Blog Series: Get Familiar with the SDL-LOB Process. Introduction to Phase Three: Implementation for LOB.

Hello, Anmol here. In this blog series I’ll discuss the Security Development Lifecycle for Line-of-Business applications (SDL-LOB) process, covering all 5 phases. Today I’ll discuss Phase Three: Implementation for LOB. The SDL-LOB defines the standards and best practices for providing security and privacy for new and existing line-of-business (LOB) applications that are currently under development or being planned for development. If you missed the prior phases, here’s Phase 1 and Phase 2.

Highlights for phase three are:

· Incorporate Security Checklist and Review Policies

· Conduct ‘Self’ Code Review

· Run Code Analysis Tools and Incorporate Security Libraries

You may be wondering, what is a ‘self’ review? A ‘self’ review involves assessing your application to ensure it complies with security checklists and standards, and conducting a self-directed code review and code analysis of the application. This internal review is performed by the application development team itself. It’s important for development teams to adopt secure coding techniques and methodologies; the next step is to incorporate documented coding practices and form a security checklist. A checklist creates a threshold for you to measure against, i.e., at minimum these items must be met. Using a security checklist is not a new concept; however, ensuring that items not met on the checklist are sufficiently documented and accounted for is the key to its effectiveness. See the checklist items in the Security Checklist Index from Microsoft Patterns and Practices.

In this phase, development teams also conduct an independent “self” code review. To perform this task, Microsoft offers several security tools, including static analysis, runtime security tools and libraries. The Anti-XSS library can protect ASP.NET Web-based applications from XSS (cross-site scripting) attacks. It offers a more rigorous “white-list” approach than the native encoding methods found in .NET: only characters known to be safe pass through unencoded, and everything else is encoded. Run CAT.NET on managed code (C#, Visual Basic .NET, J#) applications. CAT.NET is a snap-in to the Visual Studio IDE that helps you identify exploitable code paths for security vulnerabilities such as XSS, SQL Injection, Process Command Injection and more. Get familiar with the SDL-LOB document to learn more about the available tools and for additional details on how to perform internal reviews for your application.
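To make the “white-list” idea concrete, here is a small constructed C# encoder that follows the same principle (pass through only a short safe list, numerically encode everything else, including surrogate pairs as one code point); it is an added illustration written for this post, not the Anti-XSS library’s own code, and the ASP.NET page in the comments is hypothetical.

```csharp
using System;
using System.Text;

// Illustration of white-list output encoding: anything not on the safe list is
// encoded, so unusual or newly discovered dangerous characters default to "unsafe".
public static class WhiteListHtmlEncoder
{
    // Only these characters are written to the page unchanged.
    private static bool IsSafe(char c)
    {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
            || c == ' ' || c == '.' || c == ',' || c == '-' || c == '_';
    }

    public static string HtmlEncode(string input)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;
        var sb = new StringBuilder(input.Length * 2);
        for (int i = 0; i < input.Length; i++)
        {
            char c = input[i];
            if (IsSafe(c))
            {
                sb.Append(c);
            }
            else if (char.IsHighSurrogate(c) && i + 1 < input.Length && char.IsLowSurrogate(input[i + 1]))
            {
                // Encode a supplementary character as a single numeric entity, not two halves.
                sb.Append("&#").Append(char.ConvertToUtf32(c, input[i + 1])).Append(';');
                i++;
            }
            else
            {
                sb.Append("&#").Append((int)c).Append(';'); // numeric character reference
            }
        }
        return sb.ToString();
    }
}

// Hypothetical ASP.NET code-behind, constructed for this post:
//   Vulnerable: Response.Write("Hello " + Request.QueryString["name"]);
//   Fixed:      Response.Write("Hello " + WhiteListHtmlEncoder.HtmlEncode(Request.QueryString["name"]));
public class Demo
{
    public static void Main()
    {
        string untrusted = "<script>alert('x')</script>"; // constructed sample input
        Console.WriteLine(WhiteListHtmlEncoder.HtmlEncode(untrusted));
    }
}
```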

Next time I’ll discuss Phase Four: Verification for LOB. Till then happy & secure coding.

-Anmol Malhotra
Senior Security Engineer
ACE Team