Ebook Download The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software (Developer Best Practices), by Michael
This book The Security Development Lifecycle: SDL: A Process For Developing Demonstrably More Secure Software (Developer Best Practices), By Michael deals you much better of life that could create the high quality of the life better. This The Security Development Lifecycle: SDL: A Process For Developing Demonstrably More Secure Software (Developer Best Practices), By Michael is exactly what the people currently require. You are here as well as you might be precise and also certain to obtain this publication The Security Development Lifecycle: SDL: A Process For Developing Demonstrably More Secure Software (Developer Best Practices), By Michael Never question to get it even this is simply a book. You can get this book The Security Development Lifecycle: SDL: A Process For Developing Demonstrably More Secure Software (Developer Best Practices), By Michael as one of your collections. But, not the compilation to show in your bookshelves. This is a priceless book to be reading collection.
The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software (Developer Best Practices), by Michael
Ebook Download The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software (Developer Best Practices), by Michael
The Security Development Lifecycle: SDL: A Process For Developing Demonstrably More Secure Software (Developer Best Practices), By Michael. The developed innovation, nowadays assist everything the human demands. It consists of the day-to-day activities, works, workplace, amusement, as well as more. One of them is the great internet connection and computer system. This problem will ease you to sustain among your hobbies, reviewing practice. So, do you have going to review this publication The Security Development Lifecycle: SDL: A Process For Developing Demonstrably More Secure Software (Developer Best Practices), By Michael now?
This book The Security Development Lifecycle: SDL: A Process For Developing Demonstrably More Secure Software (Developer Best Practices), By Michael is expected to be among the best vendor book that will certainly make you feel completely satisfied to acquire as well as read it for completed. As recognized can usual, every book will certainly have specific points that will certainly make an individual interested so much. Even it comes from the author, kind, material, or even the publisher. Nonetheless, lots of people likewise take guide The Security Development Lifecycle: SDL: A Process For Developing Demonstrably More Secure Software (Developer Best Practices), By Michael based upon the motif and also title that make them astonished in. as well as here, this The Security Development Lifecycle: SDL: A Process For Developing Demonstrably More Secure Software (Developer Best Practices), By Michael is really recommended for you due to the fact that it has intriguing title and also style to check out.
Are you really a follower of this The Security Development Lifecycle: SDL: A Process For Developing Demonstrably More Secure Software (Developer Best Practices), By Michael If that's so, why do not you take this book now? Be the initial person that such as and also lead this publication The Security Development Lifecycle: SDL: A Process For Developing Demonstrably More Secure Software (Developer Best Practices), By Michael, so you can obtain the reason and also messages from this book. Never mind to be perplexed where to obtain it. As the other, we share the link to check out and download and install the soft data ebook The Security Development Lifecycle: SDL: A Process For Developing Demonstrably More Secure Software (Developer Best Practices), By Michael So, you may not bring the printed publication The Security Development Lifecycle: SDL: A Process For Developing Demonstrably More Secure Software (Developer Best Practices), By Michael anywhere.
The existence of the online publication or soft file of the The Security Development Lifecycle: SDL: A Process For Developing Demonstrably More Secure Software (Developer Best Practices), By Michael will certainly relieve people to get the book. It will additionally conserve even more time to just look the title or writer or author to get until your book The Security Development Lifecycle: SDL: A Process For Developing Demonstrably More Secure Software (Developer Best Practices), By Michael is exposed. Then, you can visit the link download to go to that is offered by this internet site. So, this will certainly be a very good time to begin appreciating this book The Security Development Lifecycle: SDL: A Process For Developing Demonstrably More Secure Software (Developer Best Practices), By Michael to check out. Consistently great time with publication The Security Development Lifecycle: SDL: A Process For Developing Demonstrably More Secure Software (Developer Best Practices), By Michael, always great time with cash to invest!
Your customers demand and deserve better security and privacy in their software. This book is the first to detail a rigorous, proven methodology that measurably minimizes security bugs—the Security Development Lifecycle (SDL). In this long-awaited book, security experts Michael Howard and Steve Lipner from the Microsoft Security Engineering Team guide you through each stage of the SDL—from education and design to testing and post-release. You get their first-hand insights, best practices, a practical history of the SDL, and lessons to help you implement the SDL in any development organization.
Discover how to:
- Use a streamlined risk-analysis process to find security design issues before code is committed
- Apply secure-coding best practices and a proven testing process
- Conduct a final security review before a product ships
- Arm customers with prescriptive guidance to configure and deploy your product more securely
- Establish a plan to respond to new security vulnerabilities
- Integrate security discipline into agile methods and processes, such as Extreme Programming and Scrum
Includes a CD featuring:
- A six-part security class video conducted by the authors and other Microsoft security experts
- Sample SDL documents and fuzz testing tool
PLUS—Get book updates on the Web.
A Note Regarding the CD or DVD
The print version of this book ships with a CD or DVD. For those customers purchasing one of the digital formats in which this book is available, we are pleased to offer the CD/DVD content as a free download via O'Reilly Media's Digital Distribution services. To download this content, please visit O'Reilly's web site, search for the title of this book to find its catalog page, and click on the link below the cover image (Examples, Companion Content, or Practice Files). Note that while we provide as much of the media content as we are able via free download, we are sometimes limited by licensing restrictions. Please direct any questions or concerns to booktech@oreilly.com.
- Sales Rank: #563685 in Books
- Published on: 2006-06-28
- Original language: English
- Number of items: 1
- Dimensions: 8.90" h x 1.08" w x 7.72" l, 1.60 pounds
- Binding: Paperback
- 352 pages
From the Publisher
The software industry is clamoring to learn more about the SDL methodology. With insights direct from Microsoft’s security team, where these techniques have been developed and proven to help reduce code defects, this book premieres SDL to a worldwide audience and is the first to detail the methodology stage by stage.
Key Book Benefits:
• Delivers practical, proven advice from the experts for minimizing security-related code defects
• Details a methodology that can be applied to any development process, with outstanding results
• Includes a CD-ROM with video training classes for developers conducted by coauthor Michael Howard, a security program manager at Microsoft
About the Author
Michael Howard, CISSP, is a leading security expert. He is a senior security program manager at Microsoft® and the coauthor of The Software Security Development Lifecycle. Michael has worked on Windows security since 1992 and now focuses on secure design, programming, and testing techniques. He is the consulting editor for the Secure Software Development Series of books by Microsoft Press.
Steve Lipner, CISSP, is the senior director of Security Engineering Strategy for Microsoft. He is responsible for defining and updating the Security Development Lifecycle and has pioneered numerous security techniques. Steve has over 35 years’ experience as a researcher, development manager, and general manager in IT security.
Most helpful customer reviews
19 of 19 people found the following review helpful.
Glad to read Microsoft's contribution to the process of developing secure code
By Richard Bejtlich
I read six books on software security recently, namely "Writing Secure Code, 2nd Ed" by Michael Howard and David LeBlanc; "19 Deadly Sins of Software Security" by Michael Howard, David LeBlanc, and John Viega; "Software Security" by Gary McGraw; "The Security Development Lifecycle" by Michael Howard and Steve Lipner; "High-Assurance Design" by Cliff Berg; and "Security Patterns" by Markus Schumacher, et al. Each book takes a different approach to the software security problem, although the first two focus on coding bugs and flaws; the second two examine development processes; and the last two discuss practices or patterns for improved design and implementation. My favorite of the six is Gary McGraw's, thanks to his clear thinking and logical analysis. The other five are still noteworthy books. All six will contribute to the production of more security software.
"Security Development Lifecycle" (SDL) is unique because in many ways it exposes the guts of Microsoft's product development process. I cannot recall seeing another technical company share so much of its internal procedures with the public. One of the most interesting aspects of SDL is the attention paid to security after a product is shipped. No one at Microsoft breathes a sigh of relief when boxes appear on store shelves. Instead, Microsoft explains how it conducts security response planning in ch 15 and security response execution in ch 17. (Between the two is ch 16 -- only 3/4 of a page! Why bother?)
Although I liked SDL overall (enough to justify 4 stars), I thought it suffered three major problems. First, I don't think the audience was defined properly. p xviii mentions "managers" as the primary target, along with architects and designers. Specifically, "this is not a book for developers." Yet, ch 12 ("Secure Testing Policies") is definitely for programmers. A manager probably not going to know what a "null pointer dereference" is; at the very least that is not a subject that should be discussed in a book for managers.
Second, I think SDL suffers a little too much overlap with the earlier Microsoft book "Writing Secure Code, 2nd Ed." WSC2E addressed writing documentation, security testing ,and obviously secure coding in much the same language as repeated in SDL. Sometimes repetition is justified, but perhaps those subjects appeared in WSC2E for a reason and did not belong in a book for managers.
Third, and most importantly, Microsoft continues its pattern of misusing terms like "threat" that started with "Threat Modeling" and WSC2E. SDL demonstrates some movement on the part of the book's authors towards more acceptable usage, however. Material previously discussed in a "Threat Modeling" chapter in WSC2E now appears in a chapter called "Risk Analysis" (ch 9) -- but within the chapter, the terms are mostly still corrupted. Many times Microsoft misuses the term risk too. For example, p 94 says "The Security Risk Assessment is used to determine the system's level of vulnerability to attack." If you're making that decision, it's a vulnerability assessment; when you incorporate threat and asset value calculations with vulnerabilities, that's true risk assessment.
