« Clientless SSL VPN products break web browser domain-based security models | Main | Potential risks of using Google's free DNS service? »

Preventing Security Development Errors: Lessons Learned at Windows Live by Using ASP.NET MVC

Microsoft has published a paper on its ASP.NET MVC framework, how to use it, and how utilization of an SDL eliminates the potential to introduce vulnerabilities such as XSRF. From the paper

"On the Microsoft platform, most Web applications are based on ASP.NET and the Microsoft®.NET Framework. ASP.NET MVC is a new framework based on ASP.NET that developers can use to build Web applications that follow the Model-View-Controller (MVC) pattern. The Windows Live team decided to use ASP.NET MVC as the basis for its services and framework. You can find more information about ASP.NET MVC on the Microsoft ASP.NET MVC Web site at http://www.asp.net/mvc/.

The Windows Live team used the Security Development Lifecycle (SDL) to analyze the security risks that the Windows Live services would face. In addition, the team used the SDL to mitigate these risks by designing the software carefully, following best practices in implementing these services, and subjecting the software to rigorous security testing prior to public release. The white paper "Applying the Security Development Lifecycle at Windows Live" describes the approach that the Windows Live team took to applying SDL to its services.

This paper discusses in depth the application of one of the principles of the SDL, “security by default.” It describes the approach that the Windows Live team took when it adopted the ASP.NET MVC framework, helping to prevent developers from making security errors while developing the services that Windows Live includes. Organizations building their own solutions based on ASP.NET MVC might consider adopting some of these practices as part of their development effort. In addition, this paper describes the benefits of introducing security mitigations into applications and services when the underlying framework is changed."

Whitepaper: http://www.microsoft.com/downloads/details.aspx?FamilyID=7606f801-70c5-49ca-a18c-91d4ed725833&displaylang=en


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!