16 April 2010

Security Development Lifecycle for Agile Development

The Security Development Lifecycle for Agile Development has now been incorporated into the latest release of Microsoft's Security Development Lifecycle (SDL) Process Guidance.

Photograph of blue and green neon-lit escalators in the City of London

SDLv5, issued on 31 March 2010, includes the Agile guidance first published in November 2009. This provides advice on applying lightweight software security practices when using Agile software development methods, such as Extreme Programming (XP) and Scrum.

Additional changes particularly relevant to web applications include:

  • Use ViewStateUserKey (ASP.NET Web Forms) or ValidateAntiForgeryTokenAttribute (ASP.NET MVC) to add a layer of defence against Cross-Site Request Forgery (XSRF) attacks.
  • Conduct an integration-points security design review with dependent product teams across your end-to-end scenarios.
  • Strong log-out and session management. Proper session handling is one of the most important parts of Web application security.
  • Include third-party code licensing security requirements in all new contracts.
  • Use secure methods to access databases, such as parameterised queries or stored procedures. Creating dynamic queries by string concatenation potentially allows an attacker to execute an arbitrary query through the application.
  • All HTTP-based applications that use cookies must specify HttpOnly in the cookie definition for all cookies not explicitly required by legitimate scripts in the Web page; a cookie marked HttpOnly cannot be read by script, so it is not exposed by a cross-site scripting flaw.
  • Internet Explorer 8 MIME handling: sniffing opt-out. This recommendation addresses functionality new in Internet Explorer 8 that may have security implications in some cases, because the browser may sniff a response and interpret it as a type other than the declared Content-Type (for example, treating uploaded user content as HTML). For each HTTP response that could contain user-controllable content, send the HTTP header X-Content-Type-Options: nosniff.
  • Identify any ActiveX controls, new and existing, that can be locked to a preselected set of domains, and incorporate the SiteLock 1.15 Template for ActiveX Controls during implementation to lock each control to that set of domains.
  • ClickJacking defence. For each page that could contain user-controllable content, use a "frame-breaker" script and include the HTTP response header X-FRAME-OPTIONS (with the value DENY or SAMEORIGIN) in each authenticated page; the header is the reliable control, the script is a fallback for browsers that do not honour it.
  • Use a passive security auditor. Use Watcher (a passive add-in for Fiddler) to detect vulnerabilities such as missing HttpOnly flags and missing security headers in the traffic observed while you browse the application.
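
As an added example (not code from the SDL guidance, from Microsoft or from this post), the Node.js script below performs the kind of passive check Watcher does for three of the items above, HttpOnly on cookies, X-Content-Type-Options: nosniff and X-Frame-Options, and pairs it with a helper that applies those three fixes to a response. The function names, the sample response and the cookie names in it are this example's own constructions, and the exemption list for script-readable cookies follows the wording of the HttpOnly item.

```javascript
// Added example for this post, not code from the SDL guidance or from
// Microsoft: a small passive audit of an HTTP response for three of the
// SDL web items above (HttpOnly cookies, X-Content-Type-Options: nosniff,
// X-Frame-Options) and a helper that applies them. Plain Node.js, no
// dependencies; all names and the sample response are this example's own.

// Split a raw HTTP/1.x response into status line, [name, value] header
// pairs (repeated headers such as Set-Cookie stay separate) and body.
function parseResponse(raw) {
  const m = raw.match(/\r?\n\r?\n/);
  const headText = m ? raw.slice(0, m.index) : raw;
  const body = m ? raw.slice(m.index + m[0].length) : '';
  const lines = headText.split(/\r?\n/);
  const headers = [];
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers.push([line.slice(0, i).trim(), line.slice(i + 1).trim()]);
  }
  return { statusLine: lines[0], headers, body };
}

// Header names are case-insensitive; values are returned in order.
function headerValues(headers, name) {
  const n = name.toLowerCase();
  return headers.filter(([h]) => h.toLowerCase() === n).map(([, v]) => v);
}

const cookieName = (setCookie) => setCookie.split('=')[0].trim();
const cookieAttrs = (setCookie) =>
  setCookie.split(';').slice(1).map((a) => a.trim().toLowerCase());

// Passive check: returns a list of findings (empty means the response
// satisfies all three items). scriptCookies lists cookie names that a
// legitimate page script must read, which the SDL item exempts from HttpOnly.
function auditResponse(raw, scriptCookies = []) {
  const { headers } = parseResponse(raw);
  const findings = [];
  for (const sc of headerValues(headers, 'Set-Cookie')) {
    const name = cookieName(sc);
    if (!scriptCookies.includes(name) && !cookieAttrs(sc).includes('httponly')) {
      findings.push(`cookie "${name}" is not marked HttpOnly`);
    }
  }
  const nosniff = headerValues(headers, 'X-Content-Type-Options')
    .some((v) => v.toLowerCase() === 'nosniff');
  if (!nosniff) findings.push('X-Content-Type-Options: nosniff is missing');
  // Only DENY and SAMEORIGIN are accepted; ALLOW-FROM never had consistent
  // browser support and anything else (e.g. ALLOWALL) is not a defence.
  const xfo = headerValues(headers, 'X-Frame-Options').map((v) => v.toUpperCase());
  if (xfo.length === 0) {
    findings.push('X-Frame-Options is missing');
  } else if (!xfo.every((v) => v === 'DENY' || v === 'SAMEORIGIN')) {
    findings.push(`X-Frame-Options has an unrecognised value: ${xfo.join(', ')}`);
  }
  return findings;
}

// Server-side fix: add HttpOnly to every cookie not on the script allow-list,
// and replace any existing nosniff / frame-options headers with hardened ones.
function hardenResponse(raw, { frameOption = 'DENY', scriptCookies = [] } = {}) {
  const { statusLine, headers, body } = parseResponse(raw);
  const out = [];
  for (const [name, value] of headers) {
    const lower = name.toLowerCase();
    if (lower === 'x-content-type-options' || lower === 'x-frame-options') continue;
    if (lower === 'set-cookie' && !scriptCookies.includes(cookieName(value)) &&
        !cookieAttrs(value).includes('httponly')) {
      out.push([name, `${value}; HttpOnly`]);
    } else {
      out.push([name, value]);
    }
  }
  out.push(['X-Content-Type-Options', 'nosniff']);
  out.push(['X-Frame-Options', frameOption]);
  const head = [statusLine, ...out.map(([n, v]) => `${n}: ${v}`)].join('\r\n');
  return `${head}\r\n\r\n${body}`;
}

// Constructed sample: a weak response of the kind Watcher would flag.
// "theme" stands for a cookie the page script legitimately reads.
const WEAK_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=utf-8',
  'Set-Cookie: ASP.NET_SessionId=abc123; path=/',
  'Set-Cookie: theme=dark; path=/',
  'X-Frame-Options: ALLOWALL',
  '',
  '<html>...</html>',
].join('\r\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak:', auditResponse(WEAK_RESPONSE, ['theme']));
  const fixed = hardenResponse(WEAK_RESPONSE, { frameOption: 'SAMEORIGIN', scriptCookies: ['theme'] });
  console.log('hardened:', auditResponse(fixed, ['theme']));
}
```

Run with `node audit.js`: the weak sample yields three findings (the session cookie lacks HttpOnly, nosniff is absent, and ALLOWALL is not a valid X-Frame-Options value), and the hardened copy yields none. Hardening is idempotent, so it can sit in an output filter without stacking duplicate headers. It deliberately does not touch the page body: the frame-breaker script belongs in the page template, and the header is what actually stops framing in browsers that support it.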

There's plenty more to read though.

Posted on: 16 April 2010 at 06:31 hrs

http://www.clerkendweller.com/2010/4/16/Security-Development-Lifecycle-for-Agile-Development
© 2010-2012 clerkendweller.com