Sunday, August 20, 2006

Preview: The Security Development Lifecycle

Michael Howard and Steve Lipner were kind enough to send me a copy of their new book The Security Development Lifecycle. Michael's blog summarizes the book. I was surprised to see the book's CD includes a six-part security class video. That's a first for me, at least.

I'm also looking forward to another Microsoft security book called Hunting Security Bugs. Michael Howard has another security book through Osborne called Designing Security Software arriving in February. Good work Michael -- push that publication date far enough away for me to catch up on my other reading.

On a related note, does anyone recall learning about this?

I saw it at the Microsoft Security Development Center. Microsoft India hosted a Security Shootout last March. Varun Sharma won. It's interesting to see such a promotion, and I wonder if the US will host something similar.

In the future, I recommend changing the logo. Vulnerabilities in code are not "security threats" -- they are vulnerabilities. I think Microsoft is so hung up with their definition of threat modeling that they think problems in their code are threats, not vulnerabilities. (Cue comments that "vulnerabilities are threats," which I will promptly ignore.)

1 comment:

LonerVamp said...

I think that is awesome, and I too would love to see this take place in the US/Canada as well. Just like red teaming and cyberdefense competitions and simulations, even coders need to practice and hone their skills with secure practices through active evaluation and hands-on activities. Only good things come from such activities.