Pre-SDL Requirements: Security Training

Education and Awareness

All members of software development teams should receive appropriate training to stay informed about security basics and recent trends in security and privacy. Individuals who develop software programs should attend at least one security training class each year. Security training can help ensure software is created with security and privacy in mind and can also help development teams stay current on security issues. Project team members are strongly encouraged to seek additional security and privacy education that is appropriate to their needs or products.

A number of key knowledge concepts are important to successful software security. These concepts can be broadly categorized as either basic or advanced security knowledge. Each technical member of a project team (developer, tester, program manager) should be exposed to the knowledge concepts in the following subsections.

On This Page

Basic Concepts
Advanced Concepts
Security Requirements
Security Recommendations
Privacy Recommendations
Resources

Basic Concepts

• Secure design, including the following topics:

  • Attack surface reduction

  • Defense in depth

  • Principle of least privilege

  • Secure defaults

• Threat Modeling, including the following topics:

  • Overview of threat modeling

  • Design to a threat model

  • Coding to a threat model

  • Testing to a threat model

• Secure Coding, including the following topics:

  • Buffer overruns

  • Integer arithmetic errors

  • Cross site scripting

  • SQL injection

  • Weak cryptography

  • Managed code issues (Microsoft .NET/Java)

• Security Testing, including the following topics:

  • Security testing versus Functional testing

  • Risk assessment

  • Test methodologies

  • Test automation

• Privacy, including the following topics:

  • Types of privacy data

  • Privacy design best practices

  • Risk analysis

  • Privacy development best practices

  • Privacy testing best practices

Advanced Concepts

The preceding training concepts establish an adequate knowledge baseline for technical personnel. As time and resources permit, it is recommended that you explore other advanced concepts. Examples include (but are not limited to):

• Security design and architecture

• User interface design

• Security concerns in detail

• Security response processes

• Implementing custom threat mitigations

Security Requirements

• All developers, testers, and program managers must complete at least one security training class each year. Individuals who have not taken a class in the basics of security design, development, and testing must do so.

• At least 80 percent of the project team staff who work on products or services must be in compliance with the standards listed earlier before their product or service is released. Relevant managers must also be in compliance with these standards. Project teams are strongly encouraged to plan security training early in the development process so that training can be completed as early as possible and have a maximum positive effect on the project’s security.

Security Recommendations

We recommend that staff who work in all disciplines read the following publications:

• Writing Secure Code , Second Edition(ISBN 9780735617223; ISBN: 0-7356-1722-8)

• Uncover Security Design Flaws Using The STRIDE Approach (ISBN: 0-7356-1991-3).

Privacy Recommendations

Microsoft recommends that staff who works in all disciplines read the following documents:

• Appendix A: Privacy at a Glance (Sample)

• Microsoft Privacy Guidelines for Developing Software Products and Services

Resources

• The Security Development Lifecycle (ISBN 9780735622142; ISBN-10 0-7356-2214-0), Chapter 5: Stage 0 – Education and Awareness

• Privacy: What Developers and IT Professionals Should Know  (ISBN-10: 0-321-22409-4; ISBN-13: 978-0-321-22409-5)

• The Protection of Information in Computer Systems

• Bell-LaPadula Model

• Biba Model

Content Disclaimer

This documentation is not an exhaustive reference on the SDL process as practiced at Microsoft. Additional assurance work may be performed by product teams (but not necessarily documented) at their discretion. As a result, this example should not be considered as the exact process that Microsoft follows to secure all products. This documentation is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. This documentation does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. © 2012 Microsoft Corporation. All rights reserved. Licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported