How to open a parachute during free-fall: Introducing Quick Security References (QSRs)

Jeremy Dallman here to tell you about some new security guidance papers we are releasing today.

 

“My company was just attacked by something called SQL Injection! I have no idea what that is, or what I should do next! Where do I start?”

 

Unfortunately, this is a frequent scenario for many developers and IT Pros who have just discovered their systems, websites or applications have been compromised.

 

We’ve spoken to a number of people in the IT community who equate this to being tossed a parachute and thrown out of a plane into free-fall with no idea what to do next.  These folks know the parachute will help them, but need a quick and easy way to find the D-Ring.

 

Today we are releasing the first of a new type of security guidance paper. We are calling them “Quick Security References” (QSRs). 

 

A QSR is designed to provide the information necessary to quickly understand and address specific security threats from the perspectives of four IT-focused job roles (business decision makers, architect/program manager, developer, and tester).  QSRs will also help establish security practices and provide a framework for addressing future incidents. 

 

For those familiar with the SDL Optimization Model, the guidance contained in a QSR is targeted at organizations that fall into the “Basic” level of organizational maturity.

 

The first two QSRs focus on Cross-Site Scripting and SQL Injection. We chose these two topics since they represent the most common attack types a development or IT Pro team will encounter today.

 

These papers were the result of some collaboration with some experts in both XSS and SQL Injection. I would like to thank each of them for sharing their knowledge and contributing to the paper.

 

Acknowledgements:

 

For the XSS paper:

 

Contributors: Jeremiah Grossman, Robert  Hansen, Gareth Heyes, Dennis Hurst, David Ladd, Eric Lawrence, Katie Moussouris, Billy Rios, David Ross, Bryan Sullivan, and Jeremy Dallman.

 

For the SQL Injection paper:

 

Author: Bala Neerumalla

 

Contributors: Raul Garcia, David Ladd, Katie Moussouris, Bryan Sullivan, and Jeremy Dallman

 

The QSR papers can be accessed from the SDL website or downloaded directly from the Microsoft Download Center.