Author Topic: Windows Live Messenger Wave 4 Bulletproofed Just Like Windows 7, Through SDL  (Read 551 times)

Online javajolt


The rich clients and services that make up the next generation of the Windows Live suite have been bulletproofed against security threats using the same strategy that proved a success for major Microsoft software products such as Windows 7 and Windows Vista. Essentially, the Redmond company applied the Security Development Lifecycle (SDL) to Windows Live Wave 4’s web applications, including Windows Live Hotmail, but also additional services running on web servers hosted for Microsoft such as SkyDrive, for example. In addition, the client applications were also built per SDL’s best practices, including Windows Live Messenger, Mail, Photo Gallery, etc.

Microsoft is now offering a new whitepaper for download, detailing the SDL-related work done with the development of Windows Live Wave 4. “Applying the Security Development Lifecycle at Windows Live” is available through the Microsoft Download Center, free of charge, of course.

“The Windows Live team adopted many of the newer Web-focused requirements of the SDL. This paper summarizes these new requirements, describes the process that the Windows Live team followed in integrating the SDL starting with Wave 2, and captures some of the lessons that they learned along the way. This paper also describes how the use of SDL by the Windows Live team has evolved, starting with Windows Live Wave 2, through Windows Live Wave 3, and on to the upcoming release, Windows Live Wave 4,” Jeremy Dallman, one of the security gurus behind SDL, reveals.

Dallman emphasizes that, while developing Windows Live Wave 4, Microsoft had to tailor SDL to the specific products comprised in the suite. In this regard, cloud-based applications require a certain approach, as they are targeted by specific threats, while desktop clients need to be secured against other risks.

“The most common vulnerabilities observed in the Web applications are cross-site scripting (XSS), cross-site request forgery (XSRF), open redirects (XSRs), and JavaScript object notation (JSON) hijacking. In the client applications, past vulnerabilities are often due to buffer overflows and integer overflows. Some other common security vulnerabilities, such as Structured Query Language (SQL) injection attacks, are not as prevalent in Windows Live products because of their limited use of SQL,” Dallman adds.


As the rest of Windows Live Wave 4 services and clients