Verfügbarkeit: The security development lifecycle

The security development lifecycle: SDL: a process for developing demonstrably more secure software ; [CD includes: a security training class video, sample SDL documents]

Gespeichert in:

Bibliographische Detailangaben
Hauptverfasser:	Howard, Michael 1965- (VerfasserIn), Lipner, Steve (VerfasserIn)
Format:	Buch
Sprache:	English
Veröffentlicht:	Redmond, Wash. Microsoft Press 2006
Schriftenreihe:	Best practices Secure software development series
Schlagworte:	Microsoft Softwareschutz
Online-Zugang:	Inhaltsverzeichnis
Beschreibung:	XXII, 320 S. Ill., graph. Darst. CD-ROM (12 cm)
ISBN:	0735622140 9780735622142

Internformat

MARC


LEADER	00000nam a2200000 c 4500
001	BV021642910
003	DE-604
005	20220117
007	t
008	060704s2006 ad\|\| \|\|\|\| 00\|\|\| eng d
020			\|a 0735622140 \|9 0-7356-2214-0
020			\|a 9780735622142 \|9 978-0-7356-2214-2
035			\|a (OCoLC)612108354
035			\|a (DE-599)BVBBV021642910
040			\|a DE-604 \|b ger \|e rakwb
041	0		\|a eng
049			\|a DE-824 \|a DE-739 \|a DE-384 \|a DE-706 \|a DE-M347 \|a DE-Aug4
084			\|a ST 276 \|0 (DE-625)143642: \|2 rvk
084			\|a ST 277 \|0 (DE-625)143643: \|2 rvk
100	1		\|a Howard, Michael \|d 1965- \|e Verfasser \|0 (DE-588)131565931 \|4 aut
245	1	0	\|a The security development lifecycle \|b SDL: a process for developing demonstrably more secure software ; [CD includes: a security training class video, sample SDL documents] \|c Michael Howard and Steve Lipner
264		1	\|a Redmond, Wash. \|b Microsoft Press \|c 2006
300			\|a XXII, 320 S. \|b Ill., graph. Darst. \|e CD-ROM (12 cm)
336			\|b txt \|2 rdacontent
337			\|b n \|2 rdamedia
338			\|b nc \|2 rdacarrier
490	0		\|a Best practices
490	0		\|a Secure software development series
650	0	7	\|a Microsoft \|0 (DE-588)4362438-8 \|2 gnd \|9 rswk-swf
650	0	7	\|a Softwareschutz \|0 (DE-588)4131649-6 \|2 gnd \|9 rswk-swf
689	0	0	\|a Softwareschutz \|0 (DE-588)4131649-6 \|D s
689	0	1	\|a Microsoft \|0 (DE-588)4362438-8 \|D s
689	0		\|5 DE-604
700	1		\|a Lipner, Steve \|e Verfasser \|4 aut
856	4	2	\|m OEBV Datenaustausch \|q application/pdf \|u http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=014857667&sequence=000001&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA \|3 Inhaltsverzeichnis
999			\|a oai:aleph.bib-bvb.de:BVB01-014857667

