Manually integrating key elements of the SDL Process Template into an existing Visual Studio Team System project
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form, by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. 2009 Microsoft Corporation. All rights reserved. Microsoft, SharePoint, SQL Server, Visio, Visual Basic, Visual C#, Visual C++, Visual Studio, and the Visual Studio logo are trademarks of the Microsoft group of companies. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
CONTENTS
Contents
Objectives
Overview
Required SDL features to integrate
Step-by-step manual integration
Step 1: Setting up your Team Server with team projects
Step 2: Migrating SDL Tasks work item types and work items
Step 3: Move SDL-specific queries
Step 4: Migrating the list of SDL Task Work Items
Step 5: Migrating SDL Check-in Policies
Step 6: Integrate SDL Final Security Report and related reports
Step 7: Additional Documentation (not required)
In Conclusion
OBJECTIVES
• Identify the key features of the SDL Process Template that are necessary for integrating the SDL into your project.
• Provide the steps necessary for manually integrating those features into an existing VSTS team project.
OVERVIEW
Cybercriminals are increasingly attacking applications, and these attacks are extremely costly for organizations. Considering the risk and the impact of security incidents, it is critical to develop software applications with security in mind. Making security an integral part of software development lets you eliminate security problems as early as possible in the development process. This whitepaper will enable you to implement the SDL on top of an existing team project that was created using a non-SDL template (e.g., Agile or Scrum). Adoption of the Microsoft Security Development Lifecycle (SDL) has been simplified with the release of the SDL Process Template for Visual Studio Team System (VSTS). This paper outlines the steps for manually extracting the key elements of the SDL Process Template and integrating them into an existing Team Project. By completing each of these manual steps, you will have integrated the key elements of the SDL into your project and will be ready to implement security best practices in your code.
STEP 2: MIGRATING SDL TASKS WORK ITEM TYPES (.WIT FILES) AND WORK ITEMS
Visual Studio Team System provides a set of useful tools within the project to manage the import and export of work items. The tools are called WITimport and WITexport (Menu | Tools | Process Editor | Work Item Types).
NOTE to Team Foundation Server (TFS) 2010 users: If you are trying to migrate this content into a project based on TFS 2010, you will need to use Process Template Editor 2010 to connect to TFS 2010.
1. Export Work Item Types (.WIT) from the SDL Process Template
• Create a folder on your local machine to save the exported WITs
• Navigate to Export WIT (as seen above)
• Select the SDL-based project from the drop-down
• Select the specific Work Item Types you want to export
• Save them in the designated folder
NOTE: To integrate the SDL into your project, export the following work item types:
• Bug: the host work item type that contains all of the security-specific fields for tracking
• SDL Task: the host work item type for SDL requirements and recommendations
• Security Code Review: a recommendation for the SDL; it can be imported if you choose to implement this feature in your SDL-based project
2. Import Work Item Types (WIT) into your New Team Project
• Navigate to WIT Import as described above
• Browse to the location where you saved the exported WITs
• Select your target Team Project
• Click OK
After importing all SDL-based Work Item Types, your new Team Project should now accommodate the specific work items from the SDL Process Template. If an existing Work Item Type in your project has the same name as an SDL Process Template WIT, you will need to go into the Process Template Editor and manually rename the Work Item Type to something different (e.g., a Bug in the SDL Process Template could be renamed Security Bug).
• My Resolved Code Reviews
• Open and Blocking Security Bugs
• Open SDL Tasks
• Open Security Bugs
• Resolved Security Bugs
• SDL Exception Security Bugs
1. In Team Explorer, open the Team Queries folder in each of your projects
2. Right-click on the All SDL Tasks query in Team Explorer and select Open in Microsoft Excel
3. Each query should open in Microsoft Excel (your project will be empty; the SDL Evolution will be fully populated with work items)
4. In Excel, navigate to the Team tab and click on Choose Columns
5. Move the Work Item Type column over to the Selected columns and click OK
NOTE: your work item type may have additional Required columns. Select each of these and move them over to the Selected columns section to avoid errors when publishing them back to the server
6. Copy the SDL Work Items from one spreadsheet and paste them into the spreadsheet representing your project
7. You will need to manually fill in the blank columns to resolve any conflicts
8. Manually edit the Iteration Path column to match the specific iterations in your project
9. Select Publish
You can now return to Team Explorer and refresh the query. All SDL Tasks should be populated as work items ready to triage.
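Two of the checks above are easy to get wrong by hand: the Step 2 note about renaming a work item type whose name collides with one already in your project, and the Step 4 note about selecting every Required column in Excel before publishing. The script below is an added example, not code from the whitepaper or from the SDL Process Template: it reads exported work item type definition XML files and reports name collisions between the SDL export and your project's export, shows how a colliding type can be renamed before import (Bug to Security Bug, as the note suggests), and lists the REQUIRED fields of each SDL type so you know which columns to select. The witd namespace and the WORKITEMTYPE/FIELDS/FIELD/REQUIRED element names are assumed from the TFS 2008 type definition schema; the field names and refnames in the sample definitions are constructed placeholders, and check_folders takes hypothetical folder paths.

```python
"""Pre-flight checks for the WIT migration (Step 2) and the Excel copy (Step 4).

Constructed example; not code from the whitepaper or the SDL Process Template.
Assumptions: the witd root namespace and the WORKITEMTYPE/FIELDS/FIELD/REQUIRED
element names follow the TFS 2008 typedef schema; sample fields are made up.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

WITD_NS = "http://schemas.microsoft.com/VisualStudio/2005/workitemtracking/typedef"


def _wit_xml(type_name, fields):
    """Build a minimal WIT definition; fields is a list of (name, refname, required)."""
    field_xml = "".join(
        f'<FIELD name="{n}" refname="{r}" type="String">{"<REQUIRED />" if req else ""}</FIELD>'
        for n, r, req in fields
    )
    return (
        f'<witd:WITD application="Work item type editor" version="1.0" xmlns:witd="{WITD_NS}">'
        f'<WORKITEMTYPE name="{type_name}"><FIELDS>{field_xml}</FIELDS></WORKITEMTYPE></witd:WITD>'
    )


# Constructed sample exports (field names/refnames are placeholders, not SDL's real ones)
SDL_BUG_WIT = _wit_xml("Bug", [
    ("Title", "System.Title", True),
    ("Security Cause", "Example.SDL.SecurityCause", True),
    ("Security Effect", "Example.SDL.SecurityEffect", False),
])
SDL_TASK_WIT = _wit_xml("SDL Task", [
    ("Title", "System.Title", True),
    ("SDL Phase", "Example.SDL.Phase", True),
])
SDL_WITS = [SDL_BUG_WIT, SDL_TASK_WIT]
PROJECT_WITS = [                                        # what an Agile-template project exports
    _wit_xml("Bug", [("Title", "System.Title", True)]),
    _wit_xml("Task", [("Title", "System.Title", True)]),
]


def parse_wit(xml_text):
    """Return (type name, [names of REQUIRED fields]) for one definition."""
    root = ET.fromstring(xml_text)
    wit = root.find("WORKITEMTYPE")   # child elements carry no namespace prefix
    if wit is None:
        raise ValueError("not a work item type definition: no WORKITEMTYPE element")
    required = [f.get("name") for f in wit.iter("FIELD") if f.find("REQUIRED") is not None]
    return wit.get("name"), required


def find_collisions(sdl_wits, project_wits):
    """Type names defined on both sides; importing these would overwrite the project's type."""
    sdl_names = {parse_wit(x)[0] for x in sdl_wits}
    project_names = {parse_wit(x)[0] for x in project_wits}
    return sorted(sdl_names & project_names)


def rename_wit(xml_text, new_name):
    """Return the definition with the type renamed (the Step 2 note's Bug -> Security Bug)."""
    ET.register_namespace("witd", WITD_NS)
    root = ET.fromstring(xml_text)
    root.find("WORKITEMTYPE").set("name", new_name)
    return ET.tostring(root, encoding="unicode")


def required_columns(wits):
    """Map each type name to the columns Excel needs selected before Publish (Step 4 note)."""
    return dict(parse_wit(x) for x in wits)


def check_folders(sdl_dir, project_dir):
    """Run both checks over two folders of exported definitions (hypothetical paths)."""
    read = lambda d: [p.read_text(encoding="utf-8") for p in Path(d).glob("*.xml")]
    sdl, proj = read(sdl_dir), read(project_dir)
    return {"collisions": find_collisions(sdl, proj), "required": required_columns(sdl)}


if __name__ == "__main__":
    print("name collisions:", find_collisions(SDL_WITS, PROJECT_WITS))
    for name, cols in required_columns(SDL_WITS).items():
        print(f"{name}: select columns {cols} in Excel before publishing")
```

Run it as-is to see the constructed case (the SDL Bug collides with the Agile Bug); point check_folders at the two export folders from Step 1 to run the same checks on real definitions.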
1. Within your new Team Project, navigate to Source Control (Menu | Team | Team Project Settings | Source Control)
STEP 6: INTEGRATE SDL FINAL SECURITY REPORT AND RELATED CHART REPORTS
The SDL Final Security Review is a critical piece of the SDL Release Phase. The Final Security Report in the SDL Process Template simplifies tracking of progress toward security objectives and provides an end-of-project auditable review of your product's state of security. It is important to ensure these reports are copied over into your new team project to complete the final pieces of your SDL adoption.
1. Navigate to your SQL Server Reporting Services home page: http://[servername]/Reports
2. On the Contents tab, open your new team project
3. Select Upload File
4. In the File to upload field, browse to the location where you installed the SDL Process Template and navigate to the Reports folder. If installed in the default location this will be: C:\Program Files\Microsoft Security Development Lifecycle (SDL) Template - v4.0\Process Template\Reports
5. Select the report (.rdl file) you want to upload, then back in the SQL Server Reporting Services page select OK.
6. You will need to copy all of the SDL Process Template reports to ensure that all of the reports included in the SDL Final Security Report are enabled. This includes:
• Final Security Report.rdl
• RequirementsChart.rdl
• Security Bugs.rdl
• SecurityBugChart.rdl
• ToolbugChart.rdl
7. Open each of the reports you copied and re-associate them with the appropriate data sources
a. After clicking on the report, you will get an error message: The report server cannot process the report. The data source connection information has been deleted. (rsInvalidDataSourceReference)
b. Click on the Properties tab
c. Select Data Sources from the left column
d. Select A shared data source and then Browse
e. Under your project, select the location /TfsReportDS and then OK
f. Back in the Data Sources page, if there is an additional Data Source called TfsOlapReportDS, repeat steps c-e above for it
g. Finally, scroll to the bottom of the Data Sources page and select Apply
8. Close Report Manager and return to Team Explorer
9. Refresh your Reports folder and the new SDL reports should appear.
NOTE: Depending on the refresh rate you have set on your SQL Server, the updated content may not refresh immediately
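Step 7 has you fix each uploaded report's data source binding by hand, and sub-step f only applies to reports that also reference TfsOlapReportDS. The script below is an added example, not code from the whitepaper or the SDL Process Template: it reads the .rdl files before you upload them and lists, per report, the shared data source references that will need re-associating (so you know in advance which reports need sub-step f), and it flags any report whose data source is embedded in the file (a ConnectionProperties block with its own connect string) rather than shared, because such a report cannot be pointed at /TfsReportDS through the Data Sources page and may carry connection details you did not intend to upload. The RDL namespace is ignored so any schema version is accepted; the DataSources/DataSource/DataSourceReference/ConnectionProperties element names are assumed from the RDL schema, and the sample report bodies (including which reports use the OLAP source) are constructed, with only the file names taken from the list above.

```python
"""Inventory the data sources each SDL report expects before uploading it (Step 7).

Constructed example; not code from the whitepaper or the SDL Process Template.
Assumptions: element names follow the RDL schema (any namespace version);
the sample report contents are made up, only the file names come from the paper.
"""
import xml.etree.ElementTree as ET

RDL_NS = "http://schemas.microsoft.com/sqlserver/reporting/2005/01/reportdefinition"


def _rdl(*sources):
    """Build a minimal report; each source is (Name, shared reference) or (Name, None) for embedded."""
    ds = ""
    for name, ref in sources:
        body = (f"<DataSourceReference>{ref}</DataSourceReference>" if ref
                else "<ConnectionProperties><DataProvider>SQL</DataProvider>"
                     "<ConnectString>Data Source=tfs;Initial Catalog=TfsWarehouse</ConnectString>"
                     "</ConnectionProperties>")
        ds += f'<DataSource Name="{name}">{body}</DataSource>'
    return f'<Report xmlns="{RDL_NS}"><DataSources>{ds}</DataSources><Body /></Report>'


# Constructed sample uploads (which reports use the OLAP source is made up here)
REPORTS = {
    "Final Security Report.rdl": _rdl(("TfsReportDS", "/TfsReportDS"),
                                      ("TfsOlapReportDS", "/TfsOlapReportDS")),
    "SecurityBugChart.rdl": _rdl(("TfsReportDS", "/TfsReportDS")),
    "LocalCopy.rdl": _rdl(("TfsReportDS", None)),   # saved with an embedded connection
}


def _local(tag):
    """Strip the XML namespace so any RDL schema version matches."""
    return tag.rpartition("}")[2]


def data_sources(rdl_text):
    """Return [(name, shared_reference_or_None)] for every DataSource in the report."""
    root = ET.fromstring(rdl_text)
    found = []
    for el in root.iter():
        if _local(el.tag) != "DataSource":
            continue
        ref = next((c.text for c in el if _local(c.tag) == "DataSourceReference"), None)
        found.append((el.get("Name"), ref))
    return found


def reassociation_plan(reports):
    """Map report file -> shared references to re-associate and embedded sources to review."""
    plan = {}
    for fname, text in reports.items():
        sources = data_sources(text)
        plan[fname] = {
            "shared": [ref for _, ref in sources if ref],
            "embedded": [name for name, ref in sources if not ref],
        }
    return plan


if __name__ == "__main__":
    for fname, p in reassociation_plan(REPORTS).items():
        steps = {0: "none", 1: "c-e"}.get(len(p["shared"]), "c-f")
        print(f"{fname}: shared {p['shared']} (sub-steps {steps}); embedded {p['embedded']}")
```

Replace REPORTS with the files read from the Reports folder named in step 4 to get the plan for the real uploads; a non-empty "embedded" list is the case to review before uploading.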
1. If you want to designate a specific SDL folder, right-click on the Documents folder in your team project and select New Document Library
2. Name your new document library as appropriate (e.g., SDL Docs)
3. Now you can simply drag and drop the individual documents from the SDL Process Template Document library into your new team project.
IN CONCLUSION
By completing each of these steps, you should have complete integration of all key components of the SDL Process Template into your own team project. Because of the manual nature of this process, there may be some unique issues that you encounter in your environment that will need to be worked through based on your project. However, the core features of the SDL Process Template should now be in place for you to begin adopting the requirements, policies, and reporting elements associated with more secure software development.