Unit 2
Key Point: Ensure that the environment used for coding is secure.
Importance: Insecure development environments can compromise the
security of the code produced.
Key Point: Safeguard the central repository where code is stored and
managed.
Importance: Unauthorized access to the repository can lead to code
tampering and security breaches.
Key Point: Acknowledge that all code has vulnerabilities and establish a
process to manage them.
Importance: Enables proactive identification, tracking, and mitigation of
security issues from discovery to resolution.
2. MS SECURITY (SDL)
Microsoft's Security Development Lifecycle (SDL) is a rigorous framework designed to
integrate security throughout the entire software development and deployment process. Here's
a detailed breakdown of Microsoft's SDL based on the components and phases mentioned:
1. Training:
o Role-specific training is provided to developers and engineers to educate them
on security basics and recent trends in secure development. This ensures that
all team members are equipped to implement security measures effectively.
2. Requirements:
o Security and privacy requirements are defined at the outset of the software
development process. These requirements evolve throughout the product
lifecycle to adapt to changes in functionality and the threat landscape.
3. Design:
o Once requirements are established, the software design phase begins. Threat
models are created to identify, categorize, and assess potential security threats
according to risk levels. Threat models are continuously updated as the
software evolves.
4. Implementation:
o Developers start writing code based on the design and threat models.
Microsoft provides secure development tools to aid developers in
implementing security, privacy, and functional requirements effectively.
5. Verification:
o Before code can be released, thorough verification processes are in place to
ensure adherence to SDL standards. This includes:
Static code analysis: Identifies potential security flaws in the source
code.
Binary analysis: Assesses vulnerabilities at the binary code level to
confirm readiness for production.
Credential and secret scanner: Identifies exposure of credentials and
secrets in source code and configurations.
Encryption scanning: Validates encryption practices.
Fuzz testing: Tests APIs and parsers with unexpected data to detect
vulnerabilities.
Configuration validation: Ensures production systems adhere to
security standards.
Component Governance (CG): Checks for open-source software
vulnerabilities and legal obligations.
6. Release:
o Builds go through a Safe Deployment Process (SDP) where they are
progressively released to larger groups:
Ring 0: Development team.
Ring 1: All Microsoft employees.
Ring 2: External users on targeted release channels.
Ring 3: Worldwide standard release.
o Builds remain in each ring for a specified period, including periods of high load, to
ensure stability before moving to the next ring.
7. Response:
o After deployment, all Microsoft services are continuously monitored using a
proprietary near-real-time monitoring system. This system helps identify and
respond to potential security incidents promptly.
3. OWASP
1. Project Manager:
4. SAMM
SAMM, which stands for Software Assurance Maturity Model, is an open
framework designed to help organizations formulate and implement a strategy
for software security that is tailored to their specific risks and constraints. Here
are some simple points about SAMM:
SAMM Overview
1. Purpose:
o SAMM helps organizations improve their software security
practices by providing a structured framework.
o It guides organizations through a maturity model approach to
address software security from different perspectives.
Framework Structure:
1. Incremental Improvement:
o Slow Behavioral Change: Organizations change their security
practices gradually over time.
o Step-by-Step Progress: Make small improvements in security
regularly rather than trying to fix everything at once.
2. Flexibility and Customization:
o No One-Size-Fits-All: Recognize that each organization has
different risks and needs.
o Adapt to Your Context: Choose security practices that fit your
organization's unique situation and goals.
3. Prescriptive Guidance:
o Clear Steps: Security activities should be straightforward and easy
to understand.
o Measurable Goals: Aim for measurable improvements with
defined milestones.
Core Functions:
Governance
Construction
1. Threat Assessment:
o Identify and analyze potential threats.
o Manage risks associated with software development.
2. Security Requirements:
o Integrate security needs into development phases.
o Define security features required from project start.
3. Secure Architecture:
o Design software with security as a priority.
o Control technologies to ensure secure designs.
Verification
1. Design Review:
o Review designs to ensure security mechanisms are adequate.
o Confirm designs meet security expectations.
2. Implementation Review:
o Check source code for vulnerabilities.
o Implement strategies to mitigate risks.
3. Security Testing:
o Test software in real environments for vulnerabilities.
o Establish minimum security standards for releases.
Operations
1. Issue Management:
o Develop processes to handle vulnerabilities.
o Use issue data to enhance security practices.
2. Environment Hardening:
o Strengthen security of operating environments.
o Secure configurations of systems hosting software.
3. Operational Enablement:
o Provide security information for operators.
o Equip operational teams with tools for security maintenance.
Maturity Levels:
Importance:
1. Prepare:
o Formulate an incident response team with defined roles (IT, legal,
PR).
o Develop policies outlining response procedures, communication
protocols, and reporting requirements.
2. Identify:
o Use monitoring tools (e.g., SIEM) to detect anomalies and
potential threats.
o Train employees to recognize phishing and other security risks.
3. Contain:
o Isolate affected systems to prevent further damage.
o Preserve evidence like log files for forensic analysis.
4. Eradicate:
o Remove malicious software and unauthorized access.
o Utilize tools like Endpoint Detection and Response (EDR) for real-time threat elimination.
5. Recover:
o Restore systems to normal operations with minimal downtime.
o Validate recovery through testing and verification procedures.
6. Learn:
o Conduct a post-incident review to evaluate response effectiveness.
o Document findings and update incident response procedures based
on lessons learned.