Jeremy Dallman here to announce that we are releasing the latest version of the Microsoft Security Development Lifecycle process guidance – Version 5 (SDLv5). It is now available for download as well as updated in the MSDN library.
We have released incremental updates to the SDL process guidance document since 2008 in an effort to provide transparency into how we implement the SDL at Microsoft. If you are just getting started on investigating or implementing the SDL, we would encourage you to start with the SDL Optimization Model and the Simplified Implementation of the SDL paper and then use the SDLv5 guidance as an additional reference tool as needed for your own implementation.
What is new in the SDLv5 documentation?
We made a handful of significant changes in SDLv5 documentation. I summarize them below, but also encourage you to read the document for the detailed notes related to each (search in document for “New for SDL 5.0” and “Updated for SDL 5.0”).
1. SDL for Agile included: The largest change in SDLv5 is the inclusion of SDL for Agile Development as an Addendum at the end. We took the SDL-Agile guidance that was published in November 2009 and included it in the parent SDL document to make it a one-stop resource.
2. New and updated security requirements and recommendations
Requirements Phase (1 new)
· Include third-party code licensing security requirements in all new contracts.
Design Phase (3 new)
· Hardware: Perform hardware security design review.
· Server/SaaS: Perform integration-points security design review.
· Web application: Implement strong log-out and session management
Implementation Phase (10 new, 1 update)
· Use Secure methods to access databases
· Avoid LINQ ExecuteQuery
· Avoid EXEC in stored procedures
· Update: new minimum required versions for code analysis tools (also see Appendix E)
· Web applications: Use HTTPOnly cookies.
· Implement reflection and authentication relay defense.
· NULL out free’d memory pointers in new code
· All sample code should be SDL compliant
· Internet Explorer 8 MIME handling: HTTP response sniffing opt-out
· Lock ActiveX controls to a defined set of domains
· Verify use of ClickJacking defenses in code
Verification Phase (2 new, 2 updates)
· Network fuzzing: Any new network parsers must be able to accept 100,000 malformed packets without failure
· Update: Web applications: Use ViewStateUserKey or ValidateAntiForgeryTokenAttribute against CSRF attacks
· Update: Do not use banned APIs in old or new code
· Web applications: Use a passive security auditor
Feel free to email ask questions via the email feature in the blog or the comments section below.