What is Threat Analysis and Modeling?

OK. I'll revise what I said in an earlier post about this tool. You shouldn't change your vocabulary to Secure Development Lifecycle--but you definitely need to add it to your development practices. Security should start at the envisioning phase and proceed all the way to deployment. How many times has an application been created where the deployment had to be insecure because of the way the developers put it together? As a consultant, I've seen developers use “SA” for the SQL connection, just because it was easier. I worked for a company that purchased a software package for $30,000 that required the “SA” password to be something specific--when we saw that it was because that password was coded 138 times in the app, we knew why--and asked for our money back.

Face it, developers are sloppy when they consistently develop with “God-mode” privileges. I know “least-privilege” is hard to work with in development environments sometimes, but that doesn't mean you can get sloppy. Do I use least privilege--depends on what the client gives me--it often depends on what they are already locked into because they do everything as “Administrator.” It's no wonder XSS and SQL Injection are such critical problems when they amount to “God-like” access.
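A check for the two habits described in the paragraphs above (connecting as “SA” and hardcoding its password in source), as an added example that is not part of the original post. The C# sample lines, server name and login names are constructed, and the check assumes the SQL Server connection-string keywords `User ID`/`UID` and `Password`/`PWD`.

```python
import re
from collections import Counter

# Quoted string literals that look like connection strings (assumed heuristic).
LITERAL = re.compile(r'"([^"\n]*(?:Data Source|Server)\s*=[^"\n]*)"', re.I)
# key=value pairs separated by semicolons inside one connection string.
PAIR = re.compile(r"\s*([^=;]+?)\s*=\s*([^;]*)\s*(?:;|$)")

USER_KEYS = ("user id", "uid")
PASS_KEYS = ("password", "pwd")


def parse(conn):
    """Split a connection string into a dict with lower-cased keys."""
    return {k.strip().lower(): v.strip() for k, v in PAIR.findall(conn)}


def audit(source_text):
    """Return (line number, rule) for every risky connection string literal."""
    findings = []
    for lineno, line in enumerate(source_text.splitlines(), 1):
        for match in LITERAL.finditer(line):
            kv = parse(match.group(1))
            user = next((kv[k] for k in USER_KEYS if k in kv), None)
            if user is not None and user.lower() == "sa":
                findings.append((lineno, "sa-login"))
            # A non-empty password value means the secret lives in source.
            if any(kv.get(k) for k in PASS_KEYS):
                findings.append((lineno, "hardcoded-password"))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. how many times a password is coded in."""
    return dict(Counter(rule for _, rule in findings))


# Constructed sample source, not taken from any real application.
SAMPLE = '''
var a = new SqlConnection("Server=db01;Database=Orders;User ID=sa;Password=Example123!;");
var b = new SqlConnection("Data Source=db01;Initial Catalog=Orders;Integrated Security=SSPI;");
var c = new SqlConnection("Server=db01;Database=Orders;uid=orders_app;pwd=" + secret + ";");
'''

if __name__ == "__main__":
    results = audit(SAMPLE)
    for lineno, rule in results:
        print(f"line {lineno}: {rule}")
    print(summarize(results))
```

Only the first sample line is flagged: the second uses integrated security, and the third uses a dedicated login whose password is supplied at run time.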

Check out this video for a walkthrough of the new MS Tool for threat modeling. Keep in mind that the threat analysis tool that Microsoft has created is technology agnostic. If you wanted to create rule-sets for Java applications--you can. Additionally, a community effort is being promoted to create rule files and relevancy mapping for the process.

Posted on Monday, March 13, 2006 12:30 PM