Datensatz im Suchindex

_version_	1804135445755330560
adam_text	* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * **** * * * * * * * * * *** * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ****** * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * **** * * * * * * * * * * * * * * * * * * * **** * * * * * * * * * * * * * * * * * * * * * * * * *** * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ** * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * **** * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ***** * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ***** * * * * * * * * * * * * * * * * * * * * * * * * * ******* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ******** * * * * ***** * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ****** * * * * * * * * * ******* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ** ** * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * **** * * * * * * * * * * * * * * * * * * * * * * * * * * * **** * * * * * * * * * * * * * * * * ****** * * * * * * * * **** * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *** * * * * * * * * * * * * * ****** * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ***** * * * * * * * * * * * * * * V LABLE OF CONTENTS* FOREWORD XV* SYSTEM REQUIREMENTS XX* ACKNOWLEDGMENTS XX* REFERENCES XXI* INTRODUCTION XVII* WHY SHOULD YOU READ THIS BOOK? XVIII* ORGANIZATION OF THIS BOOK XVIII* PART I, THE NEED FOR THE SDL XVIII* PART 11, THE SECURITY DEVELOPMENT LIFECYCLE PROCESS XVIII* PART 111, SDL REFERENCE MATERIAL XVIII* THE FUTURE EVOLUTION OF THE SDL XIX* WHAT S ON THE COMPANION DISC? XIX* PART I THE NEED FOR THE SOL 1 ENOUGH IS ENOUGH: THE THREATS HAVE CHANGED 3* WORLDS OF SECURITY AND PRIVACY COLLIDE 5* ANOTHER FACTOR THAT INFLUENCES SECURITY: RELIABILITY 8* IT S REALLY ABOUT QUALITY 10* WHY MAJOR SOFTWARE VENDORS SHOULD CREATE MORE SECURE SOFTWARE 11* ACHALIENGE TO LARGE ISVS 12* WHY IN-HOUSE SOFTWARE DEVELOPERS SHOULD CREATE MORE SECURE SOFTWARE 12* WHY SMALL SOFTWARE DEVELOPERS SHOULD CREATE MORE SECURE SOFTWARE 12* SUMMARY 13* REFERENCES 13* 2* CURRENT SOFTWARE DEVELOPMENT METHODS FAIL* TO PRODUCE SECURE SOFTWARE 17* GIVEN ENOUGH EYEBALLS, ALL BUGS ARE SHALLOW 18* INCENTIVE TO REVIEW CODE 18* UNDERSTANDING SECURITY BUGS 19* CRITICAL MASS 19* MANY EYEBALLS MISSES THE POINT ALTOGETHER 20* PROPRIETARY SOFTWARE DEVELOPMENT METHODS 21* CMMI, TSP, AND PSP 22* MICROSOFT IS INTERESTED IN HEARING YOUR FEEDBACK ABOUT THIS PUBLICATION SO WE CAN CONTINUALLY IMPROVE OUR BOOKS AND LEARNING RESOURCES FOR YOU. TO PARTICIPATE IN ABRIEF ONLINE SURVEY, PLEASE VISIT: WWW.MICROSOFT.COMLLEARNINGLBOOKSURVEYI VII VIII TABLE OF CONTENTS AGILE DEVELOPMENT METHODS 22* COMMON CRITERIA 22* SUMMARY 23* REFERENCES 24* 3 A SHORT HISTORY OF THE SDL AT MICROSOFT 27* FIRST STEPS 27* NEW THREATS, NEW RESPONSES 29* WINDOWS 2000 AND THE SECURE WINDOWS INITIATIVE 30* SEEKING SCALABILITY: THROUGH WINDOWS XP 32* SECURITY PUSHES AND FINAL SECURITY REVIEWS 33* FORMALIZING THE SECURITY DEVELOPMENT LIFECYCLE 36* A CONTINUING CHALLENGE 37* REFERENCES 38* 4 SDL FOR MANAGEMENT 41* COMMITMENT FOR SUCCESS 41* COMMITMENT AT MICROSOFT 41* IS THE SDL NECESSARY FOR YOU? 43* EFFECTIVE COMMITMENT 45* MANAGING THE SDL 48* RESOURCES 48* IS THE PROJECT ON TRACK? 50* SUMMARY 51* REFERENCES 51* PART 11 THE SECURITY DEVELOPMENT LIFECYCLE PROCESS 5 STAGE 0: EDUCATION AND AWARENESS 55* A SHORT HISTORY OF SECURITY EDUCATION AT MICROSOFT 56* ONGOING EDUCATION 58* TYPES OF TRAINING DELIVERY 60* EXERCISES AND LABS 61* TRACKING ATTENDANCE AND COMPLIANCE 62* OTHER COMPLIANCE IDEAS 62* MEASURING KNOWLEDGE 63* IMPLEMENTING YOUR OWN IN-HOUSE TRAINING 63* CREATING EDUCATION MATERIALS ON A BUDGET 64* KEY SUCCESS FACTORS AND METRICS 64* SUMMARY 65* REFERENCES 65* TABLE OF CONTENTS IX* 6 STAGE 1: PROJECT INCEPTION 67* DETERMINE WHETHER THE APPLICATION IS COVERED BY SDL 67* ACT AS A POINT OF CONTACT BETWEEN THE DEVELOPMENT TEAM* HOLDING DESIGN AND THREAT MODEL REVIEWS WITH THE* ASSIGN THE SECURITY ADVISOR. 68* AND THE SECURITY TEAM 69* HOLDING AN SDL KICK-OFF MEETING FOR THE DEVELOPMENT TEAM 70* DEVELOPMENT TEAM 70* ANALYZING AND TRIAGING SECURITY-RELATED AND PRIVACY-RELATED BUGS 70* ACTING AS A SECURITY SOUNDING BOARD FOR THE DEVELOPMENT TEAM 71* PREPARING THE DEVELOPMENT TEAM FOR THE FINAL SECURITY REVIEW 71* WORKING WITH THE REACTIVE SECURITY TEAM 71* BUILD THE SECURITY LEADERSHIP TEAM 71* MAKE SURE THE BUG- TRACKING PRACESS INCLUDES SECURITY AND PRIVACY BUG FIELDS 72* DETERMINE THE BUG BAR 74* SUMMARY 74* REFERENCES 74* 7 STAGE 2: DEFINE AND FOLLOW DESIGN BEST PRACTICES 75* COMMON SECURE-DESIGN PRINCIPLES 76* ATTACK SURFACE ANALYSIS AND ATTACK SURFACE REDUCTION 78* STEP 1: IS THIS FEATURE REALLY THAT IMPORTANT? 81* STEP 2: WHO NEEDS ACCESS TO THE FUNCTIONALITY AND FRAM WHERE? 