For customers in free-fall

Jan 19, 2010 10:29 GMT

At Microsoft, security work focuses on more than simply bulletproofing the company’s own products; it also extends to educating third-party professionals on the steps needed to secure their own software and environments. At the start of this week, the software giant made available the company’s Quick Security References (QSRs): security guidance whitepapers designed to let IT pros quickly find the resources and information they need to fend off common attacks active in the wild.

Jeremy Dallman, security program manager on the Security Development Lifecycle Team, noted that the QSRs are guidance papers for IT pros who have just discovered that the infrastructure they are responsible for is under attack, or has even been compromised, and who do not know what to do next. Dallman promises that the QSRs will serve as guidance on how to open a parachute for people already in free-fall.

“A QSR is designed to provide the information necessary to quickly understand and address specific security threats from the perspectives of four IT-focused job roles (business decision makers, architect/program manager, developer, and tester). QSRs will also help establish security practices and provide a framework for addressing future incidents,” Dallman stated. “For those familiar with the SDL Optimization Model, the guidance contained in a QSR is targeted at organizations that fall into the ‘Basic’ level of organizational maturity.”

At the start of this week, the Redmond company made the first two QSRs available for download. The references, offered to customers as free downloads on January 18th, 2010, provide guidance on how to handle scenarios involving Cross-Site Scripting (XSS) and SQL Injection attacks.

“We chose these two topics since they represent the most common attack types a development or IT Pro team will encounter today,” Dallman added. “These papers were the result of some collaboration with some experts in both XSS and SQL Injection. I would like to thank each of them for sharing their knowledge and contributing to the paper.”