Microsoft’s SDL Process Guidance 5.1 Released

Posted by on April 20, 2011

April 14th, Microsoft released their annual update to the SDL Process Guidance. The updated document can be downloaded from Microsoft has done a good job of updating their SDL documentation to help cover the most important items. Here are some of the changes made in this release (Not all updates are included here).

Design Phase
Mitigating against Cross-Site Scripting (XSS). XSS has topped the OWASP Top Ten for a long time. In the most recent version it is ranked as #2 on the list. The document provides some tools to help protect against this. One recommendation is to use the Microsoft Anti-XSS Library to encode untrusted output.

Apply no-open header to user-supplied downloadable files. More details are in the document, but this specifically applies to the X-Download-Options HTTP Header.

Implementation Phase
Use Secure Methods to access databases. This is related to SQL Injection vulnerabilities. Use Parameterized queries or stored procedures rather than dynamic sql. Use least privilege.

Don’t use Visual Basic 6 to build products. This is a push to get away from VB6 and entirely into .Net.

Ensure that regular expressions must not execute in exponential time. Recently, it was brought up that an improperly formed regular expression could cause a denial of service with specially crafted input. Use the RegExFuzzer to test all regular expressions.

Use Secure Cookie over HTTPS. Make sure that authentication cookies and other secure cookies have the “Secure” flag set to only allow transmission over SSL.

Mitigate against Cross-Site Request Forgery (CSRF). See the document for more details.

Sample Code should be SDL compliant. I think this is something that should have been required all along. There are a few reasons for this. First, often sample code turns into production code. Developers learn from sample code, so if the sample is insecure, chances are good that the new code will also be insecure.

Verification Phase
File fuzzing when input to a file parser crosses a trust boundary. Fuzzing is the newest trend in effectively testing file parsers. If data is going to a file parser, fuzzing is a must.


Comments are closed.