VSTS and Security Best Practices

Published 22 July 05 10:54 AM | MikeD

I haven't had a chance to look at the new iteration of the MSF Agile process template for Visual Studio Team System, but I think I heard that there is a Risk work item type in it.

I got to thinking today, as I was looking at a Chinese PPT slide deck for an MSDN webcast that my Chinese host presented yesterday (about 200 in attendance, he said), and as I was looking at STRIDE and DREAD, that really, security best practices should be a part of the MSF VSTS process template.

I think it would take the form of at least one work item type, and perhaps a test type as well (though tests are not part of the process template).

"Defence in depth" should be integrated into the SDLC, a part of the process.

Perhaps someone else has said this already, and likely better than I have; if so, I add my voice to theirs.

 


Comments

# Joel Semeniuk said on August 10, 2005 01:31 AM:

In one of my presentations I demonstrate the customization of a process template using the Imaginet Team System Customization toolkit. Here I demo adding a "Threat" work item type and provide fields to capture categorization (STRIDE) and prioritization metrics (DREAD).

I do agree that this should be encapsulated in the process template itself. This is also not in the current builds of MSF for CMMI Improvement that I've seen either.

I would suspect that at some point someone will likely post a work item definition to handle this at VSTSRocks.net.

Heck, I could probably post the work item definition I created for the demo - however, the schema of the work item type and underlying process guidance has likely changed enough for it to be invalid in any release other than beta 2.