
With an increasing number of business customers choosing the client, the cloud, or both for their computing environment, security guidance should be dynamic. Because security and privacy are key issues affecting the choice of computing environment, vendors have an opportunity to convince customers that web applications running in the cloud can function safely and securely.
Microsoft has taken a number of steps to make security best practices available to a wide range of developers. These include a guide, an SDL optimization model, and a Threat Modeling Tool. All of the above, plus subsequent releases of the SDL, tools, tutorials, and technologies, will allow software developers and vendor partners to provide the required level of security in their applications and give their users a more reliable computing environment.
Recently, Microsoft announced two new SDL documents at a conference in Berlin, Germany.
· Security Considerations for Client and Cloud Applications. Download a report from the SDL team that discusses issues related to client and cloud applications, as well as the steps Microsoft has taken to develop the SDL when addressing security issues.
· SDL 4.1a, an enhanced version that includes a rapid (Agile) development process. Download the latest SDL tutorial, including the SDL chapter for rapid development, a clear approach that combines rapid methods and security. The complete and flexible SDL guide for rapid development includes all SDL requirements and provides additional guidance on applying them in very short implementation cycles.
Let's take a quick look at each of them.

Security Considerations for Client and Cloud Applications
While vendors are discussing the cloud as a computing environment, customers are concerned about how information security will be ensured. According to the results of IT Pro's online survey conducted in September 2009, about 51% of respondents named the safety and security of information as the main obstacle to deciding to use the cloud.
In "Security Considerations for Client and Cloud Applications", Microsoft looks at security from the perspective of an organization that is considering placing its applications in the cloud.

If you are going to keep your application in the cloud, at a high level, you should ask questions regarding two basic security issues:
· Security requirements and compliance. If you have requirements, what should the provider do to ensure the required level of security for your software when it is hosted in the cloud? What has it done to meet these requirements?
· Features and level of security services. Different providers may offer different security features (for example, supporting specific types of identification), as well as different levels of security services in their SLAs. Read the details so that you know exactly which services they will provide you from a security perspective.
Undoubtedly, developing software for the cloud, as for the client, calls for a structured development process from a security point of view, such as the SDL. Make sure that you use such a process for your applications.

SDL for rapid (Agile) development
You are not alone if you use a rapid development process. Rapid development methods are increasingly being chosen by vendors around the world. According to an independent Forrester report, 85% of industrial technology professionals have either just chosen rapid development methods, are in the process of deciding on them, or have already applied them.
Note: If you are not familiar with rapid development and would like to learn more, you can read about it at http://www.agilemanifesto.org.
Wikipedia defines it as:
Rapid software development belongs to a group of software development methodologies based on iterative development, where requirements and solutions are unwound through collaboration between self-organizing cross-functional teams. The term was established in 2001 when the Agile Manifesto was compiled.
Noteworthy early methods of rapid development include Scrum (1995), Crystal Clear, Extreme Programming (1996), Adaptive Software Development, Feature Driven Development, and Dynamic Systems Development Method (DSDM) (1995). After the Agile Manifesto was published in 2001, they came to be referred to as rapid (Agile) methodologies.
In his post on the SDL blog, Bryan Sullivan gives an excellent description of the team's approach to applying SDL requirements and processes: reworking the guidance into a structure that is suitable for rapid development and can be flexibly applied to both long-term and short-term rapid development projects. Here is a short overview of his post.
When you look at the Security Development Lifecycle (SDL) and describe it in phases, you can see that it was originally designed to be integrated into the spiral product development process that Microsoft used to develop Windows and other business products. Although there are many differences between spiral methods and rapid development methods, the main ones for me are:
· Rapid development methods do not have clear phases.
· Rapid development releases are usually much shorter, in some cases only one or two weeks.

Because of these differences, the SDL for rapid development divides the SDL requirements into three categories: per-iteration requirements, which are so important that they must be completed in every iteration; one-time requirements, which must be completed once during the entire project, regardless of its duration; and bucket requirements, which need to be completed regularly but are not so important that they must be done in every iteration.
Threat modeling is an excellent example: a team can spend the whole week creating a threat model, but this will not necessarily be the most rational use of its time. The SDL for rapid development gives an idea of how the team can spend an appropriate amount of time modeling new features, as well as how to build a baseline model for the existing functionality.
For a complete guide to SDL for rapid development, download SDL 4.1a, the enhanced version that includes the rapid development process, and read the new sections on rapid development.

Concluding remarks
As computer technology continues to grow, Microsoft continues to invest in the fundamentals of security and privacy, developing the best documents and technologies for both client and cloud applications. The release of the SDL for rapid development, as well as the security report for applications in the cloud, confirms that Microsoft is doing everything possible to keep up with the times and ultimately to create even more reliable online security.