The Security Development Lifecycle book is available for download

Microsoft has recently published online the foundational book describing the SDL (Security Development Lifecycle).


The principles behind the SDL grew out of the Windows Longhorn project reset in the early 2000s. According to MS insiders, the entire project was scrapped and restarted from scratch because of critical vulnerabilities in various components. At the time, Microsoft had a questionable reputation with regard to the security of its products, so the company made a huge investment in security improvement. The SDL was created as the common approach to developing products from the very bottom to the top, from design to release.

The book was published in good old 2006, which can be seen as the Stone Age compared to the threats and attack vectors present nowadays. Nevertheless, it remains a valuable source of knowledge and actionable guidance for teams and companies that struggle with improving the security of their products. In my opinion, it is impossible to deliver a secure solution without integrating SDL principles into every part of the development process.

The most recent overview of SDL can be found at the dedicated Microsoft page.

The best part of it is the set of tools and instruments designed and used by MS at each step of the SDL, with links for download. It serves as a great reference to the spectrum of problems that the SDL solves: you don't have to replicate it in your organization exactly the way it works at MS, but at least it helps you understand the challenges and the possible solutions.

4 ways of developing DevOps competences

I've been in DevOps for about 5 years so far and have recently summed up the main ways of learning in this field.

The main challenge of learning DevOps is the extremely wide range of technologies and skills that are presumed to be useful in this occupation.

While the DevOps toolset depends heavily on the technology stack, there are common areas of knowledge that (based on my trials and failures) turned out to be crucial for a system-level vision and approach.

First of all, DevOps is not only about development, as we can see from the name; there is also an Ops part. Therefore, any reading related to Operations Management is beneficial. You need to know how the company works from the inside out in order to be efficient in DevOps when improving delivery processes. Some of my favorites are:

They will tell you how to build the operations of your company like a factory. You may argue that you work in a lean/agile/cool startup and have nothing to do with blue-collar workers from industrial areas, and you would be mistaken. It is important to start looking at the work done by your company as something you can measure and improve, not ephemerally but in terms of time, throughput and quality.

The second thing I learned about DevOps is to always keep asking yourself: am I doing the right thing? Am I delivering value and improving the processes? Do it all the time, even outside of work, for example when attending tech conferences and reading literature. Try to make sure you are on track with the latest trends, and here I mean being on track conceptually. Do not try to chase each and every new tool or release; it rarely makes a big difference compared to using the old ones. Concentrate on following the concepts: whenever someone introduces a new way of doing DevOps, it is time to start digging in. When you adopt new concepts and bring the best ideas to work, you change the rules of the game and may get much better results than by simply replacing the tools.

The third point is to constantly and continuously improve your OWN operations. Think about how you handle the work that lands on your desk; think of yourself as a factory and of the output you produce. What do you need to improve? You may start with time management, memory skills, and communication.

And the last, fourth way of learning is to always communicate your ideas, in blogs, comments and discussions with colleagues, and see how people react to them. This will help you understand the main pain points and weak spots of your concepts and improve them with the assistance of others and from their perspective.

Books for getting more power with PowerShell

When you look at the available PowerShell books, almost every link on the Internet points you to the infamous:

Jones, Don, and Jeffrey T. Hicks. Learn Windows PowerShell 3 in a Month of Lunches. Manning, 2013.

This book is indeed very good and professionally written. However, it doesn't explain some basics which are very important for understanding PS features. It feels like you are being dragged into a dark and scary forest of this bloody PowerShell. On a serious note, I would say that this book was written by PS gurus who can barely walk in the shoes of ordinary Linux users or SW engineers.

Instead, I would recommend checking out this one:

Santos, Donabel. PowerShell for SQL Server Essentials. 2015.

It has it all, and puts it into a SQL Server context. Delicious!

I very much like the author's style and way of approaching the main concepts. He just explains it to you as to a colleague, without trying to impress you with his deep knowledge of the subject.

Great job, Mr. Santos!