
Best Practices

Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software

Your customers demand and deserve better security and privacy in their software. This book is the first to detail a rigorous, proven methodology that measurably minimizes security bugs—the Security Development Lifecycle (SDL). In this long-awaited book, security experts Michael Howard and Steve Lipner from the Microsoft Security Engineering Team guide you through each stage of the SDL—from education and design to testing and post-release. You get their first-hand insights, best practices, a practical history of the SDL, and lessons to help you implement the SDL in any development organization.
Discover how to:
Use a streamlined risk-analysis process to find security design issues before code is committed
Apply secure-coding best practices and a proven testing process
Conduct a final security review before a product ships
Arm customers with prescriptive guidance to configure and deploy your product more securely
Establish a plan to respond to new security vulnerabilities
Integrate security discipline into agile methods and processes, such as Extreme Programming and Scrum
Includes a CD featuring:
A six-part security class video conducted by the authors and other Microsoft security experts
Sample SDL documents and fuzz testing tool
PLUS—Get book updates on the Web.
A Note Regarding the CD or DVD
The print version of this book ships with a CD or DVD. For those customers purchasing one of the digital formats in which this book is available, we are pleased to offer the CD/DVD content as a free download via O'Reilly Media's Digital Distribution services. To download this content, please visit O'Reilly's web site, search for the title of this book to find its catalog page, and click on the link below the cover image (Examples, Companion Content, or Practice Files). Note that while we provide as much of the media content as we are able via free download, we are sometimes limited by licensing restrictions. Please direct any questions or concerns to booktech@oreilly.com.

352 pages, Paperback

First published June 7, 2006


About the author

Michael Howard

17 books, 8 followers
Librarian Note: There is more than one author by this name in the Goodreads database.

software security expert from Microsoft

Ratings & Reviews


Community Reviews

5 stars: 15 (28%)
4 stars: 19 (36%)
3 stars: 13 (25%)
2 stars: 4 (7%)
1 star: 1 (1%)
Displaying 1 - 5 of 5 reviews
Alex Ott
Author, 3 books, 209 followers
June 24, 2012
A very useful book on organizing a security-related development process. Although it sometimes mentions Microsoft technologies, most of the time the authors discuss generic security-related issues, processes, etc.
The book covers a wide area of topics, and would be very useful for sr. engineers, development managers, etc.
53 reviews, 2 followers
June 20, 2017
Liked the chapters on STRIDE, secure design principles + threat modeling.

Like the title says it is a lifecycle doc - checklists + phases. Not sure how well this translates to something that isn't done via waterfall. The process is heavy to do frequently.
Mark
Author, 6 books, 22 followers
May 22, 2022
Though some of the specific examples don't apply to the modern web app world, the principles and processes do.
67 reviews, 1 follower
September 11, 2014
This is a slightly out-of-date book, but is a good starting point for projects wanting to incorporate better security into their development life cycle.