July 17, 2022

I have 2 assignments in this post. 1. Practical Connection Assignment (Subject: Principal Engineering) Provide a reflection of at least 500 words (or 2 pages double spaced) of how

I have 2 assignments in this post.

1. Practical Connection Assignment (Subject: Principal Engineering)

Provide a reflection of at least 500 words (or 2 pages double spaced) of how the knowledge, skills, or theories of this course have been applied or could be applied, in a practical manner to your current work environment. If you are not currently working, share times when you have or could observe these theories and knowledge could be applied to an employment opportunity in your field of study.

Requirements:

Provide a 500-words (or 2 pages double spaced) minimum reflection.

Use of proper APA formatting and citations. If supporting evidence from outside resources is used it must be properly cited.

Share a personal connection that identifies specific knowledge and theories from this course.

Demonstrate a connection to your current work environment. If you are not employed, demonstrate a connection to your desired work environment.

2. Individual Research Project (Topic: Microsoft SDL)

You will have an individual research paper on the topic your group has selected or been assigned. Your individual paper will be presented to your group as your contribution to the group paper and presentation. Your group will need to combine the material presented in the individual research papers provided to the group into a coherent research paper considerably longer than the individual paper.
A minimum of 5 pages and 5 references are required for your individual paper. Do not use the textbook as a reference. Do not copy and paste or quote from our textbook. Please note! Meeting the minimum requirements earns a passing grade, a C, in other words, on your individual paper depending on quality. If you want to earn a higher grade, you will need more pages, references, and/or better quality. Quantity (more pages and more references) does not necessarily equate to a higher grade. Poor quality can drag your grade down even if you meet the length requirements. Be sure you use Grammarly to both check your grammar and check for plagiarism.

SafeAssignOriginalityReport.pdf

7/16/22, 5:07 PM SafeAssign Originality Report

https://ucumberlands.blackboard.com/webapps/mdb-sa-BB5a31b16bb2c48/originalityReportPrint?course_id=_148647_1&paperId=5693803636&&attemptId=e7ec299a-10f2-46f3-ad57-8354e89c72c7&course_id=_148647_1 1/8

MICROSOFT SDL

1 MICROSOFT SECURITY DEVELOPMENT LIFECYCLE (SDL) STUDENT'S NAME:

Date: 07/16/2022

Contents

Introduction. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ….3

Microsoft SDL Stages. .. .. .. .. .. .. .. .. .. .. .. .. .. ..3

Microsoft SDL Practices. .. .. .. .. .. .. .. .. .. .. .. .. . …4

Threat Modelling. .. .. .. .. .. .. .. .. .. .. .. .. .. .. …6

Conclusion. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. 7

Introduction

The Microsoft SDL brings up features in security and privacy throughout the entire process and stages of the development cycle, and it helps developers to develop highly secure software; it also addresses the necessary security requirements and reduces the cost of development. 2 TO ACHIEVE THE BEST OUT OF MICROSOFT SDL, IT IS ESSENTIAL TO FOLLOW THE GUIDANCE, BEST PRACTICES, TOOLS, AND TECHNIQUES THAT ARE USED IN MICROSOFT SDL TO BUILD MORE SECURE PRODUCTS AND SERVICES (LIPNER). Since its launch in 2002, it has been upgraded and updated to fully comply with the current practices due to the growth in technology such as the cloud, Internet of Things (IoT), and Artificial intelligence.

The Microsoft SDL has become a crucial part of the software development process involving development, implementation, and improvement. It has also played an essential role in representing the strategic investment

http://safeassign.blackboard.com/

7/16/22, 5:07 PM SafeAssign Originality Report

in the security effort, which is an evolution in the software design process, development, and testing and has now grown into a well-defined methodology. The Microsoft SDL has continued to be a fundamental component of developing products and services, and with the growing technology, Microsoft has continued to evolve its practices.

Microsoft SDL Stages

The Microsoft SDL stages are broken down into seven phases: the training phase is a crucial step as the practice is considered a requirement to enable the implementation of SDL. The critical aspects in this stage are; 3 SECURE DESIGN, THREAT MODELING, APPLICATION OF BEST PRACTICES REGARDING SECURITY AND PRIVACY, AND SECURITY TESTING. ON THE OTHER HAND, THE REQUIREMENT STAGE COMPRISES THE SECURITY AND PRIVACY THAT THE END-USERS REQUIRE; this involves the creation of suitable quality mechanisms and performing security and privacy risk assessments. Then the design stage, which is the third stage, involves security and privacy issues which aid in reducing the risk of threats from the public (Lipner). 3 THIS WILL INCLUDE AN ANALYSIS OF THE ATTACK SURFACE AND THE EMPLOYMENT OF THREAT MODELING MECHANISMS WHICH HELP APPLY AN ORGANIZED APPROACH TO DEALING WITH THE THREAT CASES DURING THE DEVELOPMENT STAGES.

