Pre-SDL Requirements: Security Training

Education and Awareness

All members of software development teams should receive appropriate training to stay informed about security basics and recent trends in security and privacy. Individuals who develop software programs should attend at least one security training class each year. Security training can help ensure software is created with security and privacy in mind and can also help development teams stay current on security issues. Project team members are strongly encouraged to seek additional security and privacy education that is appropriate to their needs or products.

A number of key knowledge concepts are important to successful software security. These concepts can be broadly categorized as either basic or advanced security knowledge. Each technical member of a project team (developer, tester, program manager) should be exposed to the knowledge concepts in the following subsections.

On This Page

Basic Concepts
Advanced Concepts
Security Requirements
Security Recommendations
Privacy Recommendations
Resources

Basic Concepts

• Secure design, including the following topics:

  • Attack surface reduction

  • Defense in depth

  • Principle of least privilege

  • Secure defaults

• Threat Modeling, including the following topics:

  • Overview of threat modeling

  • Design to a threat model

  • Coding to a threat model

  • Testing to a threat model

• Secure Coding, including the following topics:

  • Buffer overruns

  • Integer arithmetic errors

  • Cross site scripting

  • SQL injection

  • Weak cryptography

  • Managed code issues (Microsoft .NET/Java)

• Security Testing, including the following topics:

  • Security testing versus Functional testing

  • Risk assessment

  • Test methodologies

  • Test automation

• Privacy, including the following topics:

  • Types of privacy data

  • Privacy design best practices

  • Risk analysis

  • Privacy development best practices

  • Privacy testing best practices

Advanced Concepts

The preceding training concepts establish an adequate knowledge baseline for technical personnel. As time and resources permit, it is recommended that you explore other advanced concepts. Examples include (but are not limited to):

• Security design and architecture

• User interface design

• Security concerns in detail

• Security response processes

• Implementing custom threat mitigations

Security Requirements

• All developers, testers, and program managers must complete at least one security training class each year. Individuals who have not taken a class in the basics of security design, development, and testing must do so.

• At least 80 percent of the project team staff who work on products or services must be in compliance with the standards listed earlier before their product or service is released. Relevant managers must also be in compliance with these standards. Project teams are strongly encouraged to plan security training early in the development process so that training can be completed as early as possible and have a maximum positive effect on the project’s security.

Security Recommendations

We recommend that staff who work in all disciplines read the following publications:

• Writing Secure Code , Second Edition(ISBN 9780735617223; ISBN: 0-7356-1722-8)

• Uncover Security Design Flaws Using The STRIDE Approach (ISBN: 0-7356-1991-3).

Privacy Recommendations

Microsoft recommends that staff who works in all disciplines read the following documents:

• Appendix A: Privacy at a Glance (Sample)

• Microsoft Privacy Guidelines for Developing Software Products and Services

Resources

• The Security Development Lifecycle (ISBN 9780735622142; ISBN-10 0-7356-2214-0), Chapter 5: Stage 0 – Education and Awareness

• Privacy: What Developers and IT Professionals Should Know  (ISBN-10: 0-321-22409-4; ISBN-13: 978-0-321-22409-5)

• The Protection of Information in Computer Systems

• Bell-LaPadula Model

• Biba Model

Content Disclaimer