While I was reading articles from the MSDN Magazine, I ended up on this very interesting article regarding the security development lifecycle at Microsoft: A Look Inside the Security Development Lifecycle at Microsoft (link).
It is obvious that Microsoft has made their products more robust and reliable during the last years. Face it, there is a new Internet Explorer coming out, IIS 7 is far away more secure than its predecessor, the same applies to Windows 2003 family - all of these are an obvious sign that Microsoft puts security as a very important characteristic of their products. But in order to provide it, as can be inferred form this article, there is a very solid process engaged. I personally like the idea of having a person in the team, responsible for the product security. Also, the fact that security is put into consideration early in the development process will help to build the architecture with respect to it, and afterwards, during the implementation phase, security will be a criterion for each developer.
Another thing that I read in this article and I find particularly true, is that most developers just don't know what is to write secure code. In order to mitigate the risk of security flaws, having a "security" guy on the team is going to be really very handy, because (s)he will give guidance and put attention to security issues and best practices. But after all, each developer should be knowledgeable. I am now covering the courses found at Microsoft e-Learning, courses showing the latest best practices and important flaws that every developer should be aware of. These courses are under the label "Microsoft Security Guidance Training" and they can be found here. Very interesting, very helpful and for sure after you cover these, you will have a solid base in security.
No comments:
Post a Comment