The Microsoft Security Development Lifecycle (SDL) Quiz

Questions and Answers

What is the Microsoft SDL?

  • A hardware device
  • A software development model (correct)
  • A programming language
  • A security threat

What is the purpose of the SDL?

  • To create more vulnerabilities in software
  • To introduce security and privacy early in the development process (correct)
  • To decrease the number of patches required
  • To increase the cost of software development

What are the SD3+C principles?

  • Principles to determine software performance
  • Principles to determine user interface design
  • Principles to determine where security efforts are needed (correct)
  • Principles to determine software compatibility

What is the Secure by Design principle?

  • Includes secure architecture, threat modeling, vulnerability elimination, and improvements in security (A)

What is the Secure by Default principle?

  • Includes least privilege, defense in depth, conservative default settings, avoidance of risky default changes, and less commonly used services off by default (D)

What is the Secure in Deployment principle?

  • Includes deployment guides, analysis and management tools, and patch deployment tools (B)

What is the benefit of implementing the SDL?

  • Significant reduction in vulnerabilities and cost savings due to fewer patches required (C)

What is software security engineering?

  • Developing software in a way that is more secure from the outset (B)

What are some of the specific process activities involved in software security engineering?

  • Misuse or abuse cases and secure coding (C)

What resources are available for learning more about software security engineering?

  • Books devoted exclusively to software security engineering (D)

What is the touchpoints approach to software security?

  • It is a process-agnostic approach that emphasizes security activities (C)

What is the minimum set of activities that some organizations consider should be performed in secure software development?

  • The touchpoints approach (B)

What did Microsoft do with the SDL activities?

  • They integrated them with an agile development approach (D)

Flashcards

Microsoft SDL

A software development model from Microsoft.

Purpose of SDL

To incorporate security and privacy considerations early in the software creation process.

SD3+C Principles

Principles that guide where security efforts are most needed: Secure by Design, Default, Deployment + Communication.

Secure by Design

Designing the architecture with security in mind, including threat modeling and vulnerability elimination.

Secure by Default

Default configurations should be secure, with least privilege, defense in depth, and disabling risky/unused services.

Secure in Deployment

Providing guides, tools, and processes for secure deployment and patching.

Benefits of SDL

Fewer vulnerabilities and reduced costs due to less patching.

Software Security Engineering

Creating software with security as a primary goal from the beginning.

Activities in SSE

Analyzing potential misuse scenarios and practicing secure coding techniques.

Touchpoints Approach

A process-agnostic approach emphasizing key security activities throughout the software development lifecycle.

Touchpoints Minimum

A minimum set of security activities that should be performed in secure software development.

Microsoft's SDL & Agile

Microsoft integrated SDL activities into an agile development framework.

Study Notes

The Microsoft Security Development Lifecycle (SDL)

  • The Microsoft SDL has been a mandatory policy since 2004, enabling Microsoft to embed security and privacy in its software and culture.
  • The SDL introduces security and privacy early and throughout all phases of the development process.
  • Microsoft defined SD3+C principles to help determine where security efforts are needed.
  • The Secure by Design principle includes secure architecture, threat modeling, vulnerability elimination, and improvements in security.
  • The Secure by Default principle includes least privilege, defense in depth, conservative default settings, avoidance of risky default changes, and less commonly used services off by default.
  • The Secure in Deployment principle includes deployment guides, analysis and management tools, and patch deployment tools.
  • The Communications principle includes security response and community engagement.
  • The SDL model includes 16 recommended practices for architects, designers, developers, and testers to follow.
  • The implementation of SDL shows a significant reduction in vulnerabilities and cost savings due to fewer patches required.
  • Numerous papers, books, and training materials are available to accompany the SDL model.
  • The SDL is the most widely known and used security development life-cycle model.
  • The SDL website provides more information about the practices and principles.