The authors try to deflect what I expect was criticism of their term misuse in previous books. On p 102 they say "The meaning of the word threat is much debated. In this book, a threat is defined as an attacker's objective." The problem with this definition is that it exposes the problems with their terminology. The authors make me cringe when I read phrases like "threats to the system ranked by risk" (p 103) or "spoofing threats risk ranking." On p 104, they are really talking about vulnerabilities when they write "All threats are uncovered through the analysis process." The one time they do use threat properly, it shows their definition is nonsensical: "consider the insider-threat scenario -- should your product protect against attackers who work for your company?" If you recognize that a threat is a party with the capabilities and intentions to exploit a vulnerability in an asset, then Microsoft is describing insiders appropriately -- but not as "an attacker's objective."
Don't get me wrong -- there's a lot to like about SDL. I gave the book four stars, and I think it would be good to read it. I fear, though, that this is another book distributed to Microsoft developers and managers riddled with sometimes confusing or outright wrong ways to think about security. This produces lasting problems that degrade the community's ability to discuss and solve software security problems. I also question the implication that SDL is great and everything else doesn't produce verified security improvements. I can understand denigrating Linux, but is Microsoft afraid to acknowledge the security record of an OS like OpenBSD?
10 of 10 people found the following review helpful.
Good, but not great
By Alexander T. Barclay
I have been very impressed with other offerings from the Microsoft professional series and was excited when this book was released. This is not a technical book like "Writing Secure Code" and "Code Complete" but a book aimed at managers responsible for software projects. My opinion is not based on real world experience of large software projects, but on academic projects smaller in scale than those of Microsoft.
The introductory material is weak, part 1 which explores the reasoning and history behind the SLD seemed to be stretched needlessly, repeating the same information multiple times. Chapter 4 which provides the management impact of the SDL lacks focus, and does not justify the need (ROI) for the SDL.
Part 2 goes though each step of the SDL in detail. Overall, this section is more polished and for the most part does a good job of covering each domain in detail. While this book is focused on managerial and operational activities, there are times where it awkwardly delves into specific technical details. Chapter 10 (Documents, Tools, Practices for customers) and chapter 15 (Response planning) are strong chapters which most everyone can lean from.
Part 3 is a series of reference materials. Chapter 20 (Crypto) and 21 (Compiler Options) are good guidelines to compare your organizations own practices against.
Strengths:
+ Talks about a real methodology being used at MS everyday
+ Excellent references, cites many foundation papers
+ Gives the reasoning behind many decisions in development in SDL
+ Good discussion of threat trees
+ Managerial focused chapters are well thought out and complete
Weaknesses:
- Technical information is MS focused
- Might be acronym heavy for non-technical/security managers
- Does not reference other secure development processes, such as IATF section 3
- Does not reference NIST 800 series for risk analysis
What I would like to see:
*Expanded Chapter 5 (Education and Awareness), giving more information on the curriculum of security classes offered.
*Better balance between the technical and managerial aspects of the SDL. This book would be stellar either with more technical information (platform independent) or by focusing the book more on managerial aspects of the SDL.
*The actual SDL documents being used at MS
Overall, this is a good book, I would recommend it. However I do think a second edition would help this book immensely.
1 of 2 people found the following review helpful.
Managerial View of the Microsoft Approach to Security
By John Matlock
As is well known, Microsoft software has been known in the past for producing software that had numerous problems in the security area. It finally became so obvious that the company was forced to make a major change in emphasis regarding the security holes in their products.
Microsoft is, of course, a huge software development organization. To move the organization into writing more secure code it was necessary to develop plans, procedures, classes for managers and programmer and the like to implement writing more secure code. The resulting effort is called the Security Development Lifecycle (SDL).
The results of implementing SDL are summarized in the Introduction to the book. Here are two newspaper headlines quoted there:
Gartner Recommends Against Microsoft IIS (eWeek, 2001)
We actually consider Microsoft to be leading the software industry now in improvements in their security development life cycle (CRN 2006)
This book is aimed at the people managing and defining software projects. It does not contain very many specific code examples that would appeal to the developer. This is not to say that developers shouldn't read it, but that it is not a detailed techie document.
The CD that comes with the book includes several documents that extend the concepts talked about in the book and a six part security class video conducted by the authors.
One note of caution. This book is on the Microsoft approach to security. It's what they are doing. It works for them. But there are also other approaches such as that being implemented by organizations such as the US Government.
The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software (Developer Best Practices), by Michael PDF
The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software (Developer Best Practices), by Michael EPub
The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software (Developer Best Practices), by Michael Doc
The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software (Developer Best Practices), by Michael iBooks
The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software (Developer Best Practices), by Michael rtf
The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software (Developer Best Practices), by Michael Mobipocket
The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software (Developer Best Practices), by Michael Kindle
Tidak ada komentar:
Posting Komentar