I was intrigued by this comment and decided to find some statistics that could spark a healthy discussion. Being one of Murphy's fans (the man and the
One of the first pages that Google ranked for me was Microsoft's Secure Development Life Cycle blog. In one of the articles I read, Michael was discussing the recent SQL injection attack, and his advice was clear:
I think the first lesson from this attack is this:
If you have a Web server (doesn't matter what type), and it's hooked up to a database (doesn't matter what type) you need to go in and review your code that performs the database work.
Great. Code review is not too tough; even someone like me can handle it. What's next?
So now that you've determined the database access code, now what? The SDL is very specific about what to do here. There are three requirements - they are requirements, not recommendations, which means you must do the following coding requirements and defenses:
- Use SQL Parameterized Queries
- Use Stored Procedures
- Use SQL Execute-only Permission
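As an added illustration of the first requirement (example code written for this post, not from the blog or from Microsoft's SDL), here is the same lookup written the way a code review should flag it and the way the SDL requires it, using an in-memory SQLite table as a constructed stand-in for the web application's database:

```python
import sqlite3


def build_db():
    """Constructed sample data: an in-memory SQLite table standing in for the
    back-end store (assumption: the mechanism is the same on any SQL database)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_email_concat(conn, username):
    """The pattern the review should flag: user input pasted into the SQL text.
    The database cannot tell where the query ends and the data begins."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_param(conn, username):
    """Requirement 1 from the list above: a parameterized query. The SQL text
    is fixed; the input travels separately as a bound value, never as code."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    """Run both variants on the same input and return the results side by side,
    which is how a reviewer confirms the rewrite actually changed behaviour."""
    conn = build_db()
    return lookup_email_concat(conn, username), lookup_email_param(conn, username)


if __name__ == "__main__":
    # A normal username: both variants agree.
    print(compare("alice"))
    # The textbook tautology input: the concatenated query returns every row,
    # the parameterized one treats the whole string as a username and finds nothing.
    print(compare("nobody' OR '1'='1"))
```

Stored procedures and execute-only permissions (requirements 2 and 3) depend on the database product and are not shown in this SQLite example.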
Microsoft is one of the greatest SDLC evangelists. In March 2005, they provided some statistics about The Trustworthy Computing Security Development Lifecycle. This document shows how SDLC can reduce the number of critical vulnerabilities. It will not reduce them to zero, but it will certainly improve overall security. The following diagrams illustrate some of the benefits of SDLC:
Impressive. SDLC minimizes the risk (though it does not completely eliminate it).
How long does it take?
Microsoft's document states different numbers, so let's pick the shortest period:
During the release phase, the software should be subject to a Final Security Review ("FSR"). The goal of the FSR is to answer one question. "From a security viewpoint, is this software ready to deliver to customers?" The FSR is conducted two to six months prior to software completion, depending on the scope of the software. The software must be in a stable state before the FSR, with only minimal non-security changes expected prior to release.
In other words, it will take weeks to months (depending on the size of the code) before vulnerabilities in the code are detected. Not to mention bugs introduced at the last minute, or bugs that were NOT discovered during the review.
Give SQL Injection (as well as other application vulnerabilities) the respect it deserves. Use a system that is capable of preventing attacks while the developers fix the code. Use Application Data Security solutions.