82* STEP 3: REDUCE PRIVILEGE 83* MORE ATTACK SURFACE ELEMENTS 85* SUMMARY 89* REFERENCES 90* 8 STAGE 3: PRODUCT RISK ASSESSMENT 93* SECURITY RISK ASSESSMENT 94* SETUP QUESTIONS 94* ATTACK SURFACE QUESTIONS 94* MOBILE-CODE QUESTIONS 95* SECURITY FEATURE-RELATED QUESTIONS 95* GENERAL QUESTIONS 95* ANALYZING THE QUESTIONNAIRE 96* PRIVACY IMPACT RATING 96* PRIVACY RANKING 1 98* PRIVACY RANKING 2 98* PRIVACY RANKING 3 98* PULLING IT ALL TOGETHER 98* SUMMARY 99* REFERENCES 99* X TABLE OF CONTENTS 9 STAGE 4: RISK ANALYSIS 101* THREAT-MODELING ARTIFACTS 103* WHAT TO MODEL 104* BUILDING THE THREAT MODEL 104* THE THREAT-MODELING PROCESS 105* 1. DEFINE USE SCENARIOS 105* 2. GATHER A LIST OF EXTERNAL DEPENDENCIES 106* 3. DEFINE SECURITY ASSUMPTIONS 106* 4. CREATE EXTERNAL SECURITY NOTES 107* 5. CREATE ONE OR MORE DFDS OF THE APPLICATION BEING MODELED 110* 6. DETERMINE THREAT TYPES 114* 7. IDENTIFY THREATS TO THE SYSTEM 116* 8. DETERMINE RISK 121* 9. PLAN MITIGATIONS 124* USING A THREAT MODEL TO AID CODE REVIEW 128* USING A THREAT MODEL TO AID TESTING 129* KEY SUCCESS FACTORS AND METRICS 129* SUMMARY 130* REFERENCES 130* 10 STAGE 5: CREATING SECURITY DOCUMENTS, TOOLS,* AND BEST PRACTICES FOR CUSTOMERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 133* WHY DOCUMENTATION AND TOOLS? 135* CREATING PRESCRIPTIVE SECURITY BEST PRACTICE DOCUMENTATION 135* SETUP DOCUMENTATION 136* MAINLINE PRODUCT USE DOCUMENTATION 136* HELP DOCUMENTATION 138* DEVELOPER DOCUMENTATION 138* CREATING TOOLS 139* SUMMARY 140* REFERENCES 140* 11 STAGE 6: SECURE CODING POLICIES 143* USE THE LATEST COMPILER AND SUPPORTING TOOL VERSIONS 143* USE DEFENSES ADDED BY THE COMPILER 144* BUFFER SECURITY CHECK: /GS 144* SAFE EXCEPTION HANDLING: /SAFESEH 144* COMPATIBILITY WITH DATA EXECUTION PREVENTION: /NXCOMPAT 145* USE SOURCE-CODE ANALYSIS TOOLS 145* SOURCE-CODE ANALYSIS TOOL TRAPS 145* BENEFITS OF SOURCE-CODE ANALYSIS TOOLS 146* 00 NOT USE BANNED FUNCTIONS 148* REDUCE POTENTIALLY EXPLOITABLE CODING CONSTRUCTS OR DESIGNS USE A SECURE CODING CHECKLIST SUMMARY REFERENCES 12 STAGE 7: SECURE TESTING POLICIES FUZZ TESTING PENETRATION TESTING RUN-TIME VERIFICATION REVIEWING AND UPDATING THREAT MODELS IF NEEDED REEVALUATING THE ATTACK SURFACE OF THE SOFTWARE SUMMARY REFERENCES 13 STAGE 8: THE SECURITY PUSH PREPARING FOR THE SECURITY PUSH PUSH DURATION TRAINING , CODE REVIEWS EXECUTABLE-FILE OWNERS THREAT MODEL UPDATES SECURITY TESTING ATTACK-SURFACE SCRUB DOCUMENTATION SCRUB ARE WE DONE YET? SUMMARY REFERENCES 14 STAGE 9: THE FINAL SECURITY REVIEW PRODUCT TEAM COORDINATION THREAT MODELS REVIEW UNFIXED SECURITY BUGS REVIEW TOOLS-USE VALIDATION AFTER THE FINAL SECURITY REVIEW IS COMPLETED HANDLING EXCEPTIONS SUMMARY 15 STAGE 10: SECURITY RESPONSE PLANNING WHY PREPARE TO RESPOND? YOUR DEVELOPMENT TEAM WILL MAKE MISTAKES NEW KINDS OF VULNERABILITIES WILL APPEAR RULES WILL CHANGE TABLE OF CONTENTS XI 149* 150* 150* 150* 153* 153* 164* 165* 165* 166* 166* 166* 169* 170* 171* , 171* 172* 174* 174* 175* 175* 176* 177* 178* 179* 181* 182* 182* 183* 184* 184* 184* 185* 187* 187* 187* 188* 189* XII TABLE OF CONTENTS PREPARING TO RESPOND 190 BUILDING A SECURITY RESPONSE CENTER 191 SECURITY RESPONSE AND THE DEVELOPMENT TEAM 208 CREATE YOUR RESPONSE TEAM 208 SUPPORT YOUR ENTIRE PRODUCT 209 SUPPORT ALL YOUR CUSTOMERS 210 MAKE YOUR PRODUCT UPDATABLE 211 FIND THE VULNERABILITIES BEFORE THE RESEARCHERS DO 212 SUMMARY 213 REFERENCES 213 16 STAGE 11: PRODUCT RELEASE 215 REFERENCES 215 17 STAGE 12: SECURITY RESPONSE EXECUTION 217 FOLLOWING YOUR PLAN 217 STAY COOL 217 TAKE YOUR TIME 218 WATCH FOR EVENTS THAT MIGHT CHANGE YOUR PLANS 219 FOLLOW YOUR PLAN 220 MAKING IT UP AS YOU GO 220 KNOW WHOM TO CALL 220 BE ABLE TO BUILD AN UPDATE 220 BE ABLE TO INSTALL AN UPDATE 221 KNOW THE PRIORITIES WHEN INVENTING YOUR PROCESS 221 KNOWING WHAT TO SKIP 221 SUMMARY 222 REFERENCES 222 PART 11I SOL REFERENCE MATERIAL 18 INTEGRATING SOL WITH AGILE METHODS 225 USING SDL PRACTICES WITH AGILE METHODS 226 SECURITY EDUCATION 226 PROJECT INCEPTION 226 ESTABLISHING AND FOLLOWING DESIGN BEST PRACTICES 227 RISK ANALYSIS 227 CREATING SECURITY DOCUMENTS, TOOLS, AND BEST PRACTICES FOR CUSTOMERS 229 SECURE CODING AND TESTING POLICIES 229 SECURITY PUSH 231 TABLE OF CONTENTS XIII FINAL SECURITY REVIEW .. 0 0 * 0 0 0 0 0 0 0 0 0 . 0 0 * 0 0 0.. 0 0.. 0 0.* 0 * 0 0 0.232 PRODUCT RELEASE 0 0** 0 0. 0 0 . 0 0 0 0** 0 0 0 0 0. 0 0 . 0 0** 0 0 0 * 0 0 * 0 0 . 0 0 * 0233 SECURITY RESPONSE EXECUTION 0* 0 0* 0 0 0 0 0 * 0* 0.. 0233 AUGMENTING AGILE METHODS WITH SDL PRACTICES .. 0 0 0* 0* 0. 0.. 0. 0 0 0234 USER STORIES 0 0 0 ** 0 0..** 0 0 ** 0... 0. 0 0* 0.. 0 0.* 0.** 0 0235 SMALL RELEASES AND ITERATIONS. 0 0 * 0 0 0* 0 ** 0..* 0* 0* 0 ** 0 0.* 0 ** 0 0 0236 MOVING PEOPLE AROUND ..... 0.. 0 * 0* 0 0*. 0. 0 0* 0** 0.. 0 0 236 SIMPLICITY 0 * 0 0 0 * 0.. 0.* 0 ** 0 0 * 0** 0. 0... 0 0 * 0** 0 0.. 0... 0 ** 0 0. 0236 SPIKE SOLUTIONS ... 0 0 0. 0 0******* 0 0* 0* 0 0.. 0 0 0 0 0.236 REFACTORING 0 0 0 0 0 . 0 0 0 0 0**. 0* 0* 0 0.. 0** 0 * 0 0*237 CONSTANT CUSTOMER AVAILABILITY .. 0....* 0* 0 0*. 0... 0. 0* 0 0 0.. 237 CODING TO STANDARDS 0 0 * 0* 0 0* 0* 0 0. 0 0* 0*** 0 * 0 0237 CODING THE UNIT TEST FIRST 0 O . 0.****** 0... 0 0* 0*. 0.238 PAIR PROGRAMMING 0. 0** 0 * 0. 0 0* 0**** 0 0.* 0 0.** 0.238 INTEGRATING OFTEN 0 * 0.. 0******* 0 . 0... 0 0**....* 0 0 0 238 LEAVING OPTIMIZATION UNTIL LAST 0 0. 