SDL 5.1 includes several new, updated and promoted controls, which probably better reflect typical design and coding faults. For example, in Phase 2 - Design, these have been added:
- Mitigate against Cross-Site Scripting (XSS).
- Apply no-open X-Download-Options HTTP header to user-supplied downloadable files.
In security controls for cryptography:
- Provide support for certificate revocation.
- Limit lifetimes for symmetric keys and asymmetric keys without associated certificates.
- Support cryptographically secure versions of SSL (must not support SSL v2).
- Use cryptographic certificates reasonably and choose reasonable certificate validity periods.
During Phase 3 - Implementation, the following requirements have been updated:
- Use minimum code generation suite and libraries.
- Compile native code with the /GS compiler option.
- Use secure methods to access databases.
And still in Implementation, the following have been added/promoted:
- Do not use Microsoft Visual Basic 6 to build products.
- Ensure that regular expressions do not execute in exponential time.
- Harden or disable XML entity resolution.
- Use safe integer arithmetic for memory allocation for new code.
- Use secure cookie over HTTPS.
- AllowPartiallyTrustedCallersAttribute (APTCA) review.
- Mitigate against cross-site request forgery (CSRF).
- Load DLLs securely.
- Minimum ATL Version and Secure COM Coding Requirements.
- Reflection and authentication relay defense.
- Sample code should be SDL compliant.
- Internet Explorer 8 MIME handling: Sniffing OPT-OUT.
- Safe redirect, online only.
- Comply with minimal Standard Annotation Language (SAL) code annotation recommendations.
- Use HeapSetInformation.
- COM best practices.
- Restrict database permissions.
- Use Transport Layer encryption securely.
And finally in Phase 4 - Verification:
- File parsing.
- Network fuzzing.
- Binary analysis.
There are also some changes to the SDL-Agile Requirements.
So, quite a significant update really, with many good recommendations being added or improved upon. Whatever your programming language, it is worth cross-checking these items with your own coding standards.
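As a starting point for that cross-check, here is an added example (not from the SDL documentation) that audits one HTTP response against three of the header-level items above: the no-open download header, the MIME-sniffing opt-out and secure cookies. It assumes the opt-out is sent as `X-Content-Type-Options: nosniff` and the download header as `X-Download-Options: noopen`; the function names and sample responses are constructed for illustration.

```python
# Added example: check a response's headers against three SDL 5.1 items.
# Function names are hypothetical; the sample responses below are constructed.

def _values(headers, name):
    """All values of a header, matched case-insensitively (headers can repeat)."""
    return [v.strip() for k, v in headers if k.lower() == name.lower()]

def _cookie_attrs(set_cookie):
    """Lower-cased attribute names of a Set-Cookie value.
    The first ';'-separated part is name=value and is skipped, so a cookie
    that is merely *named* 'secure' is not mistaken for the attribute."""
    return {p.split("=", 1)[0].strip().lower() for p in set_cookie.split(";")[1:]}

def audit_response(headers):
    """Return a list of findings for a list of (name, value) header tuples."""
    findings = []
    # IE8 MIME handling: sniffing opt-out.
    if "nosniff" not in [v.lower() for v in _values(headers, "X-Content-Type-Options")]:
        findings.append("missing X-Content-Type-Options: nosniff")
    # no-open header on user-supplied downloadable files.
    is_download = any(v.lower().startswith("attachment")
                      for v in _values(headers, "Content-Disposition"))
    if is_download and "noopen" not in [v.lower() for v in _values(headers, "X-Download-Options")]:
        findings.append("download without X-Download-Options: noopen")
    # Secure cookie over HTTPS: every cookie needs the Secure attribute.
    for cookie in _values(headers, "Set-Cookie"):
        if "secure" not in _cookie_attrs(cookie):
            findings.append(f"cookie '{cookie.split('=', 1)[0]}' lacks Secure attribute")
    return findings

WEAK = [  # constructed sample: download response with none of the controls
    ("Content-Type", "text/html"),
    ("Content-Disposition", 'attachment; filename="report.html"'),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
]
HARDENED = [  # constructed sample: same response with the controls applied
    ("Content-Type", "text/html"),
    ("Content-Disposition", 'attachment; filename="report.html"'),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Download-Options", "noopen"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(resp) or "no findings")
```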
Posted on: 03 May 2011 at 08:43 hrs