It's interesting that the Microsoft Security Development Lifecycle is approaching XSS attacks in the same way desktop vulnerabilities (buffer overruns, for example) are tackled.
In a sense, the SDL is metasecurity -- while still addressing direct security issues (individual attacks and vulnerabilities), the SDL also looks at the process by which applications are written and prevents future vulnerabilities from being created in the first place. And on the meta-meta-level, the SDL also examines the SDL itself.
I'm only quoting a small part of the article. Please read the whole thing and follow the links out -- there is a lot of interesting work being done around XSS at Microsoft right now.
From Steve Lipner via the SDL Blog:
David's years of work researching XSS led him to come up with an approach that blocks many of the most common vulnerabilities to reflected attacks found on the web today. The solution is compatible with existing web pages (doesn't "break the web") and thus we were able to enable it by default for users of Internet Explorer 8. Because it's a client-side mitigation, it will help protect users from attacks even though the sites they visit may be vulnerable to XSS.
Our work on buffer overrun defenses follows a somewhat similar pattern - we started by prescribing coding techniques, banning the use of some APIs, and building tools that detect coding constructs that look like buffer overruns. [From The Security Development Lifecycle : SDL and the XSS Filter]
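To make the "client-side mitigation" idea concrete, here is an added toy model of what a browser-side reflected-XSS filter does. It is example code written for this post, not Microsoft's code and not the IE8 XSS Filter's actual heuristics; the page names (`example.test`), the `q` parameter and the regex patterns are assumptions. The point it illustrates is the one Lipner makes: the browser sees both the request and the response, so it can notice when script-like input from the URL is echoed back into the page, and neuter it, even though the site itself remains vulnerable.

```javascript
// Added illustrative example (not the IE8 XSS Filter). Models the principle of
// a client-side reflected-XSS mitigation: compare what the request carried with
// what the response echoes, and break script-like constructs that were reflected.

// Patterns that make a URL parameter value "script-like". Deliberately simple;
// real filters use far more elaborate heuristics.
const SCRIPT_LIKE = [
  /<script\b/i,        // script tags
  /\bon[a-z]+\s*=/i,   // inline event handlers, e.g. onerror=
  /javascript\s*:/i,   // javascript: URLs
];

// Simulated vulnerable server: reflects the "q" parameter into HTML
// without encoding. Constructed sample; deliberately vulnerable.
function vulnerableSearchPage(url) {
  const q = new URL(url).searchParams.get("q") ?? "";
  return `<html><body><p>Results for: ${q}</p></body></html>`;
}

// Simulated fixed server: HTML-encodes the reflected value. This is the real
// fix; the client-side filter below is only defence in depth.
function safeSearchPage(url) {
  const q = new URL(url).searchParams.get("q") ?? "";
  const encoded = q.replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
  return `<html><body><p>Results for: ${encoded}</p></body></html>`;
}

// Returns the list of query-string values that look like script AND appear
// verbatim in the response body, i.e. candidate reflected-XSS payloads.
function findReflectedPayloads(url, responseBody) {
  const hits = [];
  for (const value of new URL(url).searchParams.values()) {
    if (value.length < 8) continue; // ignore trivially short values
    const scriptLike = SCRIPT_LIKE.some(re => re.test(value));
    if (scriptLike && responseBody.includes(value)) hits.push(value);
  }
  return hits;
}

// Models the filter's effect: the browser rewrites the reflected payload so the
// script-like constructs no longer parse as executable, and leaves the rest of
// the page alone (so it "doesn't break the web" for benign requests).
function neuterReflectedXss(url, responseBody) {
  let out = responseBody;
  for (const payload of findReflectedPayloads(url, responseBody)) {
    const broken = payload
      .replace(/<script\b/gi, "<sc#ipt")
      .replace(/\bon([a-z]+)\s*=/gi, "on$1#=")
      .replace(/javascript\s*:/gi, "javascr#pt:");
    out = out.split(payload).join(broken);
  }
  return { body: out, blocked: out !== responseBody };
}

// Usage (constructed URLs):
const attackUrl =
  "https://example.test/search?q=" + encodeURIComponent("<script>alert(1)</script>");
const benignUrl =
  "https://example.test/search?q=" + encodeURIComponent("security development lifecycle");

console.log(neuterReflectedXss(attackUrl, vulnerableSearchPage(attackUrl)).blocked); // true
console.log(neuterReflectedXss(benignUrl, vulnerableSearchPage(benignUrl)).blocked); // false
console.log(neuterReflectedXss(attackUrl, safeSearchPage(attackUrl)).blocked);       // false
```

Two things worth noticing in the model. First, the filter fires only when the payload is reflected verbatim: against the properly encoding `safeSearchPage` it does nothing, because the site has already fixed the bug on the server. Second, it only inspects the request/response pair it can see, so it addresses reflected XSS and not stored or DOM-based variants. Browser-side filters of this kind also accumulated bypasses and side effects in practice, and browser vendors eventually retired them; they were always a mitigation layered on top of output encoding, not a replacement for it.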