THE IMPLEMENTATION STAGE OF THE DESIGN INVOLVES THE APPLICATION OF APPROVED TOOLS AND INCLUDES AN ANALYSIS OF THE DYNAMIC RUN-TIME PERFORMANCE TO ANALYZE THE LIMITATIONS OF A SOFTWARE'S FUNCTIONALITY. Then the release stage involves the final review of the overall security techniques that have been integrated to ensure that the application meets the minimum security requirements; after the release stage, there will be the response stage, where implementation of the incident response plan takes place. This is a crucial stage as it protects the end-users from the application's vulnerabilities that can rise and tamper with the normal functioning of the application or the user processes.

Microsoft SDL Practices

The Security Development Lifecycle (SDL) is made up of a set of various practices that foster security compliance requirements and assurance. The SDL provides the developers a platform to design more secure programs by minimizing the number and severity of vulnerabilities. Some of the best practices of SDL include; the provision of training; although security is everyone's role, it is vital for software developers, test and service engineers should understand the basics of security and know how to establish the security mechanisms in the software's and products to enhance more security and at the same time address the organization needs and deliver the needs of the users efficiently (Eckhart, 2019, October). 2 PRACTICAL TRAINING WILL HELP COMPLEMENT AND REINFORCE SECURITY POLICIES, SDL BEST PRACTICES, STANDARDS, AND PROGRAM SECURITY REQUIREMENTS AND BE ESTABLISHED BY KNOWLEDGE DERIVED FROM THE COLLECTED DATA AND ADVANCED TECHNICAL CAPABILITIES.

Another critical SDL best practice is the definition of security requirements; consideration of security and privacy is crucial to establishing highly secured systems and applications irrespective of the design mechanisms employed. Security checks must be upgraded continually to meet the required changes in the needed functionalities in line with the potential threat involvement. The best time to establish security needs is during the early stages of planning and design development of the software. This will enable the software development team to include the security features and techniques to minimize disruption (Lipner). Some key factors that

7/16/22, 5:07 PM SafeAssign Originality Report

enhance the security requirements are; the legal and industry standards, the internal organization requirements and the coding techniques, and the commonly known threats. An in-built tracking system must trace these requirements.

Defining the metrics and compliance reporting is another best practice of Microsoft SDL. Establishing the minimum acceptable levels of the quality of security mechanisms is crucial to hold the developers and engineers accountable for meeting that criterion. Microsoft SDL enables the definition of these security aspects in the very early stages of development to help the team to understand the potential risks associated with the security issues and to, identify and fix any defect in the security features during the development stages and apply these principles throughout the entire project (Eckhart, 2019, October). 2 ALSO, WITH THE TECHNOLOGICAL ADVANCEMENT IN MOBILE PHONE TECHNOLOGY AND CLOUD COMPUTING, IT IS VERY CRUCIAL TO ENSURE ALL THE DATA, INCLUDING PERSONAL- SENSITIVE INFORMATION AND MANAGEMENT DATA, IS PROTECTED FROM SECURITY BREACH OR ALTERATION IN THE PROCESS OF STORAGE OR TRANSFER, HENCE MICROSOFT SDL PROVIDES DEFINITION AND USE OF CRYPTOGRAPHY STANDARDS THAT ARE TYPICALLY USED TO ACHIEVE THIS. THE GENERAL RULE OF GUIDANCE FOR TO USE AND IMPLEMENTATION OF ENCRYPTION IS TO ENSURE THAT ONLY USE OF INDUSTRY- VETTED ENCRYPTION TECHNIQUES AND LIBRARIES AND TO ENSURE THAT THEY ARE IMPLEMENTED IN A WAY THAT CAN BE EASILY REPLACED IF THE NEED ARISES.

Another best practice encouraged by Microsoft SDL is the use of approved tools. It defines and publishes a list of the supported devices and the associated security checks. Microsoft SDL enabled the developers and engineers to strive and use the latest versions of the approved tools and techniques to implement the new security functionalities and features to offer extra protection to the applications. Microsoft SDL also enhances the performance of dynamic analysis security testing (DAST), which enhances run-time verification of the fully compiled software functionality checks—using a tool to precisely monitor the software's behavior for any corruption of memory user-privilege concerns and any other crucial security concerns.

