author marcinzelent <zelent.marcin@gmail.com> 2018-05-27 17:51:36 +0200
committer marcinzelent <zelent.marcin@gmail.com> 2018-05-27 17:51:36 +0200
commit 47ebf935bcbe80f72024788de8f1de2c352fcbf7
tree 1d25c4f54843bddf8333ba8da4205e6719fe6a73 /synopsis.tex
parent 39cf77bc0af49c983e0f80b4c2884a316f87d6d2
Added more info about SDL
Diffstat (limited to 'synopsis.tex')
-rw-r--r-- synopsis.tex 68
1 files changed, 52 insertions, 16 deletions
diff --git a/synopsis.tex b/synopsis.tex
index 845173e..d7b7776 100644
--- a/synopsis.tex
+++ b/synopsis.tex
@@ -521,11 +521,43 @@ principles:
\end{itemize}
Microsoft created software development process which follows these principles,
-Security Development Lifecycle (SDL). It consists of 16 practices, split into 6
-phases. These activities include: security training, setting requirements and
-minimal levels of security, risks assessment, designing secure functionality and
-security functions, safe implementation, analysis, testing of the produced
-application, creating emergency plan and final review.
+Security Development Lifecycle (SDL). It is used throughout the whole company
+and is mandatory policy since 2004. Its goal is to reduce the number and
+severity of security vulnerabilities present in software by combining a holistic
+and practical approach.
+
+SDL consists of five main phases:
+
+\begin{itemize}
+ \item \textbf{Requirements} \\
+ In this early phase, developers define the security
+ requirements and milestones, minimum acceptable quality levels
+ and decide which parts of the software will require further
+ assessment.
+ \item \textbf{Design} \\
+ During this phase, secure functionality and security functions
+ of the application are being designed, attack surface area is
+ getting reduced, and the development team creates threat models.
+ \item \textbf{Implementation} \\
+ Before implementing the functionality, approved and safe tools
+ should be chosen. If some API will be also used, all unsafe
+ functions of it should be deprecated. When writing the code, it
+ should be constantly analyzed to make sure it is secure.
+ \item \textbf{Verification} \\
+ The phase of testing and reviewing the application. Includes
+ run-time verification of functionality, memory usage and proper
+ privileges, as well as fuzz testing, and threat model review.
+ \item \textbf{Release} \\
+ After the product is finished, a support for it must be
+ guaranteed by creating an emergency plan and a support team. It
+ must be also examined against the previously set requirements
+ and threat models. After passing all checks, it will be
+ certified and ready for release.
+\end{itemize}
+
+Following the design by security principles and using Security Development
+Lifecycle will definitely help in the development of secure solutions and
+minimize the threats after deployment.
\newpage
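Review bot: The added overview says "SDL consists of five main phases", while the text it replaces described 16 practices split into 6 phases and listed security training, which no longer appears in any item of the new itemize. Either say which phase was dropped or merged and why, or restore training as an item so the count matches the description being replaced. The new claim that SDL "is mandatory policy since 2004" needs a citation and reads better as "has been a mandatory policy since 2004". In the Implementation item, "If some API will be also used, all unsafe functions of it should be deprecated" does not say who deprecates what; reword it to state what the development team does with the unsafe functions of the APIs it uses. In the closing sentence, "design by security principles" should match the name the preceding list uses for these principles, and "will definitely help" is stronger than anything in the section supports.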
@@ -545,21 +577,25 @@ prevention methods made by people dedicated to making software more secure.
\section{Reflection}
-Thanks to this project I have learned a lot about application security and how
-to make my apps secure. I got really interested in this subject and I would
-like to continue studying it. That is why I believe it was a good decision to
-pick up this topic. The questions I asked in my problem definition were on
-point as, by trying to answer them, I managed to describe the things I wanted
-to learn and write about. I think my methods of research were correct since the
-availability of resources made it easy to find information in many different,
-interesting forms. Creation of examples allowed me to not only understand the
+I believe it was a good decision to pick application security as the topic of my
+individual project specialization because, in the course of researching this
+subject, I have gained a lot of very useful knowledge that will help me in the
+future. The questions I asked in my problem definition were on point as, by
+trying to answer them, I managed to describe the things I wanted to learn and
+write about. I think my methods of research were correct since the availability
+of resources made it easy to find information in many different, interesting
+forms, like books, articles, and videos. Creation of examples, trying out
+different attack and prevention techniques allowed me to not only understand the
security concepts in theory but also in practice. The plan I came up with was
good because it allowed me to focus on my goals instead of single activities on
specific days, which would be hard to follow, because of my dynamic schedule.
Although looking back at it, I could make it better by assigning less time on
-initial and final activities and putting more time on the actual work. This
-made me not follow my plan completely the way I would like to. However, in the
-end, I managed to finish my synopsis on time, so it is not a big issue.
+initial and final activities and putting more time on the actual work. This made
+me not follow my plan completely the way I would like to. However, in the end, I
+managed to finish my synopsis on time, so it is not a big issue. Thanks to this
+project I have learned a lot about application security and how to make secure
+applications. I got really interested in this subject and I would like to
+continue studying it in the future.
\newpage
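Review bot: In the rewritten Reflection paragraph, the two sentences moved to the end ("Thanks to this project I have learned a lot about application security ...") restate the new opening sentence, and "in the future" now appears in both the first and the last sentence. Keep one of the two statements and end on the wish to continue studying the subject. The added "Creation of examples, trying out different attack and prevention techniques allowed me" is missing a conjunction between the two activities ("Creation of examples and trying out ...").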