Chapter 1 Enough is enough: The threat is quietly changing
1.1 Security and privacy conflicts around the world
1.2 Another factor affecting safety: reliability
1.3 Is related to quality
1.4 Why do major software developers need to develop more secure software
1.5 Why do internal software developers need to develop more secure software
1.6 Why do small software developers need to develop more secure software
1.7 Summary
Reference
Chapter 2 The current software development methods are not enough to generate secure software
2.1 "As long as enough attention is paid, all defects will have nowhere to hide"
2.1.1 Power review code
2.1.2 Understanding security errors
2.1.3 Number of personnel
2.1.4 "The more concerned", the easier it is to drop 20 points
2.2 Patent software development mode
2.3 Agile Development Mode
2.4 General evaluation criteria
2.5 Summary
Reference
Chapter 3 A Brief History of Microsoft SDL
3.1 Prelude
3.2 New threats and new countermeasures
3.3 Windows 2000 and Secure Windows Initiative
3.4 The pursuit of scalability: running through Windows XP
3.5 Safety Publicity and Final Safety Review (FSR)
3.6 Form a software security development life cycle
3.7 Persistent challenges
Reference
Chapter 4 Management of SDL
4.1 Commitment to success
4.1.1 Microsoft's Commitment
4.1.2 Do you need SDL?
4.1.3 Effective commitment
4.2 Managing SDL
4.2.1 Resources
4.2.2 Is the project on track?
4.3 Summary
Reference
Part 2 Software security development life cycle process
Chapter 5 Stage 0: Education and Awareness
5.1 A Brief History of Microsoft Safety Education
5.2 Continuing education
5.3 Training Delivery Type
5.4 Practice and Experiment
5.5 Tracking participation and compliance
5.6 Measurement knowledge
5.7 Realizing self-help training
5.8 Key success factors and quantitative indicators
5.9 Summary
Reference
Chapter 6 Stage 1: Project Initiation
6.1 Judge whether the software security development life cycle covers the application
6.2 Appointment of security advisers
6.2.1 Serve as a bridge between the development team and the security team
6.2.2 Convene the development team to hold the SDL kick-off meeting
6.2.3 Review the design and threat model of the development team
6.2.4 Analyze and classify bugs, such as security and privacy
6.2.5 Development team safety loudspeaker
6.2.6 Assist the development team to prepare the final safety audit
6.2.7 Cooperate with the corresponding safety team
6.3 Establish a safety leading group
6.4 Ensure that the defect tracking management process contains security and privacy defects
6.5 Establishing "Error Criteria"
6.6 Summary
Reference
Chapter 7 Stage 2: Define and Follow Design Best Practices
Reference
Chapter 8 Stage 3: Product Risk Assessment
Chapter 9 Stage 4: Risk Analysis
Chapter 10 Stage 5: Creating Security Documents, Tools and Customer Best Practices
Chapter 11 Stage 6: Security Coding Strategy
Chapter 12 Stage 7: Safety Testing Strategy
Chapter 13 Stage 8: Safety Publicity Activities
Chapter 14 Stage 9: Final Safety Review
Chapter 15 Stage 10: Safety Response Plan
Chapter 16 Stage 11: Product Release
Chapter 17 Stage 12: Safety Response Execution
Part 3 SDL reference data
Chapter 18 Integrating SDL in Agile Mode
Reference
Chapter 19 SDL disables function call
Chapter 20 SDL Minimum Encryption Standard
Chapter 21 SDL necessary tools and compiler options
……