"In the September 2008 issue of MSDN Magazine, I wrote a column about the additions that Microsoft has made to the Security Development Lifecycle (SDL) process to address security vulnerabilities in online services. I talked about the importance of input validation and output encoding in order to prevent cross-site scripting attacks; about using parameterized stored procedures and restricting database permissions in order to defend against SQL injection attacks. I also discussed restricting the use of wildcards in cross-domain policy files so you can defend against request forgery attacks (see "SDL Embraces The Web").

of these SDL additions are necessary to protect your Web apps, but they raise challenges for Web app development teams. In order to make the SDL more practical for Web app and online services teams, the process itself needs to change to better fit the development processes that those teams use. In other words, it’s not just that the SDL needs new, Web-specific requirements; it’s that those requirements need to be applied in a different manner as well.

The biggest difficulty in adapting the SDL to the needs of Web applications is simply one of time. The SDL was originally developed to improve the security of large, complex products like Windows, Microsoft Office, and SQL Server, and it has done so very successfully. Part of the reason for its success is its thoroughness: in its latest version, the SDL has more than 80 separate requirements and recommendations that product teams follow to improve their products’ security and privacy." – Bryan Sullivan
Read more: http://msdn.microsoft.com/en-us/magazine/dd153756.aspx