VSTS and Security Best Practices

I haven't had a chance to look at the new iteration of the MSF Agile process template for Visual Studio Team System, but I think I heard that there is a Risk work item type in it.

I got to thinking today as I was looking at a Chinese PPT slide deck for an MSDN webcast that my Chinese host presented yesterday (about 200 in attendance he said), as I was looking at STRIDE and DREAD, that really, security best practices should be a part of the MSF VSTS process template.

I think it would take the form of at least one work item type, and perhaps a test type as well (though tests are not part of the process template).

"Defence in depth" should be integrated into the SDLC, a part of the process.

Perhaps someone else has said this already, and likely better than I have; if so, I add my voice to theirs.

1 Comment

  • In one of my presentations I demonstrate the customization of a process template using the Imaginet Team System Customization toolkit. Here I demo adding a "Threat" work item type and provide fields to capture categorization (STRIDE) and Prioritization metrics (DREAD).

    I do agree that this should be encapsulated in the process template itself. This is also not in the current builds of MSF for CMMI Improvement that I've seen either.

    I would suspect that at some point someone will likely post a work item definition to handle this at VSTSRocks.net.

    Heck, I could probably post the work item definition I created for the demo - however, the schema of the work item type and underlying process guidance has likely changed enough for it to be invalid in any release other than beta 2.
