Secure by Design: Developing Apps Without Flaws Takes the Right Tools
"So we adapted the SDL so that groups using Agile could use the SDL. And we're constantly looking at things like that. Now the move is toward continuous release," said Pittaway, where the company releases updated product versions six times a day or more. In such a situation, he asked, "How do you make something like the SDL relevant in that kind of context?"

Indeed, John Dickson, a principal at the Denim Group, a software security consultancy, made the same observation. "Microsoft's SDL is probably the most famous," Dickson said. "I think these security frameworks are a great starting point. What I see most frequently is people taking those and adapting them for their environment.

"Most companies have not one software team and not one software technology, so what we see is people have .NET and Microsoft but also J2EE and Extreme Programming or some type of Scrum, also Web and mobile," Dickson observed. "How do you adapt that to a different framework? That's where the good guys are separating themselves out from everybody else."

One of the most popular tools is the threat modeling tool; threat modeling is a key part of the SDL. Microsoft also offers BinScope, a binary analyzer that checks whether a compiled binary was built with the compiler and linker protections the SDL requires, and MiniFuzz, a basic file fuzzer that mutates input files and feeds them to the target program to surface crashes and other code flaws. In addition, Microsoft offers the Attack Surface Analyzer, which compares snapshots of a system taken before and after a product is installed to show how the installation changed the machine's attack surface, as well as a Team Foundation Services template so users can apply the SDL to their project as they manage it. Another tool is banned.h, a header file that marks the C runtime functions the SDL prohibits (the "banned APIs," such as the unbounded string copy and formatting functions) so that the compiler reports every remaining call to them at build time. In Visual Studio 2013 there is a /SDL flag that "switches on all the more useful protections," Pittaway said. Microsoft also provides static analysis tools like PreFast and PreFix. There have been more than a million downloads of the SDL tools.
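The banned-API idea is easiest to see in code. The following is an added example, not code from the article, from banned.h or from any Microsoft SDL tool: it shows the unbounded strcpy pattern a banned-API header flags, the bounded replacement the SDL guidance steers developers toward, and a portable preprocessor stand-in for the compile-time ban (the real banned.h relies on compiler-specific mechanisms; the macro here, the BAN_UNSAFE_APIS switch and the function names are assumptions of this example). The input strings are constructed for the demonstration.

```c
/* Added example (not from the article or the SDL tools).
 * Compile normally to run it; compile with -DBAN_UNSAFE_APIS to see the
 * build break at the strcpy call, which is what a banned-API header does. */
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdio.h>
#include <string.h>

/* Stand-in for a banned-API header (assumption: the real banned.h works
 * differently). Any remaining use of strcpy or strcat expands to a
 * negative-width bit-field, which every C compiler rejects, so the build
 * fails at the exact line that still calls the banned function. */
#ifdef BAN_UNSAFE_APIS
#  define strcpy(dst, src) (sizeof(struct { int strcpy_is_banned_use_copy_bounded : -1; }))
#  define strcat(dst, src) (sizeof(struct { int strcat_is_banned_use_copy_bounded : -1; }))
#endif

/* The "before" side: no destination size, so any src longer than 15
 * bytes overruns buf on the stack. Kept only to show what gets flagged;
 * never call it with untrusted input. */
size_t vulnerable_copy(const char *src)
{
    char buf[16];
    strcpy(buf, src);          /* the line a banned-API header reports */
    return strlen(buf);
}

/* The "after" side: takes the destination capacity, rejects (rather than
 * silently truncates) input that does not fit, never reads past dst_size
 * bytes of src, and always leaves dst NUL-terminated.
 * Returns 0 on success, -1 on bad arguments or oversize input. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    n = strnlen(src, dst_size);
    if (n == dst_size) {       /* no terminator within dst_size: too long */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* n bytes plus the terminator */
    return 0;
}

/* Helper for checks: copies src into an 8-byte buffer and reports 1 if it
 * was accepted and copied intact, 0 if it was rejected. */
int fits_in_eight(const char *src)
{
    char b[8];
    if (copy_bounded(b, sizeof b, src) != 0)
        return 0;
    return strcmp(b, src) == 0;
}

/* Runs copy_bounded over constructed inputs of the kind a form field or
 * network message might carry and returns how many were rejected. */
int count_rejected(void)
{
    static const char *inputs[] = {
        "alice",                                    /* fits easily        */
        "bob@example.com",                          /* 15 chars: just fits */
        "0123456789ABCDEF",                         /* 16 chars: one too many */
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", /* 40-byte overrun attempt */
    };
    char buf[16];
    int rejected = 0;
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (copy_bounded(buf, sizeof buf, inputs[i]) != 0) {
            rejected++;
            printf("rejected (does not fit in %zu bytes): %.20s...\n", sizeof buf, inputs[i]);
        } else {
            printf("accepted: %s\n", buf);
        }
    }
    return rejected;   /* 2 for the inputs above */
}

int main(void)
{
    printf("%d of 4 inputs rejected\n", count_rejected());
    return 0;
}
```

The point of the bounded version is not the API name but the contract: the caller passes the capacity, the function can never write past it, and an oversize input is an explicit error the caller must handle instead of a silent stack overwrite. That is the behaviour the /SDL option and the "safe" CRT variants are meant to make the default.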
Mark Troester, director of product marketing at Sonatype, which provides component life cycle management solutions, said developers must "think about the entire software lifecycle. As they should, developers will do what they can to deliver apps fast. It's up to the architects, dev management, security team, QA, etc., to be involved and ensure that security is considered throughout the entire lifecycle. But these supporting roles must support security, licensing and quality controls in a way that doesn't hinder developers."

In a study of 150 development shops, Forrester noted that those using Microsoft SDL saw better return on investment (ROI). "It turns out that those practicing SDL specifically reported visibly better ROI results than the overall population," the Forrester study said. "Unlike point technologies, SDL advocates a coordinated approach to application security throughout the life cycle and its emphasis is on a set of processes that supports such coordination."

After a series of SQL injection attacks from the Internet exposed weaknesses in its IT systems, MidAmerican Energy Holdings used the SDL as the backbone for a security effort the company put in place. The SDL "is a way for Microsoft to improve the security of its code and a way to help people writing software for its platform," said Jeff Williams, CEO of Aspect Security, a Columbia, Md.-based security firm that provided security training services to MidAmerican. Meanwhile, MidAmerican looked for scanning tools and selected Fortify 360 from Hewlett-Packard's Fortify division. It also decided to follow Open Web Application Security Project (OWASP) standards.
When Microsoft started the SDL it had no tools; users soon began asking for tool support. "When you are effectively the platform for the planet, you have the obligation to make sure that the products you are selling are safe to use," Pittaway said. "So very early on we also started to externalize the SDL and its guidance and policies. But we very quickly got back that people wanted tools. So we started to release tools to third parties, and you can download them from Microsoft.com/sdl."