0 0 0 0* 0 . 0 . 0 0 0238 WHEN A BUG IS FOUND, A TEST IS CREATED 0 0 . 0 0 0 0... 0.. 0**** 0239 SUMMARY 0.* 0 ** 0 * 0 0****** 0* 0 * 0****. 0* 0 0 0 0. 0* 0 0239 REFERENCES .. 0***** 0 * 0 0**** 0* 0* 0**** 0**. 0 0 0** 0 0.239 19 SDL BANNED FUNCTION CALLS 241 THE BANNED APLS. 0 * 0** 0 0.. 0.* 0 0** 0 0..* 0****** 0. 0..... 0 0 .242 WHY THE N FUNCTIONS ARE BANNED . 0********** 0. 0 0******* 0** 0 0.245 IMPORTANT CAVEAT ..... 0 ** 0 * 0 0* 0 0 ** 0. 0 0***** 0.***** 0 0* 0.246 CHOOSING STRSAFE VS. SAFE CRTO . 0* 0 0* 0 . 0********** 0 0.. 0******** 0. 246 USING STRSAFE .... 0* 0 0****** 0 0.********* 0* 0**** 0 0* 0246 STRSAFE EXAMPLE 0 0 0 0 0*** 0 0******. 0.* 0**** 0.247 USING SAFE CRT 0* 0 0 0* 0 0 0* 0* 0 0* 0 0 * 0 * 0 0 247 SAFE CRT EXAMPLE... 0 0 0 0 0 0* 0* 0 0* 0** 0 0 * 0 248 OTHER REPLACEMENTS.. 0**** 0 * 0 0 * 0 0**** 0 * 0******** 0**.. 0* 248 TOOLS SUPPORT .. 0**** 0** 0 * 0 ******** 0**** 0* 0 0* 0**** 0* 0248 ROI AND COST IMPACT ..... 0 * 0 0***** 0 0******* 0** 0*** 0 0.249 METRICS AND GOALS ... 0 * 0 0 * 0************** 0 0* 0***** 0 0*** 0 0* 249 REFERENCES .. 0**** 0 * 0**** 0*** 0** 0 0 0** 0** 0 0 0 0* 249 20 SDL MINIMUM CRYPTOGRAPHIC STANDARDS 251 HIGH-LEVEL CRYPTOGRAPHIC REQUIREMENTS .. 0**** 0 0 ** 0 * 0 * 0* 0 0 * 0* 0.251 CRYPTOGRAPHIC TECHNOLOGIES VS. LOW-LEVEL CRYPTOGRAPHIC AIGORITHMS .. 0 251 USE CRYPTOGRAPHIC LIBRARIES 0 0 0 0. 0. 0 0* 0* 0 0* 0 0252 CRYPTOGRAPHIC AGILITY .. 0** 0 0 * 0 0* 0**** 0 0 ** 0 0 * 0 ***** 0 0.252 DEFAULT TO SECURE CRYPTOGRAPHIC AIGORITHMS.... 0**** 0** 0**.. 0.253 XIV TABLE OF CONTENTS CRYPTOGRAPHIE ALGORITHM USAGE 253 SYMMETRIE BLOCK CIPHERS AND KEY LENGTHS 254 SYMMETRIE STREAM CIPHERS AND KEY LENGTHS 254 SYMMETRIE AIGORITHM MODES 255 ASYMMETRIE AIGORITHMS AND KEY LENGTHS 255 HASH FUNETIONS 255 MESSAGE AUTHENTIEATION CODES 256 DATA STORAGE AND RANDOM NUMBER GENERATION 256 STORING PRIVATE KEYS AND SENSITIVE DATA 256 GENERATING RANDOM NUMBERS AND CRYPTOGRAPHIE KEYS 257 GENERATING RANDOM NUMBERS AND CRYPTOGRAPHIE KEYS FROM PASSWORDS OR OTHER KEYS 257 REFERENEES 257 21 SDL-REQUIRED TOOLS AND COMPILER OPTIONS 259 REQUIRED TOOLS 259 PREFAST 259 FXCOP 263 APPLIEATION VERIFIER 265 MINIMUM COMPILER AND BUILD TOOL VERSIONS 267 REFERENEES 268 22 THREAT TREE PATTERNS 269 SPOOFING AN EXTERNAL ENTITY OR A PROEESS 271 TAMPERING WITH A PROEESS 273 TAMPERING WITH A DATA FLOW 274 TAMPERING WITH A DATA STORE 276 REPUDIATION 278 INFORMATION DISCLOSURE OF A PROEESS 280 INFORMATION DISCLOSURE OF A DATA FLOW 281 INFORMATION DISCLOSURE OF A DATA STORE 282 DENIAL OF SERVICE AGAINST A PROEESS 284 DENIAL OF SERVICE AGAINST A DATA FLOW 285 DENIAL OF SERVICE AGAINST A DATA STORE 286 ELEVATION OF PRIVILEGE 287 REFERENEES 288 INDEX 291 MICROSOFT IS INTERESTED IN HEARING YOUF FEEDBACK ABOUT THIS PUBLICATION SO WE CAN CONTINUALLY IMPROVE OUF BOOKS AND JEAMING RESOURCES FOR YOU. TO PARTICIPATE IN ABRIEF ONLINE SURVEY, PLEASE VISIL: WWW.MICROSOFT.COM/LEARNING/BOAKSURVEY/
adam_txt	* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * **** * * * * * * * * * *** * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ****** * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * **** * * * * * * * * * * * * * * * * * * * **** * * * * * * * * * * * * * * * * * * * * * * * * *** * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ** * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * **** * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ***** * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ***** * * * * * * * * * * * * * * * * * * * * * * * * * ******* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ******** * * * * ***** * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ****** * * * * * * * * * ******* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ** ** * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * **** * * * * * * * * * * * * * * * * * * * * * * * * * * * **** * * * * * * * * * * * * * * * * ****** * * * * * * * * **** * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *** * * * * * * * * * * * * * ****** * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ***** * * * * * * * * * * * * * * V LABLE OF CONTENTS* FOREWORD XV* SYSTEM REQUIREMENTS XX* ACKNOWLEDGMENTS XX* REFERENCES XXI* INTRODUCTION XVII* WHY SHOULD YOU READ THIS BOOK? XVIII* ORGANIZATION OF THIS BOOK XVIII* PART I, "THE NEED FOR THE SDL" XVIII* PART 11, "THE SECURITY DEVELOPMENT LIFECYCLE PROCESS" XVIII* PART 111, "SDL REFERENCE MATERIAL" XVIII* THE FUTURE EVOLUTION OF THE SDL XIX* WHAT'S ON THE COMPANION DISC? XIX* PART I THE NEED FOR THE SOL 1 ENOUGH IS ENOUGH: THE THREATS HAVE CHANGED 3* WORLDS OF SECURITY AND PRIVACY COLLIDE 5* ANOTHER FACTOR THAT INFLUENCES SECURITY: RELIABILITY 8* IT'S REALLY ABOUT QUALITY 10* WHY MAJOR SOFTWARE VENDORS SHOULD CREATE MORE SECURE SOFTWARE 11* ACHALIENGE TO LARGE ISVS 12* WHY IN-HOUSE SOFTWARE DEVELOPERS SHOULD CREATE MORE SECURE SOFTWARE 12* WHY SMALL SOFTWARE DEVELOPERS SHOULD CREATE MORE SECURE SOFTWARE 12* SUMMARY 13* REFERENCES 13* 2* CURRENT SOFTWARE DEVELOPMENT METHODS FAIL* TO PRODUCE SECURE SOFTWARE 17* "GIVEN