
Agile SDL: Streamline Security Practices For Agile Development

"In the September 2008 issue of MSDN Magazine, I wrote a column about the additions that Microsoft has made to the Security Development Lifecycle (SDL) process to address security vulnerabilities in online services. I talked about the importance of input validation and output encoding in order to prevent cross-site scripting attacks; about using parameterized stored procedures and restricting database permissions in order to defend against SQL injection attacks. I also discussed restricting the use of wildcards in cross-domain policy files so you can defend against request forgery attacks (see "SDL Embraces The Web").

All of these SDL additions are necessary to protect your Web apps, but they raise challenges for Web app development teams. In order to make the SDL more practical for Web app and online services teams, the process itself needs to change to better fit the development processes that those teams use. In other words, it's not just that the SDL needs new, Web-specific requirements; it's that those requirements need to be applied in a different manner as well.

The biggest difficulty in adapting the SDL to the needs of Web applications is simply one of time. The SDL was originally developed to improve the security of large, complex products like Windows, Microsoft Office, and SQL Server, and it has done so very successfully. Part of the reason for its success is its thoroughness: in its latest version, the SDL has more than 80 separate requirements and recommendations that product teams follow to improve their products' security and privacy." - Bryan Sullivan

Read more: http://msdn.microsoft.com/en-us/magazine/dd153756.aspx

