer for SQL Injection
-
Demo #4
ASP Source Code Analyzer for SQL Injection
-
Microsoft SDL Code Analysis Requirements
Organizations that use source code analysis tools, or are considering using them, should develop code analysis tool policies
The Microsoft SDL provides specific requirements for using PREFast, FxCop and Visual Studio
Example: developers must fix Visual Studio /analyze warnings 4532, 6029, 6053, 6057, 6059, 6063, and many more
For more information, refer to the Microsoft SDL white paper (Appendix E) at http://www.microsoft.com/sdl or the Microsoft SDL book (Chapter 21) at http://www.microsoft.com/mspress/books/8753.aspx
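An added example, not taken from the slides or from the SDL white paper, of what the /analyze requirement looks like in code: a parser for a constructed length-prefixed record, annotated with SAL so that PREFast can check the buffer contracts at every call site, and written so that the two warning classes the SDL calls out here, an unchecked value used as a buffer size (6029) and a copy that may leave a string unterminated (6053), cannot arise. The record layout, the function name read_name and the sample records are assumptions of this example; <sal.h> is real but ships only with the Microsoft compiler, so on other compilers the annotations are defined away and the code still builds and runs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the slides or the SDL white paper). SAL annotations
   give /analyze the buffer contracts it checks; they exist only in <sal.h>
   from the Microsoft compiler, so elsewhere they expand to nothing. */
#ifdef _MSC_VER
#include <sal.h>
#else
#define _In_reads_bytes_(size)
#define _Out_writes_z_(size)
#define _Success_(expr)
#endif

/* Constructed record layout for this example: [len: 1 byte][name: len bytes], no NUL. */

/* Extract the name from a record into out (out_size bytes, always NUL-terminated).
   Returns the name length, or -1 if the record is malformed or the name too long. */
_Success_(return >= 0)
int read_name(_In_reads_bytes_(rec_len) const uint8_t *rec, size_t rec_len,
              _Out_writes_z_(out_size) char *out, size_t out_size)
{
    if (rec == NULL || out == NULL || out_size == 0)
        return -1;
    out[0] = '\0';                        /* terminated on every return path */
    if (rec_len < 1)
        return -1;

    size_t name_len = rec[0];
    /* name_len is attacker-controlled. Using it as a copy size before checking it
       against BOTH the input and the output buffer is the unchecked-value pattern
       that warning 6029 reports. */
    if (name_len > rec_len - 1 || name_len >= out_size)
        return -1;

    memcpy(out, rec + 1, name_len);
    /* Terminate explicitly. Relying on a strncpy()-style callee to do it is the
       "may not zero-terminate" pattern that warning 6053 reports. */
    out[name_len] = '\0';
    return (int)name_len;
}

int main(void)
{
    /* Constructed sample records. */
    const uint8_t good[]  = { 5, 'a', 'l', 'i', 'c', 'e' };
    const uint8_t lying[] = { 9, 'a', 'b' };          /* claims 9 bytes, carries 2 */
    char name[16];

    printf("good:  %d (%s)\n", read_name(good, sizeof good, name, sizeof name), name);
    printf("lying: %d (%s)\n", read_name(lying, sizeof lying, name, sizeof name), name);
    return 0;
}
```

The annotations are not decoration: with _In_reads_bytes_(rec_len) and _Out_writes_z_(out_size) in place, /analyze can tell at each caller whether the lengths passed match the buffers passed, which is how a warning in this family gets reported at the call site that is actually wrong rather than inside a helper that is fine.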
-
Conclusion
Overview of the Microsoft SDL
Overview of code analysis
Microsoft code analysis tools
Microsoft SDL code analysis requirements
-
Microsoft Security Development Lifecycle (SDL)
Official SDL Web Site: http://www.microsoft.com/sdl
SDL Book: http://www.microsoft.com/mspress/books/8753.aspx
-
Microsoft Developer Network (MSDN) Security Developer Center
Official Web site: http://msdn.microsoft.com/security
-
Secure Development Blogs
The Microsoft Security Development Lifecycle (SDL) Blog: http://blogs.msdn.com/sdl
Michael Howard's Blog: http://blogs.msdn.com/michael_howard
-
Microsoft Press: Hunting Security Bugs
Hunting Security Bugs: http://www.microsoft.com/mspress/books/8485.aspx
-
Thank You
Q&A