I bought Michael Howard
's and Steve Lipner's book The Security Development Lifecycle
here at TechEd 2006 today. Michael has a description and purpose of the book as well as a table of contents on his blog
One thing I noticed immediately is the list of Threat Tree Patterns in its own chapter. I remember I had a question about these at one of my talks
on Threat Modeling as I included a slide from one of Michael's decks that mentioned this concept. Threat Tree Patterns really help in the modeling process as these are well known and common types of threat scenarios to look for in your application. Previously, with the DREAD style
, you had to think of these yourself, and if you weren't a security expert you might miss several things. So, it helps to look at the patterns. Unfortunately, these patterns weren't readily available at the time, but now they are finally added to this book. Great!
I have read several SDL papers over the last couple of years and watched how Microsoft has fine-tuned the process. I think this will be a great read for every developer as they think through applying secure development at every stage of the software development lifecycle.