Applying the SDL at Windows Live

Jeremy Dallman here to introduce a new paper, released earlier this week, that describes the Windows Live team’s implementation of the SDL in their web application scenario. The paper joins our other internal SDL case studies and white papers in the Publications section of our SDL web portal and can also be downloaded directly:

Applying the SDL at Windows Live.

The Windows Live™ team adopted many of the newer Web-focused requirements of the SDL. This paper summarizes these new requirements, describes the process that the Windows Live team followed in integrating the SDL starting with Wave 2, and captures some of the lessons that they learned along the way. This paper also describes how the use of SDL by the Windows Live team has evolved, starting with Windows Live Wave 2, through Windows Live Wave 3, and on to the upcoming release, Windows Live Wave 4.

This paper focuses on two classes of Windows Live products:

· Web applications, such as Windows Live Hotmail®, running on Web servers hosted for Microsoft.

· Client applications, such as Windows Live Messenger, running on users’ desktops.

The security threats and mitigations for these two classes of products are very different. The most common vulnerabilities observed in the Web applications are cross-site scripting (XSS), cross-site request forgery (XSRF), open redirects (XSRs), and JavaScript Object Notation (JSON) hijacking. In the client applications, past vulnerabilities are most often buffer overflows and integer overflows. Some other common vulnerability classes, such as Structured Query Language (SQL) injection, are not as prevalent in Windows Live products because those products make limited use of SQL.

This paper walks you through, phase by phase, how the Windows Live team mitigated these threats by implementing the SDL, and in doing so gives a good view of how the SDL is applied by web application development organizations inside Microsoft.