ENOUGH EYEBALLS, ALL BUGS ARE SHALLOW" 18* INCENTIVE TO REVIEW CODE 18* UNDERSTANDING SECURITY BUGS 19* CRITICAL MASS 19* "MANY EYEBALLS" MISSES THE POINT ALTOGETHER 20* PROPRIETARY SOFTWARE DEVELOPMENT METHODS 21* CMMI, TSP, AND PSP 22* MICROSOFT IS INTERESTED IN HEARING YOUR FEEDBACK ABOUT THIS PUBLICATION SO WE CAN CONTINUALLY IMPROVE OUR BOOKS AND LEARNING RESOURCES FOR YOU. TO PARTICIPATE IN ABRIEF ONLINE SURVEY, PLEASE VISIT: WWW.MICROSOFT.COMLLEARNINGLBOOKSURVEYI VII VIII TABLE OF CONTENTS AGILE DEVELOPMENT METHODS 22* COMMON CRITERIA 22* SUMMARY 23* REFERENCES 24* 3 A SHORT HISTORY OF THE SDL AT MICROSOFT 27* FIRST STEPS 27* NEW THREATS, NEW RESPONSES 29* WINDOWS 2000 AND THE SECURE WINDOWS INITIATIVE 30* SEEKING SCALABILITY: THROUGH WINDOWS XP 32* SECURITY PUSHES AND FINAL SECURITY REVIEWS 33* FORMALIZING THE SECURITY DEVELOPMENT LIFECYCLE 36* A CONTINUING CHALLENGE 37* REFERENCES 38* 4 SDL FOR MANAGEMENT 41* COMMITMENT FOR SUCCESS 41* COMMITMENT AT MICROSOFT 41* IS THE SDL NECESSARY FOR YOU? 43* EFFECTIVE COMMITMENT 45* MANAGING THE SDL 48* RESOURCES 48* IS THE PROJECT ON TRACK? 50* SUMMARY 51* REFERENCES 51* PART 11 THE SECURITY DEVELOPMENT LIFECYCLE PROCESS 5 STAGE 0: EDUCATION AND AWARENESS 55* A SHORT HISTORY OF SECURITY EDUCATION AT MICROSOFT 56* ONGOING EDUCATION 58* TYPES OF TRAINING DELIVERY 60* EXERCISES AND LABS 61* TRACKING ATTENDANCE AND COMPLIANCE 62* OTHER COMPLIANCE IDEAS 62* MEASURING KNOWLEDGE 63* IMPLEMENTING YOUR OWN IN-HOUSE TRAINING 63* CREATING EDUCATION MATERIALS "ON A BUDGET" 64* KEY SUCCESS FACTORS AND METRICS 64* SUMMARY 65* REFERENCES 65* TABLE OF CONTENTS IX* 6 STAGE 1: PROJECT INCEPTION 67* DETERMINE WHETHER THE APPLICATION IS COVERED BY SDL 67* ACT AS A POINT OF CONTACT BETWEEN THE DEVELOPMENT TEAM* HOLDING DESIGN AND THREAT MODEL REVIEWS WITH THE* ASSIGN THE SECURITY ADVISOR. 68* AND THE SECURITY TEAM 69* HOLDING AN SDL KICK-OFF MEETING FOR THE DEVELOPMENT TEAM 70* DEVELOPMENT TEAM 70* ANALYZING AND TRIAGING SECURITY-RELATED AND PRIVACY-RELATED BUGS 70* ACTING AS A SECURITY SOUNDING BOARD FOR THE DEVELOPMENT TEAM 71* PREPARING THE DEVELOPMENT TEAM FOR THE FINAL SECURITY REVIEW 71* WORKING WITH THE REACTIVE SECURITY TEAM 71* BUILD THE SECURITY LEADERSHIP TEAM 71* MAKE SURE THE BUG- TRACKING PRACESS INCLUDES SECURITY AND PRIVACY BUG FIELDS 72* DETERMINE THE "BUG BAR" 74* SUMMARY 74* REFERENCES 74* 7 STAGE 2: DEFINE AND FOLLOW DESIGN BEST PRACTICES 75* COMMON SECURE-DESIGN PRINCIPLES 76* ATTACK SURFACE ANALYSIS AND ATTACK SURFACE REDUCTION 78* STEP 1: IS THIS FEATURE REALLY THAT IMPORTANT? 81* STEP 2: WHO NEEDS ACCESS TO THE FUNCTIONALITY AND FRAM WHERE? 82* STEP 3: REDUCE PRIVILEGE 83* MORE ATTACK SURFACE ELEMENTS 85* SUMMARY 89* REFERENCES 90* 8 STAGE 3: PRODUCT RISK ASSESSMENT 93* SECURITY RISK ASSESSMENT 94* SETUP QUESTIONS 94* ATTACK SURFACE QUESTIONS 94* MOBILE-CODE QUESTIONS 95* SECURITY FEATURE-RELATED QUESTIONS 95* GENERAL QUESTIONS 95* ANALYZING THE QUESTIONNAIRE 96* PRIVACY IMPACT RATING 96* PRIVACY RANKING 1 98* PRIVACY RANKING 2 98* PRIVACY RANKING 3 98* PULLING IT ALL TOGETHER 98* SUMMARY 99* REFERENCES 99* X TABLE OF CONTENTS 9 STAGE 4: RISK ANALYSIS 101* THREAT-MODELING ARTIFACTS 103* WHAT TO MODEL 104* BUILDING THE THREAT MODEL 104* THE THREAT-MODELING PROCESS 105* 1. DEFINE USE SCENARIOS 105* 2. GATHER A LIST OF EXTERNAL DEPENDENCIES 106* 3. DEFINE SECURITY ASSUMPTIONS 106* 4. CREATE EXTERNAL SECURITY NOTES 107* 5. CREATE ONE OR MORE DFDS OF THE APPLICATION BEING MODELED 110* 6. DETERMINE THREAT TYPES 114* 7. IDENTIFY THREATS TO THE SYSTEM 116* 8. DETERMINE RISK 121* 9. PLAN MITIGATIONS 124* USING A THREAT MODEL TO AID CODE REVIEW 128* USING A THREAT MODEL TO AID TESTING 129* KEY SUCCESS FACTORS AND METRICS 129* SUMMARY 130* REFERENCES 130* 10 STAGE 5: CREATING SECURITY DOCUMENTS, TOOLS,* AND BEST PRACTICES FOR CUSTOMERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133* WHY DOCUMENTATION AND TOOLS? 135* CREATING PRESCRIPTIVE SECURITY BEST PRACTICE DOCUMENTATION 135* SETUP DOCUMENTATION 136* MAINLINE PRODUCT USE DOCUMENTATION '" 136* HELP DOCUMENTATION 138* DEVELOPER DOCUMENTATION 138* CREATING TOOLS 139* SUMMARY 140* REFERENCES 140* 11 STAGE 6: SECURE CODING POLICIES 143* USE THE LATEST COMPILER AND SUPPORTING TOOL VERSIONS 143* USE DEFENSES ADDED BY THE COMPILER 144* BUFFER SECURITY CHECK: /GS 144* SAFE EXCEPTION HANDLING: /SAFESEH 144* COMPATIBILITY WITH DATA EXECUTION PREVENTION: /NXCOMPAT 145* USE SOURCE-CODE ANALYSIS TOOLS 145* SOURCE-CODE ANALYSIS TOOL TRAPS 145* BENEFITS OF SOURCE-CODE ANALYSIS TOOLS 146* 00 NOT USE BANNED FUNCTIONS 148* REDUCE POTENTIALLY EXPLOITABLE CODING CONSTRUCTS OR DESIGNS USE A SECURE CODING CHECKLIST SUMMARY REFERENCES 12 STAGE 7: SECURE TESTING POLICIES FUZZ TESTING PENETRATION TESTING RUN-TIME VERIFICATION REVIEWING AND UPDATING THREAT MODELS IF NEEDED REEVALUATING THE ATTACK SURFACE OF THE SOFTWARE SUMMARY REFERENCES 13 STAGE 8: THE SECURITY PUSH PREPARING FOR THE SECURITY PUSH PUSH DURATION TRAINING , CODE REVIEWS EXECUTABLE-FILE OWNERS THREAT MODEL UPDATES SECURITY TESTING ATTACK-SURFACE SCRUB