
Manual Integration of the SDL Process Template

Manually integrating key elements of the SDL Process Template into an existing Visual Studio Team System project

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form, by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. © 2009 Microsoft Corporation. All rights reserved. Microsoft, SharePoint, SQL Server, Visio, Visual Basic, Visual C#, Visual C++, Visual Studio, and the Visual Studio logo are trademarks of the Microsoft group of companies. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


CONTENTS
Objectives
Overview
Required SDL features to integrate
Step-by-step manual integration
Step 1: Setting up your Team Server with team projects
Step 2: Migrating SDL Tasks work item types and work items
Step 3: Move SDL-specific queries
Step 4: Migrating the list of SDL Task Work Items
Step 5: Migrating SDL Check-in Policies
Step 6: Integrate SDL Final Security Report and related reports
Step 7: Additional Documentation (not required)
In Conclusion


OBJECTIVES
- Identify the key features of the SDL Process Template that are necessary for integrating the SDL into your project.
- Provide the steps necessary for manually integrating those features into an existing VSTS team project.

OVERVIEW
Cybercriminals are increasingly attacking applications, and these attacks are extremely costly for organizations. Considering the risk and the impact of security incidents, it is critical to develop software applications with security in mind. It is very beneficial to make security an integral part of software development so that security problems are eliminated as early as possible in the software development process. This whitepaper will enable you to implement the SDL on top of your existing team project created using a non-SDL template (e.g. Agile, Scrum). Adoption of the Microsoft Security Development Lifecycle (SDL) has been simplified with the release of the SDL Process Template for Visual Studio Team System (VSTS). This paper outlines the steps for manually extracting the key elements of the SDL Process Template and integrating them into an existing Team Project. By completing each of these manual steps, you will have integrated the key elements of the SDL into your project and will be ready to implement security best practices in your code.

REQUIRED SDL FEATURES TO INTEGRATE


The SDL Process Template is intended to help application developers write more secure code. To effectively accomplish this purpose, your project must contain all of the critical components of the Security Development Lifecycle itself. If your objective is to write your code using the policies of the SDL, you must include all of the following features when extracting SDL elements from the SDL Process Template.
1. SDL Work Item Types: all of the customized work item types that the SDL Process Template uses to create requirements, enforce policies, and enable reporting.
2. SDL Requirements and Recommendations: all SDL Tasks, to ensure all SDL Requirements and Recommendations are completed.
3. SDL Check-in Policies: enforceable policies to verify that the compiler/linker flag protections in Visual Studio are used.
4. SDL Reporting: to verify progress toward completing all SDL Tasks and provide an auditable assessment of your software's security.
5. SDL Documents (optional): the supporting document libraries from the SDL Process Template.


STEP-BY-STEP MANUAL INTEGRATION


Visual Studio Team System allows you to manually migrate each of these SDL elements and reintegrate them into your existing team project. The following details are intended to walk you through the necessary steps in this migration process. By following these steps, you should be able to integrate the SDL into your existing Visual Studio Team System project.

STEP 1: SETTING UP YOUR TEAM SERVER WITH TEAM PROJECTS


To ensure you are able to manually integrate individual components of the SDL Process Template into your new team project, you will first need to create a dummy team project on Team Foundation Server by installing the SDL Process Template. This team project will sit beside your real team project and allow you to copy over components of the SDL Template.
1. After downloading the SDL Process Template, upload it into your Team Foundation Server via the Process Template Manager (Menu | Team | Team Foundation Server Settings | Process Template Manager).
2. With the SDL Process Template in place, create a New Team Project using that template. For this whitepaper, we will name that new team project SDL Evolution.
3. You will then either create or Add an Existing Team Project that represents the project you will be using for your development lifecycle. For this whitepaper, we will name this team project SDL-Agile Manual Test.
NOTE: Although we are using the term SDL-Agile in this scenario, the manual integration is not limited to Agile-based projects. In addition, manual integration of the SDL elements into your project does not automatically align your SDL implementation with Agile. Additional manual work would need to be done to streamline security practices for Agile development.
Once both of these are in place, you are ready to start migrating items from the SDL Process Template into your project.
NOTE: You will need to repeat these manual processes each time you create a new team project.


STEP 2: MIGRATING SDL TASKS WORK ITEM TYPES (.WIT FILES) AND WORK ITEMS
Visual Studio Team System provides a set of useful tools within the project to manage the import and export of work items. The tools are called WITimport and WITexport (Menu | Tools | Process Editor | Work Item Types).
NOTE to Team Foundation Server (TFS) 2010 users: If you are trying to migrate this content into a project based on TFS 2010, you will need to use Process Template Editor 2010 to connect to TFS 2010.

1. Export Work Item Types (.WIT) from the SDL Process Template
- Create a folder on your local machine to save the exported WITs
- Navigate to Export WIT (as seen above)
- Select the SDL-based project from the drop-down
- Select the specific Work Item Types you want to export
- Save them in the designated folder


NOTE: To integrate the SDL into your project, export the following work item types:
- Bug: the host work item type that contains all of the security-specific fields for tracking
- SDL Task: the host work item type for SDL requirements and recommendations
- Security Code Review: a recommendation for the SDL; it can be imported if you choose to implement this feature in your SDL-based project.

2. Import Work Item Types (WIT) into your New Team Project
- Navigate to WIT Import as described above
- Browse to the location where you saved the exported WITs
- Select your target Team Project
- Click OK


After importing all SDL-based Work Item Types, your new Team Project should now accommodate the specific work items from the SDL Process Template. If an existing Work Item Type in your project has the same name as an SDL Process Template WIT, you will need to go into the Process Template Editor and manually rename the Work Item Type to something different (e.g. a Bug in the SDL Process Template could be renamed Security Bug).
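The export, name-collision check and rename that Step 2 walks through in the Process Editor dialogs, as an added example that is not part of this whitepaper: it builds the equivalent witexport/witimport command lines (the TFS 2008 command-line tools the dialogs wrap), reads the type name from an exported WITD XML file, renames a type whose name the target project already uses (Bug becomes Security Bug) and builds the import command. The server name tfs01, the file names and the trimmed sample WITD are constructed placeholders; the project names are the ones this whitepaper uses.

```python
# Added example (not from the whitepaper): stage SDL work item type definitions
# for import into an existing team project, renaming any type whose name the
# target project already uses (Bug -> Security Bug), as Step 2 requires.
import xml.etree.ElementTree as ET

WITD_NS = "http://schemas.microsoft.com/VisualStudio/2005/workitemtracking/typedef"
ET.register_namespace("witd", WITD_NS)  # keep the witd: prefix when re-serialising

# Constructed sample in the shape witexport writes, trimmed to the parts used here.
SAMPLE_BUG_WITD = f"""<witd:WITD application="Work item type editor" version="1.0" xmlns:witd="{WITD_NS}">
  <WORKITEMTYPE name="Bug">
    <DESCRIPTION>Bug carrying the SDL security-tracking fields</DESCRIPTION>
    <FIELDS>
      <FIELD name="Title" refname="System.Title" type="String"><REQUIRED /></FIELD>
    </FIELDS>
  </WORKITEMTYPE>
</witd:WITD>"""


def witexport_cmd(server, project, type_name, path):
    """witexport /f FileName /t TeamFoundationServer /p Project /n TypeName (TFS 2008)."""
    return f'witexport /f "{path}" /t {server} /p "{project}" /n "{type_name}"'


def witimport_cmd(server, project, path):
    """witimport /f FileName /t TeamFoundationServer /p Project (TFS 2008)."""
    return f'witimport /f "{path}" /t {server} /p "{project}"'


def work_item_type_name(witd_xml):
    """Name declared by the WORKITEMTYPE element of an exported definition."""
    return ET.fromstring(witd_xml).find("WORKITEMTYPE").get("name")


def rename_work_item_type(witd_xml, new_name):
    """Return the definition with its WORKITEMTYPE name attribute replaced."""
    root = ET.fromstring(witd_xml)
    root.find("WORKITEMTYPE").set("name", new_name)
    return ET.tostring(root, encoding="unicode")


def plan_import(exports, existing_types, server, project, prefix="Security "):
    """exports: {file path: WITD xml}; existing_types: names already defined in
    the target project. Returns (final name, xml to write, import command) per file."""
    plan = []
    for path, xml in exports.items():
        name = work_item_type_name(xml)
        if name in existing_types:  # same name as an existing type: rename first
            name = prefix + name
            xml = rename_work_item_type(xml, name)
        plan.append((name, xml, witimport_cmd(server, project, path)))
    return plan


if __name__ == "__main__":
    # Assumed names: server tfs01, source project SDL Evolution,
    # target project SDL-Agile Manual Test (the whitepaper's example names).
    print(witexport_cmd("tfs01", "SDL Evolution", "Bug", "Bug.xml"))
    for name, xml, cmd in plan_import({"Bug.xml": SAMPLE_BUG_WITD}, {"Bug", "Task"},
                                      "tfs01", "SDL-Agile Manual Test"):
        print(name, "->", cmd)
```

Write each planned XML back to its file before running the printed witimport command; a type that did not collide is imported under its original name.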

STEP 3: MOVE SDL-SPECIFIC QUERIES


To accommodate better tracking of security-related work items, we created several unique queries in the SDL Process Template. These queries will help you track and triage the security issues your project produces. Now that you have SDL-based Work Item Types in place, the queries to track them can be easily exported and reused.
1. Go to Team Explorer in your team project
2. In your SDL Evolution project, expand the Work Item | Team Query folder in Team Explorer
3. Then using drag/drop, select and drop the queries from one query list into another.

We recommend that you copy over all of the SDL-related queries to ensure all of the reporting functionality in the Final Security Report is enabled:
- All Pending Security Code Reviews (if you choose to copy over Security Code Review work items)
- All SDL Tasks
- All Security Bugs
- Closed Security Bugs
- My Resolved Code Reviews
- Open and Blocking Security Bugs
- Open SDL Tasks
- Open Security Bugs
- Resolved Security Bugs
- SDL Exception Security Bugs

STEP 4: MIGRATING THE LIST OF SDL TASK WORK ITEMS


Once you have copied the work item type into your new project, you will need to copy over all of the SDL Task work items that define the requirements and recommendations of the SDL. This is a fairly straightforward process once the .WIT for SDL Task work items is in place. Because Team Explorer does not handle bulk copy/paste actions and will not resolve any existing column differences between two projects, you need to use MS Excel or MS Project to bulk copy SDL Task Work Items into your team project. In this exercise, we use Excel. NOTE: The below process will apply for copying over any existing query from one Team Project into another. However, you must pay attention to include all Required columns in Step 5 below.

1. In Team Explorer, open the Team Queries folder in each of your projects
2. Right click on the All SDL Tasks query in Team Explorer and select Open in Microsoft Excel
3. Each query should open in Microsoft Excel (your project will be empty; the SDL Evolution project will be fully populated with work items)
4. In Excel, navigate to the Team tab and click on Choose Columns
5. Move the Work Item Type column over to the Selected columns and click OK
NOTE: Your work item type may have additional Required columns. Select each of these and move them over to the Selected columns section to avoid errors when publishing them back to the server.


6. Copy the SDL Work Items from one spreadsheet and paste them into the spreadsheet representing your project
7. You will need to manually fill in the blank columns to resolve any conflicts
8. Manually edit the Iteration Path column to match the specific iteration types in your project
9. Select Publish

You can now return to Team Explorer and refresh the query. All SDL Tasks should be populated as work items ready to triage.

STEP 5: MIGRATING SDL CHECK-IN POLICIES


The SDL Check-in Policies are a vital piece of the SDL Process Template. These policies ensure that your developers take advantage of the compiler/linker flag protections Visual Studio already contains. If enabled, these flags will catch many of the common and most vulnerable security flaws in your code before you ship your product. Because the SDL Process Template has been installed on the same Team Foundation Server as your new Team Project, the SDL Check-in Policies are already associated with your Source Control settings of all Team Projects residing on that Team Foundation Server.

1. Within your new Team Project, navigate to Source Control (Menu | Team | Team Project Settings | Source Control)

2. Select the SDL check-in policies and click OK

Video: How to improve your check-in process

STEP 6: INTEGRATE SDL FINAL SECURITY REPORT AND RELATED CHART REPORTS
The SDL Final Security Review is a critical piece of the SDL Release Phase. The Final Security Report in the SDL Process Template simplifies tracking of progress toward security objectives as well as provides an end-of-project auditable review of your product's state of security. It is important to ensure these reports are copied over into your new team project to complete the final pieces of your SDL adoption.
1. Navigate to your SQL Server Reporting Services home page: http://[servername]/Reports
2. On the Contents tab, open your new team project
3. Select Upload File

4. In the File to upload field, browse to the location where you installed the SDL Process Template and navigate to the Reports folder. If installed in the default location this will be: C:\Program Files\Microsoft Security Development Lifecycle (SDL) Template - v4.0\Process Template\Reports
5. Select the report (.rdl file) you want to upload and then, back in the SQL Server Reporting Services page, select OK.


6. You will need to copy all of the SDL Process Template reports to ensure that all of the included reports in the SDL Final Security Report are enabled. This includes:
- Final Security Report.rdl
- RequirementsChart.rdl
- Security Bugs.rdl
- SecurityBugChart.rdl
- ToolbugChart.rdl

7. Open each of the reports you copied and re-associate them with the appropriate data sources
   a. After clicking on the report, you will get an error message: "The report server cannot process the report. The data source connection information has been deleted. (rsInvalidDataSourceReference)"
   b. Click on the Properties tab
   c. Select Data Sources from the left column
   d. Select A shared data source and then Browse
   e. Under your project, select the location /TfsReportDS and then OK
   f. Back in the Data Sources page, if there is an additional Data Source called TfsOlapReportDS, repeat steps c-e above
   g. Finally, scroll to the bottom of the Data Sources page and select Apply
8. Close Report Manager and return to Team Explorer
9. Refresh your Reports folder and the new SDL reports should appear.
NOTE: Depending on the refresh rate you have set on your SQL Server, the updated content may not refresh immediately.

STEP 7: ADDITIONAL DOCUMENTATION (NOT REQUIRED)


If you want to copy any of the SDL-related documents into your Documents folder, you can handle this file-by-file transfer either within SharePoint or even within Team Explorer by using drag-drop.


1. If you want to designate a specific SDL folder, right click on the Documents folder in your team project and select New Document Library
2. Name your new document library as appropriate (e.g. SDL Docs)
3. Now you can simply drag and drop the individual documents from the SDL Process Template Document library into your new team project.

IN CONCLUSION
By completing each of these steps, you should have complete integration of all key components of the SDL Process Template into your own team project. Because of the manual nature of this process, there may be some unique issues that you encounter in your environment that will need to be worked through based on your project. However, the core features of the SDL Process Template should now be in place for you to begin adopting the requirements, policies, and reporting elements associated with more secure software development.
