As Microsoft prepares for S+S

May 5, 2008 10:51 GMT

Windows Vista was the first product to come out of Redmond developed under the comprehensive guidelines of the Security Development Lifecycle, also known as SDL. Windows Server 2008 was built under SDL as well, and Microsoft now applies the advanced secure development practices, guidelines and resources to all new products, including those in the cloud. Bryan Sullivan, Security Product Manager on the SDL team, revealed that the Redmond company is currently hard at work adapting SDL to the development process of web applications, a move increasingly necessary as Microsoft makes headway with its Software + Services strategy.

The main difference between web applications and box products is the release cycle. While two- or three-year-long release cycles are not uncommon for box offerings, web solutions generally hit the market within months or even weeks of the moment the projects get the green light.

"This presents something of a dilemma from a security standpoint. We can't and won't allow our software to be released with known security vulnerabilities, but we also need to allow teams to spend the grand majority of their time implementing new features. In order to reconcile these requirements, we need to continue to adapt the SDL to the needs of lightweight, agile development teams," Sullivan said.

Sullivan even pointed to the end of this summer for the first taste of the new SDL, one that would permit the same level of security built into Windows Vista and Windows Server 2008 to be offered with web applications. "I'm currently working with Michael [Michael Howard is a Senior Security Program Manager in the Security Engineering group at Microsoft] and several other people in teams across the company (including Online Services Security & Compliance, ACE, and SWI) to make these changes in the SDL, to fine-tune it so that it works even better for online services and other short-release-cycle products than it does already," Sullivan added.

With the new SDL, Microsoft is looking to provide additional security mitigations that protect end users against the most common web application vulnerabilities, which, according to the Open Web Application Security Project, are (in order of their importance): "Cross-Site Scripting; Injection Flaws; Malicious File Execution; Insecure Direct Object Reference; Cross Site Request Forgery; Information Leakage and Improper Error Handling; Broken Authentication and Session Management; Insecure Cryptographic Storage; Insecure Communications and Failure to Restrict URL Access."

"Today, the single biggest threat to Web application security is the Cross-Site Scripting (XSS) vulnerability. In fact, I'll go so far as to say that XSS is the new buffer overflow, the Public Enemy #1 for Web applications. With a successful XSS exploit, an attacker may be able to accomplish all of the following: hijack the victim's application session and impersonate him/her; phish the victim's username and password; log the victim's keystrokes and send them back to the attacker; forge malicious requests with the victim's authentication credentials, create a worm that will attack not only the victim but all of the victim's email contacts, and all of their contacts, and so on," Sullivan explained.