Tuesday, April 6, 2010

Microsoft Security Development Lifecycle (SDL) Version 5

A new version of the Microsoft Security Development Lifecycle (SDL) Process Guidance is now available on MSDN and through the Microsoft Download Center. Developers who want to secure their software with the same methods the Redmond company uses can read SDL version 5.0 online or download it for offline use. The download illustrates the process guidance Microsoft applies to harden its own products and technologies, including Windows 7 and Office 2010.
Following the release of Windows Vista, Microsoft warned developers of third-party Windows applications that attackers would increasingly use their products as attack vectors, as the security bar for the OS was raised considerably through SDL. The Redmond company subsequently opened up SDL to all devs, in the hope that the entire software ecosystem built around Windows could benefit from the same security focus during the development process as the platform itself.
For those unfamiliar with SDL, the Microsoft Security Development Lifecycle is a collection of security and privacy resources, such as requirements and recommendations, that the company applies to raise the level of protection for its own users. Jeremy Dallman, security program manager on the Security Development Lifecycle Team, enumerated the changes introduced in the SDLv5 documentation:

1. SDL for Agile included: The largest change in SDLv5 is the inclusion of SDL for Agile Development as an Addendum at the end. We took the SDL-Agile guidance that was published in November 2009 and included it in the parent SDL document to make it a one-stop resource.

2. New and updated security requirements and recommendations
Requirements Phase (1 new) - New Requirement: Include third-party code licensing security requirements in all new contracts.

Design Phase (3 new) - New Requirements:
• Hardware: Perform hardware security design review.
• Server/SaaS: Perform integration-points security design review.
• Web application: Implement strong log-out and session management.

Implementation Phase (10 new, 1 update)

New/Updated Requirements:
• Use secure methods to access databases.
• Avoid LINQ ExecuteQuery.
• Avoid EXEC in stored procedures.
• Update: new minimum required versions for code analysis tools (also see Appendix E).

New Recommendations
• Web applications: Use HTTPOnly cookies.
• Implement reflection and authentication relay defense.
• NULL out free’d memory pointers in new code.
• All sample code should be SDL compliant.
• Internet Explorer 8 MIME handling: HTTP response sniffing opt-out.
• Lock ActiveX controls to a defined set of domains.
• Verify use of ClickJacking defenses in code.

Verification Phase (2 new, 2 updates)
New/Updated Requirements
• Network fuzzing: Any new network parsers must be able to accept 100,000 malformed packets without failure.
• Update: Web applications: Use ViewStateUserKey or ValidateAntiForgeryTokenAttribute against CSRF attacks.
• Update: Do not use banned APIs in old or new code.

New Recommendations
• Web applications: Use a passive security auditor.
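The three database items under the Implementation Phase (secure methods to access databases, avoid LINQ ExecuteQuery, avoid EXEC in stored procedures) all target one defect: SQL text assembled from untrusted input. The following is an added example and is not code from the SDL guidance or from Microsoft. It uses Python's standard-library sqlite3 in place of SQL Server, and a string-built query in place of EXEC(@sql) in a stored procedure or ExecuteQuery(string) in LINQ, which is the pattern the guidance bans. The users table and its rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample table for the example (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    conn.commit()
    return conn


def lookup_dynamic(conn, name):
    """The banned pattern: what EXEC(@sql) in a stored procedure or
    ExecuteQuery("..." + name) does. The caller's string becomes part of
    the SQL grammar, so a quote character changes the query's meaning."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Secure access method: the value travels as a bound parameter and is
    never parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def run_both(conn, name):
    """Run the same lookup both ways. A dynamic query that fails to parse is
    reported as the string 'SQL error' instead of raising, so the two
    behaviours can be compared side by side."""
    try:
        dyn = lookup_dynamic(conn, name)
    except sqlite3.Error:
        dyn = "SQL error"
    return dyn, lookup_parameterized(conn, name)


if __name__ == "__main__":
    db = make_db()
    # A legitimate name, a tautology injection, and a name with an apostrophe.
    for probe in ("alice", "' OR '1'='1", "o'brien"):
        print(repr(probe), "->", run_both(db, probe))
```

The tautology probe returns every row through the dynamic path and nothing through the parameterized one, and the legitimate apostrophe in "o'brien" breaks the dynamic query outright while the bound parameter finds the row. Both outcomes are the reason the guidance treats string-built SQL, whether in T-SQL EXEC or in application code, as a requirement violation rather than a style issue.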
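The web-application items in the list (HttpOnly cookies, ViewStateUserKey or ValidateAntiForgeryTokenAttribute against CSRF, the Internet Explorer 8 response-sniffing opt-out, clickjacking defenses, and the Design Phase requirement for strong log-out and session management) can be shown together in one small server-side helper. This is an added example in Python, not Microsoft code and not the ASP.NET implementation. SERVER_SECRET and the in-memory SESSIONS dictionary are assumptions standing in for a machineKey and server-side session state, and the token format (a nonce plus an HMAC over the session id and nonce) is one reasonable construction that binds the token to the user's session, not the exact ASP.NET one.

```python
import hmac
import hashlib
import secrets
from http.cookies import SimpleCookie

# Assumptions (not from the page): a process-wide HMAC key and an in-memory
# session store stand in for ASP.NET's machineKey and session state.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {}  # session id -> username


def security_headers():
    """Response headers for the clickjacking and MIME-sniffing items."""
    return {
        "X-Frame-Options": "DENY",            # refuse to be framed (clickjacking defense)
        "X-Content-Type-Options": "nosniff",  # IE8 opt-out of HTTP response sniffing
    }


def login(username):
    """Create a server-side session; return (session id, Set-Cookie header)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["httponly"] = True  # script cannot read it via document.cookie
    cookie["session"]["secure"] = True    # only sent over HTTPS
    cookie["session"]["path"] = "/"
    return sid, cookie.output()


def issue_csrf_token(sid):
    """Anti-forgery token bound to this session, in the spirit of
    ViewStateUserKey / ValidateAntiForgeryToken: nonce + HMAC(secret, sid:nonce).
    A token minted for another user's session will not validate here."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{sid}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def validate_csrf_token(sid, token):
    """True only if the token was minted for a live session with id `sid`."""
    if sid not in SESSIONS:  # logged-out or unknown session: reject
        return False
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{sid}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def logout(sid):
    """Strong log-out: drop the server-side session (so the old cookie and any
    tokens bound to it are dead) and tell the browser to expire the cookie."""
    SESSIONS.pop(sid, None)
    cookie = SimpleCookie()
    cookie["session"] = ""
    cookie["session"]["max-age"] = 0
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["path"] = "/"
    return cookie.output()


if __name__ == "__main__":
    sid, set_cookie = login("alice")
    print(set_cookie)
    token = issue_csrf_token(sid)
    print("own token valid:", validate_csrf_token(sid, token))
    other_sid, _ = login("mallory")
    print("other user's token valid:", validate_csrf_token(sid, issue_csrf_token(other_sid)))
    print(logout(sid))
    print("token valid after logout:", validate_csrf_token(sid, token))
    print(security_headers())
```

The point of binding the token to the session id rather than issuing a global per-form secret is the same one ViewStateUserKey makes: an attacker who can obtain a valid token for their own session cannot replay it against the victim's. Invalidating the session server-side on log-out is what makes the log-out "strong"; expiring the cookie alone leaves a copied cookie usable.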
