VMworld

VMware's Secure Software Development Lifecycle

Created on: Aug 31, 2009 4:14 PM by VMworld Team - Last Modified:  Sep 17, 2009 3:25 PM by VMworld Team

Session Details

Session ID:

TA2543

Session Title:

VMware's Secure Software Development Lifecycle

Session Abstract:

VMware's Secure Software Development Lifecycle (SSDL), established by the Software Security Group, is based on a set of industry-proven practices combined with insight from VMware's own security researchers. The SSDL is an integral part of VMware's overall Software Development Lifecycle. Its goal is to achieve product releases that are secure by design. The lifecycle definition covers Training, Architecture Risk Analysis/Threat Modeling, Best Practice and Compliance Requirements, Response Preparation, Code Analysis, Security Testing, and Vulnerability Reporting and Response.
VMware's Product Security Policy (PSP) lays down mandatory security requirements for all VMware products. The PSP guides VMware developers to release products that are ready to meet customer compliance requirements.
VMware also has a comprehensive training program that includes security elements, which are part of the required curriculum for all R&D staff members. When product requirements are designed and drawn up, the security posture is reviewed and the design is subject to architectural analysis and a review of the attack surface. During code implementation, static code analysis tools are used to discover violations of secure development standards. Code is also manually reviewed, both internally and by third parties.
Dedicated test activities are in place to uncover security deficiencies. But even the best-developed software can still contain flaws. Vulnerability response is considered at several checkpoints during the development cycle, and VMware releases patches or new product versions to address these flaws and documents them in VMware Security Advisories.
This session concludes by answering common questions customers might have about VMware's advisories, CVE identifiers, and output from vulnerability scanners.

Track:

Technology & Architecture

Session Type:

Breakout Session

Keywords:

Secure Software Development Lifecycle, SSDL

Duration:

1 Hour

Speaker(s):

Monty Ijzerman, Sr. Program Manager, VMware, Inc.
Kris Inglis, Sr. Manager, VMware, Inc.
Kirk Larsen, Product Security Officer, VMware, Inc.