Software used in today’s mission-critical and operational environments provides insufficient assurance against malicious threats. In order to improve resilience to attack and inadvertent misuse, assurances that closely couple with diligent security engineering and industry best practices are required to protect software systems. When properly integrated into the software development lifecycle (SDLC), software assurance best practices can improve the security posture of the system and reduce the risk of an attack.
The Security Development Lifecycle (SDL) is a process developed by Microsoft that embeds security and privacy throughout the software development life cycle and has proven to be effective on flagship products. The SDL integrates core concepts such as developer awareness, risk assessment, secure design, code review, and application penetration testing into the SDLC to significantly improve software security and reduce system risk. Microsoft has implemented the SDL for all software created since 2004, including Windows Vista, Windows 7, SQL Server 2005, and Internet Explorer 7 and 8, all of which have seen a significant reduction of disclosed vulnerabilities over their predecessors.
The Microsoft SDL is capable of being deployed by companies of all sizes–large and small–offering enhanced software assurance capabilities to protect your systems and customers. The SDL consists of multiple phases in which core software assurance activities are defined. Ideally, the Microsoft SDL should be implemented from the start, but a phased approach allows software assurance activities to be injected even in later stages of your project. The SDL Optimization Model has been designed to facilitate gradual, consistent and cost-effective implementation of the SDL.
Integrating the Microsoft SDL within your organization provides the benefits such as:
For additional information about the Microsoft SDL, please visit:
The SDL Pro Network is a group of security consultants, training companies, and tool providers that specialize in application security and have substantial experience and expertise with the methodology and technologies of the SDL. The SDL Pro Network is designed to provide customers with a variety of sources to meet their software assurance needs. As a member of the SDL Pro Network, Booz Allen provides a variety of software assurance services that assist customers with integration of the Microsoft SDL.
In today’s society, Information Assurance (IA) teams routinely integrate security controls into systems, as the need for security is widely known. However, many systems do not properly protect the application. There is misconception that technologies such as traditional firewalls, authentication, and encryption are sufficient to protect the application and data. Software defects with security ramifications–including implementation flaws that can result in SQL Injection, Cross Site Scripting (XSS), session hijacking, and design flaws such as inconsistent error handling–can put your data and systems at risk. Booz Allen has extensive experience in applying security best practices throughout the development lifecycle to minimize the occurrence of such defects. We provide our clients with a deep and diverse software assurance program that will enhance your approach to software security beyond the traditional compensatory security controls.
Booz Allen possesses the ability to design, develop, and deploy secure software, as well as verify the existence of weaknesses in systems. In addition to being a member of the Microsoft SDL Pro Network, Booz Allen is key participant in Open Web Application Security Project (OWASP), and has also supported the DHS Software Assurance (SwA) initiative since its inception (see Build Security In).
In order to help improve the software assurance community as a whole, Booz Allen leads and contributes to the development of application security standards and tools that are cornerstones of the industry as an organizational supporter of the OWASP. Booz Allen employs personnel that are valued players on the OWASP Application Security Verification Standard (ASVS) Project, OWASP Enterprise Security API (ESAPI) Project, OWASP Development Guide Project, and the OWASP Legal Project. These projects are utilized by multiple organizations throughout the world as a method to better implement software assurance.