DOCUMENTATION SCRUB ARE WE DONE YET? SUMMARY REFERENCES 14 STAGE 9: THE FINAL SECURITY REVIEW PRODUCT TEAM COORDINATION THREAT MODELS REVIEW UNFIXED SECURITY BUGS REVIEW TOOLS-USE VALIDATION AFTER THE FINAL SECURITY REVIEW IS COMPLETED HANDLING EXCEPTIONS SUMMARY 15 STAGE 10: SECURITY RESPONSE PLANNING WHY PREPARE TO RESPOND? YOUR DEVELOPMENT TEAM WILL MAKE MISTAKES NEW KINDS OF VULNERABILITIES WILL APPEAR RULES WILL CHANGE TABLE OF CONTENTS XI 149* 150* 150* 150* 153* 153* 164* 165* 165* 166* 166* 166* 169* 170* 171* , 171* 172* 174* 174* 175* 175* 176* 177* 178* 179* 181* 182* 182* 183* 184* 184* 184* 185* 187* 187* 187* 188* 189* XII TABLE OF CONTENTS PREPARING TO RESPOND 190 BUILDING A SECURITY RESPONSE CENTER 191 SECURITY RESPONSE AND THE DEVELOPMENT TEAM 208 CREATE YOUR RESPONSE TEAM 208 SUPPORT YOUR ENTIRE PRODUCT 209 SUPPORT ALL YOUR CUSTOMERS 210 MAKE YOUR PRODUCT UPDATABLE 211 FIND THE VULNERABILITIES BEFORE THE RESEARCHERS DO 212 SUMMARY 213 REFERENCES 213 16 STAGE 11: PRODUCT RELEASE 215 REFERENCES 215 17 STAGE 12: SECURITY RESPONSE EXECUTION 217 FOLLOWING YOUR PLAN 217 STAY COOL 217 TAKE YOUR TIME 218 WATCH FOR EVENTS THAT MIGHT CHANGE YOUR PLANS 219 FOLLOW YOUR PLAN 220 MAKING IT UP AS YOU GO 220 KNOW WHOM TO CALL 220 BE ABLE TO BUILD AN UPDATE 220 BE ABLE TO INSTALL AN UPDATE 221 KNOW THE PRIORITIES WHEN INVENTING YOUR PROCESS 221 KNOWING WHAT TO SKIP 221 SUMMARY 222 REFERENCES 222 PART 11I SOL REFERENCE MATERIAL 18 INTEGRATING SOL WITH AGILE METHODS 225 USING SDL PRACTICES WITH AGILE METHODS 226 SECURITY EDUCATION 226 PROJECT INCEPTION 226 ESTABLISHING AND FOLLOWING DESIGN BEST PRACTICES 227 RISK ANALYSIS 227 CREATING SECURITY DOCUMENTS, TOOLS, AND BEST PRACTICES FOR CUSTOMERS 229 SECURE CODING AND TESTING POLICIES 229 SECURITY PUSH 231 TABLE OF CONTENTS XIII FINAL SECURITY REVIEW . 0 0 * 0 0 0 0 0 0 0 0 0 . 0 0 * 0 0 0. 0 0. 0 0.* 0 * 0 0 0.232 PRODUCT RELEASE 0 0** 0 0. 0 0 . 0 0 0 0** 0 0 0 0 0. 0 0 . 0 0** 0 0 0 * 0 0 * 0 0 . 0 0 * 0233 SECURITY RESPONSE EXECUTION 0* 0 0* 0 0 0 0 0 * 0* 0. 0233 AUGMENTING AGILE METHODS WITH SDL PRACTICES . 0 0 0* 0* 0. 0. 0. 0 0 0234 USER STORIES 0 0 0 ** 0 0..** 0 0 ** 0. 0. 0 0* 0. 0 0.* 0.** 0 0235 SMALL RELEASES AND ITERATIONS. 0 0 * 0 0 0* 0 ** 0.* 0* 0* 0 ** 0 0.* 0 ** 0 0 0236 MOVING PEOPLE AROUND . 0.. 0 * 0* 0 0*. 0. 0 0* 0** 0. 0 0 236 SIMPLICITY 0 * 0 0 0 * 0. 0.* 0 ** 0 0 * 0** 0. 0.. 0 0 * 0** 0 0.. 0.. 0 ** 0 0. 0236 SPIKE SOLUTIONS . 0 0 0. 0 0******* 0 0* 0* 0 0. 0 0 0 0 0.236 REFACTORING 0 0 0 0 0 . 0 0 0 0 0**. 0* 0* 0 0.. 0** 0 * 0 0*237 CONSTANT CUSTOMER AVAILABILITY . 0.* 0* 0 0*. 0. 0. 0* 0 0 0. 237 CODING TO STANDARDS 0 0 * 0* 0 0* 0* 0 0. 0 0* 0*** 0 * 0 0237 CODING THE UNIT TEST FIRST 0 O' . 0.****** 0. 0 0* 0*. 0.238 PAIR PROGRAMMING 0. 0** 0 * 0. 0 0* 0**** 0 0.* 0 0.** 0.238 INTEGRATING OFTEN 0 * 0. 0******* 0 . 0. 0 0**..* 0 0 0 238 LEAVING OPTIMIZATION UNTIL LAST 0 0. 0 0 0 0* 0 . 0 . 0 0 0238 WHEN A BUG IS FOUND, A TEST IS CREATED 0 0 . 0 0 0 0. 0. 0**** 0239 SUMMARY 0.* 0 ** 0 * 0 0****** 0* 0 * 0****. 0* 0 0 0 0. 0* 0 0239 REFERENCES . 0***** 0 * 0 0**** 0* 0* 0**** 0**. 0 0 0** 0 0.239 19 SDL BANNED FUNCTION CALLS 241 THE BANNED APLS. 0 * 0** 0 0. 0.* 0 0** 0 0.* 0****** 0. 0. 0 0 .242 WHY THE "N" FUNCTIONS ARE BANNED . 0********** 0. 0 0******* 0** 0 0.245 IMPORTANT CAVEAT . 0 ** 0 * 0 0* 0 0 ** 0. 0 0***** 0.***** 0 0* 0.246 CHOOSING STRSAFE VS. SAFE CRTO . 0* 0 0* 0 . 0********** 0 0. 0******** 0. 246 USING STRSAFE . 0* 0 0****** 0 0.********* 0* 0**** 0 0* 0246 STRSAFE EXAMPLE 0 0 0 0 0*** 0 0******. 0.* 0**** 0.247 USING SAFE CRT 0* 0 0 0* 0 0 0* 0* 0 0* 0 0 * 0 * 0 0 247 SAFE CRT EXAMPLE. 0 0 0 0 0 0* 0* 0 0* 0** 0 0 * 0 248 OTHER REPLACEMENTS. 0**** 0 * 0 0 * 0 0**** 0 * 0******** 0**.. 0* 248 TOOLS SUPPORT . 0**** 0** 0 * 0 ******** 0**** 0* 0 0* 0**** 0* 0248 ROI AND COST IMPACT . 0 * 0 0***** 0 0******* 0** 0*** 0 0.249 METRICS AND GOALS . 0 * 0 0 * 0************** 0 0* 0***** 0 0*** 0 0* 249 REFERENCES . 0**** 0 * 0**** 0*** 0** 0 0 0** 0** 0 0 0 0* 249 20 SDL MINIMUM CRYPTOGRAPHIC STANDARDS 251 HIGH-LEVEL CRYPTOGRAPHIC REQUIREMENTS . 0**** 0 0 ** 0 * 0 * 0* 0 0 * 0* 0.251 CRYPTOGRAPHIC TECHNOLOGIES VS. LOW-LEVEL CRYPTOGRAPHIC AIGORITHMS . 0 251 USE CRYPTOGRAPHIC LIBRARIES 0 0 0 0. 0. 0 0* 0* 0 0* 0 0252 CRYPTOGRAPHIC AGILITY . 0** 0 0 * 0 0* 0**** 0 0 ** 0 0 * 0 ***** 0 0.252 DEFAULT TO SECURE CRYPTOGRAPHIC AIGORITHMS. 0**** 0** 0**. 0.253 XIV TABLE OF CONTENTS CRYPTOGRAPHIE ALGORITHM USAGE 253 SYMMETRIE BLOCK CIPHERS AND KEY LENGTHS 254 SYMMETRIE STREAM CIPHERS AND KEY LENGTHS 254 SYMMETRIE AIGORITHM MODES 255 ASYMMETRIE AIGORITHMS AND KEY LENGTHS 255 HASH FUNETIONS 255 MESSAGE AUTHENTIEATION CODES 256 DATA STORAGE AND RANDOM NUMBER GENERATION 256 STORING PRIVATE KEYS AND SENSITIVE DATA 256 GENERATING RANDOM NUMBERS AND CRYPTOGRAPHIE KEYS 257 GENERATING RANDOM NUMBERS AND CRYPTOGRAPHIE KEYS FROM PASSWORDS OR OTHER KEYS 257 REFERENEES 257 21 SDL-REQUIRED TOOLS AND COMPILER OPTIONS 259 REQUIRED TOOLS 259 PREFAST 259 FXCOP 263 APPLIEATION VERIFIER 265 MINIMUM COMPILER AND BUILD TOOL VERSIONS 267 REFERENEES 268 22 THREAT TREE PATTERNS 269 SPOOFING AN EXTERNAL ENTITY OR A PROEESS 271 TAMPERING WITH A PROEESS 273 TAMPERING WITH A DATA FLOW 274 TAMPERING WITH A DATA STORE 276 REPUDIATION 278 INFORMATION DISCLOSURE OF A PROEESS 280 INFORMATION DISCLOSURE OF A DATA FLOW 281 INFORMATION DISCLOSURE OF A DATA STORE 282 DENIAL OF SERVICE AGAINST A PROEESS 284 DENIAL OF SERVICE AGAINST A DATA FLOW 285 DENIAL OF SERVICE AGAINST A DATA STORE 286 ELEVATION OF PRIVILEGE 287 REFERENEES 288 INDEX 291 MICROSOFT IS INTERESTED IN HEARING YOUF FEEDBACK ABOUT THIS PUBLICATION SO WE CAN CONTINUALLY IMPROVE OUF BOOKS AND JEAMING RESOURCES FOR YOU. TO PARTICIPATE IN ABRIEF ONLINE SURVEY, PLEASE VISIL: WWW.MICROSOFT.COM/LEARNING/BOAKSURVEY/
any_adam_object	1
any_adam_object_boolean	1
author	Howard, Michael 1965- Lipner, Steve
author_GND	(DE-588)131565931
author_facet	Howard, Michael 1965- Lipner, Steve
author_role	aut aut
author_sort	Howard, Michael 1965-
author_variant	m h mh s l sl
building	Verbundindex
bvnumber	BV021642910
classification_rvk	ST 276 ST 277
ctrlnum	(OCoLC)612108354 (DE-599)BVBBV021642910
discipline	Informatik
discipline_str_mv	Informatik
format	Book
fullrecord	<?xml version="1.0" encoding="UTF-8"?><collection xmlns="http://www.loc.gov/MARC21/slim"><record><leader>01723nam a2200397 c 4500</leader><controlfield tag="001">BV021642910</controlfield><controlfield tag="003">DE-604</controlfield><controlfield tag="005">20220117 </controlfield><controlfield tag="007">t</controlfield><controlfield tag="008">060704s2006 ad\|\| \|\|\|\| 00\|\|\| eng d</controlfield><datafield tag="020" ind1=" " ind2=" "><subfield code="a">0735622140</subfield><subfield code="9">0-7356-2214-0</subfield></datafield><datafield tag="020" ind1=" " ind2=" "><subfield code="a">9780735622142</subfield><subfield code="9">978-0-7356-2214-2</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(OCoLC)612108354</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(DE-599)BVBBV021642910</subfield></datafield><datafield tag="040" ind1=" " ind2=" "><subfield code="a">DE-604</subfield><subfield code="b">ger</subfield><subfield code="e">rakwb</subfield></datafield><datafield tag="041" ind1="0" ind2=" "><subfield code="a">eng</subfield></datafield><datafield tag="049" ind1=" " ind2=" "><subfield code="a">DE-824</subfield><subfield code="a">DE-739</subfield><subfield code="a">DE-384</subfield><subfield code="a">DE-706</subfield><subfield code="a">DE-M347</subfield><subfield code="a">DE-Aug4</subfield></datafield><datafield tag="084" ind1=" " ind2=" "><subfield code="a">ST 276</subfield><subfield code="0">(DE-625)143642:</subfield><subfield code="2">rvk</subfield></datafield><datafield tag="084" ind1=" " ind2=" "><subfield code="a">ST 277</subfield><subfield code="0">(DE-625)143643:</subfield><subfield code="2">rvk</subfield></datafield><datafield tag="100" ind1="1" ind2=" "><subfield code="a">Howard, Michael</subfield><subfield code="d">1965-</subfield><subfield code="e">Verfasser</subfield><subfield code="0">(DE-588)131565931</subfield><subfield code="4">aut</subfield></datafield><datafield tag="245" ind1="1" ind2="0"><subfield code="a">The security development lifecycle</subfield><subfield code="b">SDL: a process for developing demonstrably more secure software ; [CD includes: a security training class video, sample SDL documents]</subfield><subfield code="c">Michael Howard and Steve Lipner</subfield></datafield><datafield tag="264" ind1=" " ind2="1"><subfield code="a">Redmond, Wash.</subfield><subfield code="b">Microsoft Press</subfield><subfield code="c">2006</subfield></datafield><datafield tag="300" ind1=" " ind2=" "><subfield code="a">XXII, 320 S.</subfield><subfield code="b">Ill., graph. Darst.</subfield><subfield code="e">CD-ROM (12 cm)</subfield></datafield><datafield tag="336" ind1=" " ind2=" "><subfield code="b">txt</subfield><subfield code="2">rdacontent</subfield></datafield><datafield tag="337" ind1=" " ind2=" "><subfield code="b">n</subfield><subfield code="2">rdamedia</subfield></datafield><datafield tag="338" ind1=" " ind2=" "><subfield code="b">nc</subfield><subfield code="2">rdacarrier</subfield></datafield><datafield tag="490" ind1="0" ind2=" "><subfield code="a">Best practices</subfield></datafield><datafield tag="490" ind1="0" ind2=" "><subfield code="a">Secure software development series</subfield></datafield><datafield tag="650" ind1="0" ind2="7"><subfield code="a">Microsoft</subfield><subfield code="0">(DE-588)4362438-8</subfield><subfield code="2">gnd</subfield><subfield code="9">rswk-swf</subfield></datafield><datafield tag="650" ind1="0" ind2="7"><subfield code="a">Softwareschutz</subfield><subfield code="0">(DE-588)4131649-6</subfield><subfield code="2">gnd</subfield><subfield code="9">rswk-swf</subfield></datafield><datafield tag="689" ind1="0" ind2="0"><subfield code="a">Softwareschutz</subfield><subfield code="0">(DE-588)4131649-6</subfield><subfield code="D">s</subfield></datafield><datafield tag="689" ind1="0" ind2="1"><subfield code="a">Microsoft</subfield><subfield code="0">(DE-588)4362438-8</subfield><subfield