Performing penetration testing is another essential Microsoft SDL best practice as it allows for the performance of security analysis of an application system that is done by a security expert simulating the actions of a hacker (Eckhart, 2019, October). Penetration testing aims to identify any security vulnerabilities resulting from errors during software development stages. Microsoft SDL also develops the standard incident response process, and this is a crucial task that helps in addressing the new threat concerns that can emerge at any given time; the incident plan entails contacts that can be reached in cases of emergency and develop a protocol that will be used for security servicing, this plan must be tested before it is needed.

Threat Modelling

4 THREAT MODELING IS A CRUCIAL ASPECT OF MICROSOFT SDL. 1 IT IS AN ENGINEERING TECHNIQUE THAT CAN HELP IDENTIFY THREATS, ATTACKS, AND VULNERABILITIES AND PROVIDES MECHANISMS FOR COUNTERING THE DANGERS THAT COULD POTENTIALLY AFFECT THE SOFTWARE APPLICATION. 5 THREAT MODELING CAN BE USED IN SHAPING THE APPLICATION'S DESIGN TO MEET THE ORGANIZATION'S SECURITY GOALS AND OBJECTIVES AND MINIMIZE RISK; the five main steps involved in threat modeling are the definition of the security requirements, creation of an application diagram, identification of threats, mitigation of the identified threats and validation that the threats have been handled (Bygdås, 2021, June). This is and should be part of an organization's development cycle routine that will enable the organization to refine the threat model gradually and consistently, further reducing the risks.

7/16/22, 5:07 PM SafeAssign Originality Report

6 THE MICROSOFT THREAT MODELING TOOL MAKES THREAT MODELING MUCH EASIER FOR ALL SOFTWARE DEVELOPERS AND ENGINEERS THROUGH A STANDARD NOTATION THAT ENHANCES THE VISUALIZATION OF THE SYSTEM COMPONENTS, DATA FLOWS, AND SECURITY BOUNDARIES. 7 IT ALSO GREATLY AIDS THE THREAT MODELERS IN IDENTIFYING THE CLASSES OF THE TREATS THEY SHOULD CONSIDER BASED ON THE STRUCTURE OF THEIR APPLICATION DESIGN; Microsoft SDL designed the tool to be used by everyone, even if one is a non-security expert, which will enable the threat modeling to become much easier for all the software developers by giving a clear guidance o establishing and analysis of the threat models (Bygdås, 2021, June).

Conclusion

The threat modeling tools enable any developer to achieve the following three aspects: communicate on the security design of their systems, perform analysis of the strategies for any threat in security issues using proven techniques and give suggestions and manage mitigations for security issues.

References

Lipner, SB 3 Overview of Talks 3.1 Experience with the Microsoft Security Development Lifecycle. Empirical Evaluation of Secure Development Processes, 5.

Bygdås, E., Jaatun, L. A., Antonsen, S. B., Ringen, A., & Eiring, E. (2021, June). 8 EVALUATING THREAT MODELING TOOLS: 6 MICROSOFT TMT VERSUS OWASP THREAT DRAGON. 9 IN 2021 INTERNATIONAL CONFERENCE ON CYBER SITUATIONAL AWARENESS, DATA ANALYTICS AND ASSESSMENT (CYBERSA) (PP. 1-7). IEEE.

10 ECKHART, M., EKELHART, A., LÜDER, A., BIFFL, S., & WEIPPL, E. (2019, October). 10 SECURITY DEVELOPMENT LIFECYCLE FOR CYBER-PHYSICAL PRODUCTION SYSTEMS. IECON 2019-45TH ANNUAL CONFERENCE OF THE IEEE INDUSTRIAL ELECTRONICS SOCIETY (VOL. 1, pp. 3004-3011). IEEE.

Hertzum, M. (2020). Usability Testing: 11 A PRACTITIONER'S GUIDE TO EVALUATING THE USER EXPERIENCE. SYNTHESIS LECTURES ON HUMAN-CENTERED INFORMATICS, 13(1), I-105.

Eck, M. L. 11 V., MARKSLAG, E., SIDOROVA, N., BROSENS-KESSELS, A., & VAN DER AALST, W. M. (2018, September). 11 DATA-DRIVEN USABILITY TEST SCENARIO CREATION. IN THE INTERNATIONAL CONFERENCE ON HUMAN-CENTRED SOFTWARE ENGINEERING (PP. 88- 108). Springer, Cham.

7/16/22, 5:07 PM SafeAssign Originality Report