Pre-SDL Requirements: Security Training for LOB
In this section and in the remainder of the SDL-LOB, only supplements to the original SDL are highlighted. To create a complete security plan for LOB applications, you should consult each section of the main SDL and the supplemental information contained in each phase of the SDL-LOB.
In addition to the basic concepts outlined in the main SDL, LOB training should include the following additional topics:
Basic Concepts
- Secure design, including the following topics:
  - Authentication
  - Authorization
  - Asset handling
  - Auditing and logging
  - Secure communication. The HTTP data for web applications travels across networks in plain text and is subject to network eavesdropping attacks. This also applies to client-to-server and server-to-server communication.
- Secure coding, including the following topics:
  - Integer overflow/underflow
  - Input validation and handling
- Regulatory, which can include the following topics:
  - Compliance with SOX, HIPAA, GLBA, PCI
Resources
- Security Training: See Securing Applications on MSDN
- SDL Quick Security Reference: SQL Injection
Content Disclaimer
This documentation is not an exhaustive reference on the SDL process as practiced at Microsoft. Additional assurance work may be performed by product teams (but not necessarily documented) at their discretion. As a result, this example should not be considered as the exact process that Microsoft follows to secure all products. This documentation is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. This documentation does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. © 2012 Microsoft Corporation. All rights reserved. Licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported