Jeremy Dallman here to tell you about some new security guidance papers we are releasing today.

“My company was just attacked by something called SQL Injection! I have no idea what that is, or what I should do next! Where do I start?”

Unfortunately, this is a frequent scenario for many developers and IT Pros who have just discovered their systems, websites or applications have been compromised.

We’ve spoken to a number of people in the IT community who equate this to being tossed a parachute and thrown out of a plane into free-fall with no idea what to do next. These folks know the parachute will help them, but need a quick and easy way to find the D-Ring.

Today we are releasing the first of a new type of security guidance paper. We are calling them “Quick Security References” (QSRs).

A QSR is designed to provide the information necessary to quickly understand and address specific security threats from the perspectives of four IT-focused job roles (business decision makers, architect/program manager, developer, and tester). QSRs will also help establish security practices and provide a framework for addressing future incidents.

For those familiar with the SDL Optimization Model, the guidance contained in a QSR is targeted at organizations that fall into the “Basic” level of organizational maturity.

The first two QSRs focus on Cross-Site Scripting and SQL Injection. We chose these two topics since they represent the most common attack types a development or IT Pro team will encounter today.

These papers are the result of collaboration with experts in both XSS and SQL Injection. I would like to thank each of them for sharing their knowledge and contributing to the papers.

For the XSS paper:

Contributors: Jeremiah Grossman, Robert Hansen, Gareth Heyes, Dennis Hurst, David Ladd, Eric Lawrence, Katie Moussouris, Billy Rios, David Ross, Bryan Sullivan, and Jeremy Dallman.

For the SQL Injection paper:

Author: Bala Neerumalla

Contributors: Raul Garcia, David Ladd, Katie Moussouris, Bryan Sullivan, and Jeremy Dallman.

The QSR papers can be accessed from the SDL website or downloaded directly from the Microsoft Download Center.