
Article: SDL Embraces The Web

Bryan Sullivan from Microsoft has posted an article on using the SDL to secure web applications.

"The Security Development Lifecycle (SDL) team recently released details of the SDL process that has been so successful in helping to make Microsoft products more secure. You can find these documents at microsoft.com/sdl.

As you read through this SDL guidance you will find strategies for securing client/server applications. Mitigation strategies for buffer overflow vulnerabilities are also covered extensively. With no less than three required compiler and linker switches (/GS, /SAFESEH, and /NXCOMPAT), 20-or-so code analysis warnings (found with the /analyze option in Visual Studio® 2005 and later), and more than 150 banned API functions, overflow vulnerabilities seem to be public enemy number one for the SDL.

What you won't find in the publicly available SDL documentation is guidance specific to securing Web applications or online services. To be sure, most of the SDL non-implementation requirements apply equally to client/server and Web applications. It's just as important to threat model your Web Forms applications as it is your Windows® Forms applications. Likewise, it is just as important to perform a Final Security Review for a SOAP service as for a Windows service. But what about Web-related vulnerabilities like cross-site scripting (XSS) and SQL injection? If the SDL pays so much attention to defending client/server applications against buffer overflows, why doesn't it pay attention to defending online services against XSS attacks, the public enemy number one of the Web?

The answer is, it does pay attention to these issues. The Microsoft® Online Services Security and Compliance team has been instrumental in identifying Web application security issues and addressing them in the SDL. However, these SDL requirements have previously not been available outside of Microsoft. The Web application-specific SDL requirements are some of the newest requirements, and the team wanted to make sure they were demonstrably effective before taking them outside the company. As online vulnerabilities rise across the industry, the team is confident enough in the effectiveness of the online service SDL requirements to share them here for the first time.

Please note that the rest of this column assumes you are familiar with Web application security issues such as XSS and SQL injection. If you are not comfortable with these concepts, please read up on them before continuing—good background material on these vulnerabilities can be found in the book 19 Deadly Sins of Software Security by Michael Howard, David LeBlanc, and John Viega (McGraw-Hill 2005)."

Article: http://msdn.microsoft.com/en-us/magazine/cc794277.aspx



"But what about Web-related vulnerabilities like cross-site scripting (XSS) and SQL injection?"
Ummmm....how does scanning software know if the system allows HTML/JavaScript injection as a feature or not??? That's why Systems Analysts are handy...they get to identify where it should and shouldn't occur. This situation differs greatly from Buffer Overflow type vulnerabilities, which have no case for being present (i.e. Buffer Overflow cannot be argued as a feature).

You are correct, automated scanning software has no insight/context into business requirements for HTML/script usage provided by the user. For overflows/format string vulns/other it is more straightforward, as you point out.

In a prior job there were site sections allowing user-supplied HTML while the majority didn't. Humans review each flagged vulnerability and identify if it is a feature/intentional. On that note, these tools are not designed to test systems where some HTML is allowed and others are rejected; these sorts of tests require a human to review.