code="D">s</subfield></datafield><datafield tag="689" ind1="0" ind2=" "><subfield code="5">DE-604</subfield></datafield><datafield tag="700" ind1="1" ind2=" "><subfield code="a">Lipner, Steve</subfield><subfield code="e">Verfasser</subfield><subfield code="4">aut</subfield></datafield><datafield tag="856" ind1="4" ind2="2"><subfield code="m">OEBV Datenaustausch</subfield><subfield code="q">application/pdf</subfield><subfield code="u">http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=014857667&sequence=000001&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA</subfield><subfield code="3">Inhaltsverzeichnis</subfield></datafield><datafield tag="999" ind1=" " ind2=" "><subfield code="a">oai:aleph.bib-bvb.de:BVB01-014857667</subfield></datafield></record></collection>
id	DE-604.BV021642910
illustrated	Illustrated
index_date	2024-07-02T15:00:33Z
indexdate	2024-07-09T20:40:37Z
institution	BVB
isbn	0735622140 9780735622142
language	English
oai_aleph_id	oai:aleph.bib-bvb.de:BVB01-014857667
oclc_num	612108354
open_access_boolean
owner	DE-824 DE-739 DE-384 DE-706 DE-M347 DE-Aug4
owner_facet	DE-824 DE-739 DE-384 DE-706 DE-M347 DE-Aug4
physical	XXII, 320 S. Ill., graph. Darst. CD-ROM (12 cm)
publishDate	2006
publishDateSearch	2006
publishDateSort	2006
publisher	Microsoft Press
record_format	marc
series2	Best practices Secure software development series
spelling	Howard, Michael 1965- Verfasser (DE-588)131565931 aut The security development lifecycle SDL: a process for developing demonstrably more secure software ; [CD includes: a security training class video, sample SDL documents] Michael Howard and Steve Lipner Redmond, Wash. Microsoft Press 2006 XXII, 320 S. Ill., graph. Darst. CD-ROM (12 cm) txt rdacontent n rdamedia nc rdacarrier Best practices Secure software development series Microsoft (DE-588)4362438-8 gnd rswk-swf Softwareschutz (DE-588)4131649-6 gnd rswk-swf Softwareschutz (DE-588)4131649-6 s Microsoft (DE-588)4362438-8 s DE-604 Lipner, Steve Verfasser aut OEBV Datenaustausch application/pdf http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=014857667&sequence=000001&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA Inhaltsverzeichnis
spellingShingle	Howard, Michael 1965- Lipner, Steve The security development lifecycle SDL: a process for developing demonstrably more secure software ; [CD includes: a security training class video, sample SDL documents] Microsoft (DE-588)4362438-8 gnd Softwareschutz (DE-588)4131649-6 gnd
subject_GND	(DE-588)4362438-8 (DE-588)4131649-6
title	The security development lifecycle SDL: a process for developing demonstrably more secure software ; [CD includes: a security training class video, sample SDL documents]
title_auth	The security development lifecycle SDL: a process for developing demonstrably more secure software ; [CD includes: a security training class video, sample SDL documents]
title_exact_search	The security development lifecycle SDL: a process for developing demonstrably more secure software ; [CD includes: a security training class video, sample SDL documents]
title_exact_search_txtP	The security development lifecycle SDL: a process for developing demonstrably more secure software ; [CD includes: a security training class video, sample SDL documents]
title_full	The security development lifecycle SDL: a process for developing demonstrably more secure software ; [CD includes: a security training class video, sample SDL documents] Michael Howard and Steve Lipner
title_fullStr	The security development lifecycle SDL: a process for developing demonstrably more secure software ; [CD includes: a security training class video, sample SDL documents] Michael Howard and Steve Lipner
title_full_unstemmed	The security development lifecycle SDL: a process for developing demonstrably more secure software ; [CD includes: a security training class video, sample SDL documents] Michael Howard and Steve Lipner
title_short	The security development lifecycle
title_sort	the security development lifecycle sdl a process for developing demonstrably more secure software cd includes a security training class video sample sdl documents
title_sub	SDL: a process for developing demonstrably more secure software ; [CD includes: a security training class video, sample SDL documents]
topic	Microsoft (DE-588)4362438-8 gnd Softwareschutz (DE-588)4131649-6 gnd
topic_facet	Microsoft Softwareschutz
url	http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=014857667&sequence=000001&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA
work_keys_str_mv	AT howardmichael thesecuritydevelopmentlifecyclesdlaprocessfordevelopingdemonstrablymoresecuresoftwarecdincludesasecuritytrainingclassvideosamplesdldocuments AT lipnersteve thesecuritydevelopmentlifecyclesdlaprocessfordevelopingdemonstrablymoresecuresoftwarecdincludesasecuritytrainingclassvideosamplesdldocuments

Verfügbarkeit

Es ist kein Print-Exemplar vorhanden.

Fernleihe Bestellen Achtung: Nicht im THWS-Bestand! Inhaltsverzeichnis

MARC

Datensatz im Suchindex

Es ist kein Print-Exemplar vorhanden.

Ähnliche Einträge