One New QSR
Jeremy Dallman of the Microsoft Security Development Lifecycle (SDL) recently announced the availability of a new Quick Security Reference (QSR) document.
These are papers which look at specific security threats from certain particular IT job role perspectives, viz. business decision makers, architects / program managers, developers, and testers. Jeremy describes the place of these documents in the Security Development Lifecycle as follows. If a security related attack is like being thrown out of your plane into free fall, and the SDL is your parachute, then QSRs are a quick and easy way to find the D-Ring...
The new paper covers the subject of Exposure of Sensitive Information. This is not one of the catchy exploit-named areas of security, but it's an increasingly important aspect of your strategy in times when the failure to protect information and its accidental disclosure are increasingly being targeted in the search for vulnerabilities.
Our company has ISO 27001 certification as a business, but we are still just at the very start of the process to introduce adoption of the SDL maturity levels (below) into our software design, development and test practices.
Along with the extensive SDL Implementers' Guides, these excellent little quick reference documents - and this new one in particular - will be extremely useful training resources in the coming months. Even more so in fact, now that all SDL documentation is available under a Creative Commons licence. That includes for example, the flashy colour graphics in this article!
Two Old QSRs
Reminder: the first two QSRs cover the perennially popular subjects of Cross-Site Scripting and SQL Injection, topics chosen because they represent the most common attack types that almost any Development or IT Professional team will encounter today: