
Article: SDL Embraces The Web

Bryan Sullivan of Microsoft has posted an MSDN Magazine column on applying the Security Development Lifecycle (SDL) to Web applications and online services. The introduction is quoted below.

"The Security Development Lifecycle (SDL) team recently released details of the SDL process that has been so successful in helping to make Microsoft products more secure. You can find these documents at microsoft.com/sdl.

As you read through this SDL guidance you will find strategies for securing client/server applications. Mitigation strategies for buffer overflow vulnerabilities are also covered extensively. With no less than three required compiler and linker switches (/GS, /SAFESEH, and /NXCOMPAT), 20-or-so code analysis warnings (found with the /analyze option in Visual Studio® 2005 and later), and more than 150 banned API functions, overflow vulnerabilities seem to be public enemy number one for the SDL.

What you won't find in the publicly available SDL documentation is guidance specific to securing Web applications or online services. To be sure, most of the SDL non-implementation requirements apply equally to client/server and Web applications. It's just as important to threat model your Web Forms applications as it is your Windows® Forms applications. Likewise, it is just as important to perform a Final Security Review for a SOAP service as for a Windows service. But what about Web-related vulnerabilities like cross-site scripting (XSS) and SQL injection? If the SDL pays so much attention to defending client/server applications against buffer overflows, why doesn't it pay attention to defending online services against XSS attacks, the public enemy number one of the Web?

The answer is, it does pay attention to these issues. The Microsoft® Online Services Security and Compliance team has been instrumental in identifying Web application security issues and addressing them in the SDL. However, these SDL requirements have previously not been available outside of Microsoft. The Web application-specific SDL requirements are some of the newest requirements, and the team wanted to make sure they were demonstrably effective before taking them outside the company. As online vulnerabilities rise across the industry, the team is confident enough in the effectiveness of the online service SDL requirements to share them here for the first time.

Please note that the rest of this column assumes you are familiar with Web application security issues such as XSS and SQL injection. If you are not comfortable with these concepts, please read up on them before continuing; good background material on these vulnerabilities can be found in the book 19 Deadly Sins of Software Security by Michael Howard, David LeBlanc, and John Viega (McGraw-Hill 2005)."
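The quoted passage describes the SDL's buffer-overflow measures (banned API functions and the /GS, /SAFESEH and /NXCOMPAT switches) without showing what a banned call looks like in practice. The C below is an added illustration written for this post, not code from Sullivan's column or from the SDL documents: it places an unbounded strcpy() call (the classic banned API) next to a bounded replacement in the spirit of the strcpy_s/StringCchCopy functions the SDL substitutes for it. The helper names, the 16-byte buffer size and the sample names are this example's own choices; the bounded copy is plain portable C so it builds with any compiler, and it does not depend on the MSVC-specific switches mentioned above (on GCC or Clang the closest analogue to /GS is -fstack-protector-strong).

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_BUF 16   /* illustrative fixed-size destination buffer */

/* "Before": the pattern the SDL banned-API list exists to remove.
 * strcpy() copies until it finds a NUL in src, so any input longer than
 * NAME_BUF - 1 bytes writes past the end of buf. It is shown here only
 * to make the contrast visible; nothing in this file calls it. */
void copy_name_unsafe(char buf[NAME_BUF], const char *src)
{
    strcpy(buf, src);   /* banned: no bound on the destination */
}

/* "After": a bounded replacement. Returns 0 on success and -1 when src
 * (including its NUL) does not fit in bufsize bytes. On failure the
 * destination is left as an empty string instead of a silently
 * truncated value the caller might mistake for the real one, which is
 * the same fail-closed behaviour strcpy_s chooses. */
int copy_name_safe(char *buf, size_t bufsize, const char *src)
{
    const char *nul;
    size_t n;

    if (buf == NULL || bufsize == 0)
        return -1;
    if (src == NULL) {
        buf[0] = '\0';
        return -1;
    }
    /* Look for the terminator only inside the first bufsize bytes of
     * src, so an unterminated or over-long source is never read past
     * the destination's capacity. */
    nul = memchr(src, '\0', bufsize);
    if (nul == NULL) {          /* too long: no room for the NUL */
        buf[0] = '\0';
        return -1;
    }
    n = (size_t)(nul - src);
    memcpy(buf, src, n + 1);    /* n + 1 <= bufsize, terminator included */
    return 0;
}

/* Self-checks used by main(); each returns 1 when the bounded copy
 * behaves as described. Inputs are constructed for this example. */
int check_fits(void)
{
    char buf[NAME_BUF];
    return copy_name_safe(buf, sizeof buf, "alice") == 0
        && strcmp(buf, "alice") == 0;
}

int check_rejects_overlong(void)
{
    char buf[NAME_BUF];
    /* 15 characters plus NUL exactly fills 16 bytes; 16 characters
     * would need a 17th byte and must be refused. */
    return copy_name_safe(buf, sizeof buf, "abcdefghijklmno") == 0
        && copy_name_safe(buf, sizeof buf, "abcdefghijklmnop") == -1
        && buf[0] == '\0';
}

int main(void)
{
    printf("fits in buffer:    %s\n", check_fits() ? "ok" : "FAIL");
    printf("rejects over-long: %s\n", check_rejects_overlong() ? "ok" : "FAIL");
    return 0;
}
```

The point of the replacement is that the destination size becomes an explicit parameter and the function refuses, rather than truncates, when the source does not fit; the SDL's banned-API approach works the same way by pushing every unbounded copy through a compiler warning or error until it has been rewritten with a size argument.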

Article: http://msdn.microsoft.com/en-us/magazine/cc794277.aspx