unity-ssdlc
Intro and Overview
This is a public version of Unity's internal Secure Software Development Lifecycle (SSDLC). It is meant to be a reusable reference framework: something to share with others, and something that takes contributions so it can improve and evolve.
The Unity Security Team has worked hard to improve the trustworthiness of Unity's products and services. As part of that, we developed our own internal SSDLC to help our internal developers design and develop more secure products. After a few iterations, we found that we had an interesting collection of articles and trainings that may be useful, for not just Unity's developers, but potentially other companies as well. So we decided to share what we have, hopefully contributing something useful back to the broader software security community.
We know this isn't perfect - there are rough edges, some typos and embarrassing grammar, and it's certainly not close to exhaustive. But there is definitely useful information here: not only the content itself, but also a concrete example, shared with other companies, of what an actual, in-use SSDLC looks like. With this in mind, please be kind in your constructive criticism, and let us know if you've found this useful!
How To Use
SSDLC starts at Overview
Feel free to clone the whole repo and use it in your organization! We'd appreciate your feedback as well :)
Unity SSDLC Structure
Our SSDLC is currently a suite of offerings from the Unity Application Security team: part documentation, part training (in person and online), and a fun CTF (Capture The Flag) server that we host.
SSDLC Documentation
The SSDLC is an ever-evolving set of documents that our team has drafted as an attempt to capture industry best practices in a single location for our developers. The recommendations aren't perfect and are always in draft. There are gaps, both in the technologies we cover and in how deep we go on each topic; however, we felt it better to share as much as we could with our developers (and you!). It does no good for us to hoard a complete library of knowledge because we're missing just one more article :)
This SSDLC is intended to be a practical reference that helps developers design and develop more secure products. It is spread over 3 main topics: Coding Practice, Language Best Practices, and Security Process. We'll be sharing our Tools and Automation and Trainings in the future.
Trainings
NOTE: The Trainings are still TBD - We'll get them in here as soon as we can! As a further supplement to our SSDLC, the Unity Security team has developed several presentations that deliver security content in a more entertaining form. The training was built to be delivered in person, as part of mini internal security conferences. Ideally, we'd also record these presentations to share with folks who can't make it to the live sessions.
We can't share all our presentations here; we wanted to make them relevant and personal to the teams we present to, so many contain findings in our own products, with live demos of us exploiting vulnerabilities we've discovered in our own code. In this way, developers can see the real risk of insecure code, potentially in code they wrote themselves. We never shame or intentionally call out a team or specific developers - this is meant to be a learning experience, not a hurtful one.
CTF(s)
NOTE: Our CTF is not quite ready for public release - We'll have this updated as soon as we can! To go along with our mini-conferences, we also run a small CTF (Capture The Flag) in parallel with the presentations. This gives our development teams hands-on experience with insecure applications, starting with very simple examples and working up to more advanced challenges. This is not meant to be a full-fledged DEF CON-style CTF - we just want to teach some security basics and whet the hacking appetite of our teams.
Contributions
To learn how to contribute, take a look at our Contributing.md. Let us know if you have any questions not called out in there.
Contact Us
License
License found in: LICENSE.md
Copyright © 2021 Unity Technologies
Disclaimer
THE INFORMATION PROVIDED HERE DOES NOT REPRESENT OR DESCRIBE ALL OF UNITY’S SSDLC PRACTICES, AND, AS SUCH, DOES NOT REPRESENT ALL PROCESSES EMPLOYED BY UNITY CONCERNING SOFTWARE SECURITY. THE INFORMATION PROVIDED IS AN EXAMPLE FRAMEWORK, BUT NO REPRESENTATIONS OR WARRANTIES ARE MADE OF IT AND NO GUARANTEES ARE PROVIDED CONCERNING ANY SPECIFIC RESULTS. INFORMATION IS PROVIDED “AS-IS” AND “AS AVAILABLE”. ANY USE OF THE INFORMATION PROVIDED IS AT YOUR OWN RISK AND LIABILITY. FURTHER, UNITY MAY CHANGE ANY INFORMATION PROVIDED HERE AT ANY TIME WITHOUT NOTICE TO YOU.
THE INFORMATION AS DOCUMENTED HERE IS SUBJECT TO COPYRIGHT AND OTHER INTELLECTUAL PROPERTY LAWS. PLEASE REVIEW THE LICENSE FILE TO FAMILIARISE YOURSELF WITH THE TERMS OF THE LICENSES PROVIDED BY UNITY.