Modern software development processes require software engineers to design and build more secure software and address security compliance requirements while decreasing development cost. Reducing the opportunities for attackers to exploit a potential weak spot or vulnerability requires analysing the overall attack surface, and includes restricting access to system services. Applying a structured approach to threat scenarios during design helps a team more effectively and less expensively identify security vulnerabilities, determine risks from those threats, and establish appropriate mitigations.
This session illustrates the core concepts of the Microsoft Security Development Lifecycle (SDL) and discusses the security activities that should be performed in order to claim compliance with the SDL process. Combining a holistic and practical approach, the SDL aims to reduce the number and severity of vulnerabilities in software by introducing security and privacy throughout all phases of the development process.
Besides presenting the Microsoft SDL methodology, this session presents practical applications of tools for understanding your attack surface before and after new apps are deployed (Attack Surface Analyzer), finding and addressing system security issues (Microsoft Threat Modeling Tool), and a simple fuzzer designed to test for potential denial of service vulnerabilities (MiniFuzz).