Microsoft releases Cross Site Scripting Security reference.
Cross-site scripting attacks are on the rise because they are easy for attackers to craft and execute. In addition, they allow attackers to gather the most valuable content (user data) rapidly and in a manner that can easily go unnoticed by the user and often the Web site or application itself. As XSS attacks continue, it is imperative that development organizations prepare themselves with the solutions needed to rapidly address the problems as they occur. It is equally important that long-term solutions including security policies/requirements are in place to design, implement, verify, and release code that proactively protects your customers from XSS attacks.
Microsoft has released another document as part of their SDLC document library. This time is a 21 page document titled “Quick Security Reference : Cross Site Scripting”. The scope of this document is to increase awareness of XSS Vulnerabilities to each persona involved in software development. In particular Microsoft identifies four different roles: Business decision maker, architect, developer and tester.
Quick Security Reference Cross Site Scripting Reference also includes results of a basic survey of software companies that have established practices for fixing vulnerabilities that lead to attacks approximate that the costs associated with remediating a Web site that has encountered XSS like attack is around 40-man-hours per incident. That cost combined with the cost of hiring or training engineer to address the problem (~100$/hour) and the average number of seven XSS (or similar) exploitable vulnerabilities per Web site brings the total estimated cost to $28,000 to fix each problem reactively.
Figure 1. “12 Web application vulnerabilities between January 2006 and June 2007” shows XSS at the top of the ladder leaving no doubt that XSS is definitely one of the most exploited vulnerabilities in today applications.
Each persona is then introduced to different topics related to XSS, strictly related to their role and responsibilities. An architect will be more involved in Input Validation Rules, Output encoding strategies, Future Design Considerations rather then Identifying Untrusted Input and Writing Secure Code just to mention few. Useful insights on how to identify and classify an XSS type vulnerability (Reflected, Stored, Local) and software development best practices are also part of the document.
In conclusion; Software developers may find this document surprisingly useful as it covers almost everything they need to know in order to prevent, discover, mitigate and fix XSS vulnerabilities.
