Strategies on Implementing Secure Development Lifecycle by Ervin Loh


  • 8/3/2019 Strategies on Implementing Secure Development Lifecycle by Ervin Loh

    1/29

    Strategies on Implementing Secure Development Lifecycle

    Ervin Loh
    Visual Studio ALM MVP
    http://ervinloh.wordpress.com

    2/29

    The Secure Development Lifecycle (SDL) is a software development security assurance process consisting of security practices grouped by seven phases of the traditional software development life cycle. The SDL process is not specific to Microsoft or the Windows platform and can be applied to different operating systems, platforms, development methodologies, and to projects of any size. In this demo-packed session, we will look at the strategies on implementing Microsoft's SDL into your software development processes.

    3/29

    Agenda

    Overview of the Microsoft SDL
    Overview of code analysis
    Microsoft code analysis tools:
      FxCop
      PREFast
      Visual Studio Code Analysis feature
      ASP Source Code Analyzer for SQL Injection
    Microsoft SDL code analysis requirements

    4/29

    Microsoft Security Development Lifecycle (SDL)

    Delivering secure software requires:
    Executive commitment: SDL, a mandatory policy at Microsoft since 2004
    Ongoing process improvements: 6-month cycle

    5/29

    MSF-A+SDL: TFS process template that incorporates the SDL for Agile process guidance into the MSF Agile development framework.

    Any code checked into the TFS source repository by the developer is analyzed to ensure that it complies with SDL secure development practices.

    6/29

    Demo #1

    MSF-Agile plus Security Development Lifecycle Process Template for VS2010

    7/29

    Code Analysis Overview

    Code Analysis Tools: software tools that analyze application implementations for conformance to best practices

    Two types:
    1. Static source code analysis
    2. Binary analysis

    These tools are not silver bullets for identifying non-conformance to best practices, but they can greatly reduce engineering costs

    8/29

    Static Analysis Versus Binary Analysis

    Source Code (the program is deliberately defective; it is what the analyzers are meant to catch):

        #include <stdio.h>
        #include <string.h>

        /* Unbounded copy: a str longer than 31 bytes overruns buffer, which is
           the defect a static source analyzer flags on this line. */
        void function(char *str)
        {
            char buffer[32];
            strcpy(buffer, str);
        }

        int main(int argc, char **argv)
        {
            function(argv[0]);
            printf(argv[0]);  /* user-controlled format string: argv[0] is used where a literal format belongs */
            return 0;
        }

    COMPILER & LINKER: Source Code -> Binary File

    Binary File (x86 assembly for the same two calls; this is what a binary analyzer sees):

        mov eax, DWORD PTR _str$[ebp]
        push eax
        lea ecx, DWORD PTR _buffer$[ebp]
        push ecx
        call _strcpy
        add esp, 8
        mov edx, DWORD PTR _argv$[ebp]
        mov eax, DWORD PTR [edx]
        push eax
        call _printf
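The hardened counterpart to the program above, written for this page as an added example (it is not code from the slides): the unbounded strcpy becomes a bounded copy that reports truncation to its caller, and the user-controlled format string is replaced by a literal one. The names bounded_copy, function_fixed, copied_length and print_untrusted are my own. Compiling the original with the Visual Studio /analyze switch the deck describes later is how a developer would see both defects flagged before arriving at this form.

```c
#include <stdio.h>
#include <string.h>

/* Bounded copy: writes at most dstsz bytes and always NUL-terminates dst.
   Returns 0 on success, -1 on bad arguments or if src did not fit
   (dst then holds the first dstsz-1 characters of src). */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || dstsz == 0 || src == NULL)
        return -1;
    /* snprintf reports the length the full copy would have needed. */
    int needed = snprintf(dst, dstsz, "%s", src);
    return (needed < 0 || (size_t)needed >= dstsz) ? -1 : 0;
}

/* Hardened replacement for function() on the slide: same 32-byte buffer,
   but the copy is bounded and truncation is reported instead of overrunning. */
int function_fixed(const char *str)
{
    char buffer[32];
    return bounded_copy(buffer, sizeof buffer, str);
}

/* Copies src into a 32-byte buffer and returns the stored length, which
   can never exceed 31 no matter how long src is. */
size_t copied_length(const char *src)
{
    char buffer[32];
    buffer[0] = '\0';
    bounded_copy(buffer, sizeof buffer, src);
    return strlen(buffer);
}

/* Hardened replacement for printf(argv[0]): the format is a literal, so
   '%' sequences in s are printed as data. Returns what printf returns. */
int print_untrusted(const char *s)
{
    return printf("%s\n", s);
}

int main(int argc, char **argv)
{
    const char *input = argc > 1 ? argv[1] : argv[0];
    if (function_fixed(input) != 0)
        fputs("warning: input did not fit the 32-byte buffer\n", stderr);
    print_untrusted(input);
    return 0;
}
```

The return value of snprintf is the length the complete copy would have required, so comparing it with the buffer size is the truncation check; a truncated result is still NUL-terminated, which strncpy does not guarantee.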

    9/29

    Static Source Code Analysis

    Static Source Code Analysis Tools: software tools that analyze the uncompiled source code implementations of applications for areas of improvement

    Inputs: human-readable source code, such as C (*.c), C++ (*.cpp, *.cc) or C# (*.cs) files

    Some key advantages:
    Easier to diagnose findings
    More mature technology

    10/29

    Binary Code Analysis

    Binary Code Analysis Tools: software tools that analyze the compiled or binary version of source code implementations for areas of improvement

    Inputs: machine code or binary files, such as executable (*.exe) and library (*.dll) files

    Key advantage: binary analysis tools have visibility into the compiled code itself

    11/29

    Demo #2

    BinScope Binary Analyzer

    12/29

    Code Analysis Pros and Cons

    Pros:
    Helps scale the code review process
    Helps enforce secure-coding policies

    Cons:
    False positives
    False negatives
    Language-centric
    Source-level issues only
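To make the Code Analysis Overview and the pros and cons above concrete, here is a minimal pattern-based static source analyzer written for this page as an added example (it is not a tool from the slides and is far simpler than PREFast or FxCop). It runs two lexical rules over a constructed sample that embeds the deck's vulnerable program plus two extra lines; the sample text, the rule names, and the analyze_source, sample_finding_count and sample_finding_line functions are all my own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample input (not taken from the slides as-is): the deck's
   program plus a comment on line 1 and a memcpy on line 6 that expose the
   limits of matching on text. */
static const char *SAMPLE_SOURCE =
    "/* strcpy() is banned here; use a bounded copy */\n"   /* line 1  */
    "void function(char *str)\n"                            /* line 2  */
    "{\n"                                                   /* line 3  */
    "    char buffer[32];\n"                                /* line 4  */
    "    strcpy(buffer, str);\n"                            /* line 5  */
    "    memcpy(buffer, str, strlen(str));\n"               /* line 6  */
    "}\n"                                                   /* line 7  */
    "int main(int argc, char **argv)\n"                     /* line 8  */
    "{\n"                                                   /* line 9  */
    "    function(argv[0]);\n"                              /* line 10 */
    "    printf(argv[0]);\n"                                /* line 11 */
    "    printf(\"%s\\n\", argv[0]);\n"                     /* line 12 */
    "    return 0;\n"                                       /* line 13 */
    "}\n";                                                  /* line 14 */

struct finding {
    int line;
    const char *rule;
};

/* Rule 2 helper: true when the text after "printf(" does not begin with a
   string literal, i.e. the format string comes from a variable. */
static int printf_format_is_nonliteral(const char *call)
{
    const char *p = call + strlen("printf(");
    while (*p == ' ' || *p == '\t')
        p++;
    return *p != '"';
}

/* Applies two lexical rules to each line of src and records up to max
   findings in out. Returns the number of findings, the value a check-in
   gate would act on. */
int analyze_source(const char *src, struct finding *out, int max)
{
    int count = 0, line = 1;
    const char *cursor = src;

    while (*cursor != '\0') {
        const char *eol = strchr(cursor, '\n');
        size_t len = eol ? (size_t)(eol - cursor) : strlen(cursor);
        char text[256];
        if (len >= sizeof text)
            len = sizeof text - 1;
        memcpy(text, cursor, len);
        text[len] = '\0';

        /* Rule 1: any occurrence of the unbounded strcpy(). */
        if (strstr(text, "strcpy(") != NULL && count < max) {
            out[count].line = line;
            out[count].rule = "unbounded-copy";
            count++;
        }
        /* Rule 2: printf() whose format argument is not a literal. */
        const char *call = strstr(text, "printf(");
        if (call != NULL && printf_format_is_nonliteral(call) && count < max) {
            out[count].line = line;
            out[count].rule = "nonliteral-format";
            count++;
        }

        if (eol == NULL)
            break;
        cursor = eol + 1;
        line++;
    }
    return count;
}

/* Convenience wrappers that run the analyzer over the constructed sample. */
int sample_finding_count(void)
{
    struct finding f[16];
    return analyze_source(SAMPLE_SOURCE, f, 16);
}

int sample_finding_line(int i)
{
    struct finding f[16];
    int n = analyze_source(SAMPLE_SOURCE, f, 16);
    return (i >= 0 && i < n) ? f[i].line : -1;
}

int main(void)
{
    struct finding f[16];
    int n = analyze_source(SAMPLE_SOURCE, f, 16);
    for (int i = 0; i < n; i++)
        printf("line %d: %s\n", f[i].line, f[i].rule);
    return 0;
}
```

Running it reports three findings. Line 5 (strcpy) and line 11 (printf with argv[0] as the format) are real; line 1 is a false positive, because the rule cannot tell a comment from code; and the memcpy on line 6, which copies strlen(str) bytes into a 32-byte buffer, is missed entirely, a false negative. Compiler-integrated analyzers work on parsed syntax and data flow rather than text, which is why they do better on both counts, and a binary analyzer, which sees the emitted call to _strcpy rather than a line of source, covers the case where the source is not available at all.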

    13/29

    Microsoft FxCop

    FxCop: an application that analyzes managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines
    http://msdn.microsoft.com/en-us/library/bb429476(VS.80).aspx

    Binary code analyzer for .NET assemblies
    Can be fully integrated into the software development lifecycle
    In addition to security checks, FxCop analyzes assemblies for areas of improvement in design, localization, and performance

    14/29

    FxCop

    15/29

    Microsoft PREFast

    Microsoft PREFast: an application that identifies vulnerabilities in C/C++ source code
    http://www.microsoft.com/whdc/DevTools/tools/PREfast.mspx

    Static source code analyzer for C/C++ applications
    Can be fully integrated into the software development lifecycle
    Distributed with the Windows Driver Kit (WDK), but can be used to analyze non-driver code written in C/C++

    16/29

    PREFast

    17/29

    Visual Studio Code Analysis

    Microsoft Visual Studio Team System and higher versions provide the capabilities of PREFast and FxCop integrated into the development environment
    http://msdn.microsoft.com/en-us/library/ms182025(VS.80).aspx

    Enabled via the /analyze command-line switch or through Visual Studio project properties settings

    18/29

    Visual Studio Code Analysis

    19/29

    Demo #3

    Visual Studio Code Analysis

    20/29

    ASP Source Code Analyzer for SQL Injection

    Microsoft Source Code Analyzer for SQL Injection tool helps developers and testers find certain SQL injection vulnerabilities in ASP code
    http://support.microsoft.com/kb/954476

    Command-line static source code analysis tool
    Limited to analyzing ASP pages that are written in VBScript

    21/29

    ASP Source Code Analyzer for SQL Injection

    22/29

    Demo #4

    ASP Source Code Analyzer for SQL Injection

    23/29

    Microsoft SDL Code Analysis Requirements

    Organizations that use source code analysis tools, or are considering using them, should develop code analysis tool policies

    The Microsoft SDL provides specific requirements for using PREFast, FxCop and Visual Studio
    Example: developers must fix Visual Studio /analyze warnings 4532, 6029, 6053, 6057, 6059, 6063, and many more

    For more information, refer to the Microsoft SDL whitepaper (Appendix E) at http://www.microsoft.com/sdl or the Microsoft SDL book (Chapter 21) at http://www.microsoft.com/mspress/books/8753.aspx

    24/29

    Conclusion

    Overview of Microsoft SDL
    Overview of code analysis
    Microsoft code analysis tools
    Microsoft SDL code analysis requirements

    25/29

    Microsoft Security Development Lifecycle (SDL)

    Official SDL Web Site: http://www.microsoft.com/sdl
    SDL Book: http://www.microsoft.com/mspress/books/8753.aspx

    26/29

    Microsoft Developer Network (MSDN) Security Developer Center

    Official Web site: http://msdn.microsoft.com/security

    27/29

    Secure Development Blogs

    The Microsoft Security Development Lifecycle (SDL) Blog: http://blogs.msdn.com/sdl
    Michael Howard's Blog: http://blogs.msdn.com/michael_howard

    28/29

    Microsoft Hunting Security Bugs

    Hunting Security Bugs: http://www.microsoft.com/mspress/books/8485.aspx

    29/29

    Thank You

    Q&A