My first MSDN document has been published. "Team Foundation Server (TFS) and the Open Web Application Security Project (OWASP) Top Ten" describes how TFS addresses the ten most common threats to web applications.
Recently, our sales guys were working with a customer that has an IT policy which states that any web application they deploy internally must be compliant with the Open Web Application Security Project’s (OWASP) Top Ten Threats. This applies to both custom-developed software and off-the-shelf software.
The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. The OWASP Top Ten provides a powerful awareness document for Web application security. The OWASP Top Ten represents a broad consensus about what the most critical Web application security flaws are. The current version is the OWASP Top Ten 2007.
Even though the OWASP Top Ten shouldn’t be used as a policy or standard, we weren’t in a position to argue this point and were tasked to prove that TFS itself is compliant with the threats.
It was an interesting process learning about the different projects and initiatives. In the end it turned out that Microsoft employs a few of the founders of the OWASP project, and they now work on the SDL team.
The core of it comes down to the fact that the engineering teams at Microsoft practice the Security Development Lifecycle, which covers these threats.
The Microsoft Security Development Lifecycle (SDL) is the industry-leading software security assurance process. A Microsoft-wide initiative and a mandatory policy since 2004, SDL has played a critical role in embedding security and privacy into Microsoft software and culture. Combining a holistic and practical approach, SDL introduces security and privacy early and throughout the development process.
Every shipping Microsoft product must be approved by the Secure Windows Initiative (SWI) team and go through a process of review and registration in a central repository. Visual Studio Team System 2008 Team Foundation Server SP1 has achieved compliance with Microsoft’s Security Development Lifecycle (SDL).