03 May 2011

Microsoft SDL Process Guidance Update 5.1

Microsoft has released their annual update to the Security Development Lifecycle (SDL) Process Guidance.

Photograph of a high barred access gate with signs saying 'Caution - Anti-climb Paint', 'Warning - These Premises Are Protected by...' and an observation mirror mounted on a wall in the background

SDL 5.1 includes several new, updated and promoted controls which probably reflect better more typical design and coding faults. For example in Phase 2 - Design, these have been added:

  • Mitigate against Cross-Site Scripting (XSS).
  • Apply no-open X-Download-Options HTTP header to user-supplied downloadable files.

In security controls for cryptography:

  • Provide support for certificate revocation.
  • Limit lifetimes for symmetric keys and asymmetric keys without associated certificates.
  • Support cryptographically secure versions of SSL (must not support SSL v2).
  • Use cryptographic certificates reasonably and choose reasonable certificate validity periods.

During Phase 3 - Implementation, the following requirements have been updated:

  • Use minimum code generation suite and libraries.
  • Compile native code with /GS compiler.
  • Use secure methods to access databases.

And still in Implementation, the following have been added/promoted:

  • Do not use Microsoft Visual Basic 6 to build products.
  • Ensure that regular expressions must not execute in exponential time.
  • Harden or disable XML entity resolution.
  • Use safe integer arithmetic for memory allocation for new code.
  • Use secure cookie over HTTPS.
  • AllowPartiallyTrustedCallersAttribute (APTCA) review.
  • Mitigate against cross-site request forgery (CSRF).
  • Load DLLs securely.
  • Minimum ATL Version and Secure COM Coding Requirements.
  • Reflection and authentication relay defense.
  • Sample code should be SDL compliant.
  • Internet Explorer 8 MIME handling: Sniffing OPT-OUT.
  • Safe redirect, online only.
  • Comply with minimal Standard Annotation Language (SAL) code annotation recommendations
  • Use HeapSetInformation.
  • COM best practices.
  • Restrict database permissions.
  • Use Transport Layer encryption securely.

And finally in Phase 4 - Verification:

  • File parsing.
  • Network fuzzing.
  • Binary analysis.

There are also some changes to the SDL-Agile Requirements.

So, quite a significant update really, with many good recommendations being added or improved upon. Whatever your programming language, it is worth cross-checking these items with your own coding standards.

Posted on: 03 May 2011 at 08:43 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

Comments

Comments are filtered automatically and should appear shortly after they been checked.

Post a comment
Confirm acceptance and understanding of the terms of use
New posts to this thread will be sent to your email address
Microsoft SDL Process Guidance Update 5.1
http://www.clerkendweller.com/2011/5/3/Microsoft-SDL-Process-Guidance-Update-51
ISO/IEC 18004:2006 QR code for http://clerkendweller.com

Page http://www.clerkendweller.com/2011/5/3/Microsoft-SDL-Process-Guidance-Update-51
Requested by 184.73.7.143 on Wednesday, 19 June 2013 at 06:54 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2011-2013 clerkendweller.com