• Blogroll

  • DevelopSec

• Archives

  • March 2024
  • December 2023
  • January 2023
  • August 2022
  • February 2020
  • October 2019
  • May 2019
  • June 2018
  • November 2017
  • June 2017
  • February 2017
  • October 2016
  • September 2016
  • May 2016
  • February 2016
  • January 2016
  • November 2015
  • October 2015
  • September 2015
  • April 2015
  • October 2014
  • August 2014
  • December 2013
  • November 2013
  • October 2013
  • July 2013
  • May 2013
  • April 2013
  • March 2013
  • January 2013
  • December 2012
  • September 2012
  • August 2012
  • July 2012
  • April 2012
  • March 2012
  • February 2012
  • January 2012
  • September 2011
  • July 2011
  • June 2011
  • April 2011
  • March 2011
  • February 2011
  • January 2011
  • November 2010
  • October 2010
  • September 2010
  • July 2010
  • May 2010
  • April 2010
  • February 2010
  • January 2010
  • December 2009
  • October 2009
  • August 2009
  • April 2009
  • March 2009
  • January 2008
  • December 2007
  • October 2007

Microsoft’s SDL Process Guidance 5.1 Released

April 14th, Microsoft released their annual update to the SDL Process Guidance. The updated document can be downloaded from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e5ff2f9d-7e72-485a-9ec0-5d6d076a8807&displaylang=en. Microsoft has done a good job of updating their SDL documentation to help cover the most important items. Here are some of the changes made in this release (Not all updates are included here).

Design Phase
Mitigating against Cross-Site Scripting (XSS). XSS has topped the OWASP Top Ten for a long time. In the most recent version it is ranked as #2 on the list. The document provides some tools to help protect against this. One recommendation is to use the Microsoft Anti-XSS Library to encode untrusted output.

Apply no-open header to user-supplied downloadable files. More details are in the document, but this specifically applies to the X-Download-Options HTTP Header.

Implementation Phase
Use Secure Methods to access databases. This is related to SQL Injection vulnerabilities. Use Parameterized queries or stored procedures rather than dynamic sql. Use least privilege.

Don’t use Visual Basic 6 to build products. This is a push to get away from VB6 and entirely into .Net.

Ensure that regular expressions must not execute in exponential time. Recently, it was brought up that an improperly formed regular expression could cause a denial of service with specially crafted input. Use the RegExFuzzer to test all regular expressions.

Use Secure Cookie over HTTPS. Make sure that authentication cookies and other secure cookies have the “Secure” flag set to only allow transmission over SSL.

Mitigate against Cross-Site Request Forgery (CSRF). See the document for more details.

Sample Code should be SDL compliant. I think this is something that should have been required all along. There are a few reasons for this. First, often sample code turns into production code. Developers learn from sample code, so if the sample is insecure, chances are good that the new code will also be insecure.

Verification Phase
File fuzzing when input to a file parser crosses a trust boundary. Fuzzing is the newest trend in effectively testing file parsers. If data is going to a file parser, fuzzing is a must.

Comments

• Follow Us

  

  

  

  
  
  
  

• Recent Posts

  • Securing the Forms Authentication Cookie with Secure Flag
  • Does ASP:Textbox TextMode Securely Enforce Input Validation?
  • Disabling SpellCheck on Sensitive Fields
  • What is the difference between encryption and hashing?
  • XmlSecureResolver: XXE in .Net