Free ebook: The Security Development Lifecycle

Hello, Michael Howard here, from the Microsoft Cybersecurity team. It’s hard to imagine that Steve Lipner and I wrote The Security Development Lifecycle: A Process for Developing Demonstrably More Secure Software (Microsoft Press, 2006) a decade ago. Even though much has changed in the intervening years, it’s amazing how the simple fundamentals still hold true.

In the book we talk of “banned functionality,” or functionality that is dangerous and should never be used, and we still talk about the topic today, even though some of the specifics are a little different. Threat modeling, which has a dedicated chapter in the book and which is a cornerstone of the Microsoft Security Development Lifecycle (SDL), is a critical component of any application architecture today.

Sure, the book doesn’t mention “IoT” or “cloud” and the word “mobile” rarely gets mentioned, but banned functionality, threat modeling, and numerous other core SDL tenets—such as static analysis, bug bars, fuzz testing, and correct cryptographic design—apply to IoT, cloud, and mobile as much as they do to three-tier applications and websites. For example, Microsoft recently released a paper on IoT security architecture, and the first section’s title is “Security starts with a threat model.”

Microsoft’s practice of the SDL has evolved and matured over the last decade, and there’s lots of current guidance and tools available for download at the SDL website. But as I re-read our SDL book recently, I was struck by how much of it is as applicable today as it was yesterday, and it’s because of this that we’re delighted to release the book as a free download from Microsoft Press. Click here to initiate download of the PDF (20.5 MB). Click here to initiate download of the EPUB (3.3 MB). (Please note that the companion materials that were originally released on a CD with the book won’t be made available.)

We hope that more people will read The Security Development Lifecycle and make small changes to their current design, development, and testing practices so as to improve their products’ security.

Michael Howard

mikehow@microsoft.com
Austin, Texas
April 2016

Comments

  • Anonymous
    April 19, 2016
    Thanks for the release! However, I still insist that you should release the material in the CD also.
  • Anonymous
    April 19, 2016
    This is awesome.
  • Anonymous
    April 20, 2016
    Steve Lipner here. Many thanks to Microsoft Press for making this release happen. Even though the SDL book is ten years old, a lot of folks still find it a valuable reference. I'm delighted that it'll be broadly available to help development teams improve the security of their software.
  • Anonymous
    April 21, 2016
    Hi, could you please send me a copy of the book? Thanks, Syed
  • Anonymous
    April 26, 2016
    Wonderbar!!
  • Anonymous
    April 27, 2016
    Any chance you can change those download links over to HTTPS instead?
    • Anonymous
      April 27, 2016
      Hi Eric - the links have been updated to https.
  • Anonymous
    May 26, 2016
    Thank you for the great resource.
  • Anonymous
    August 12, 2016
    good
  • Anonymous
    October 22, 2016
    Big thanks for the release. Unfortunately, the EPUB version is not compatible with Google Play Books. validator.idpf.org shows a few errors and warnings.
  • Anonymous
    January 19, 2017
    Thanks!
  • Anonymous
    August 20, 2017
    It's awesome. Thank you.