github / VisualStudio

GitHub Extension for Visual Studio
https://visualstudio.github.com
MIT License

Security tenet: Fuzz testing #2284

Open meaghanlewis opened 5 years ago

meaghanlewis commented 5 years ago

We need to perform fuzz testing around the following areas:

- All applicable file parsers must be fuzz tested and issues fixed: https://devdiv.visualstudio.com/DevDiv/_workitems/edit/803976

Onboard to Microsoft Security Risk Detection (aka Project Springfield), fuzz test your application, and triage resulting bugs according to the SDL bug bar. All failures must be tracked as bugs, triaged according to the SDL Bug Bar and all critical, important, or moderate security bugs must be fixed. (Note: here's a related URL: http://aka.ms/msrd)

Note:

- Native network protocol parsers must be fuzz tested and issues fixed: https://devdiv.visualstudio.com/DevDiv/_workitems/edit/803974

A network interface (i.e. network protocol parser) must be fuzz tested if it receives network traffic from an untrusted or less privileged source, or where the traffic may have been tampered with en route. (This includes traffic originating from an authenticated source.)

Verify all network parsers are able to withstand 100,000 malformed packets.

Note:

- RPC/IPC Listeners, URI Protocol Handlers and other types of interfaces must be fuzz tested and issues fixed: https://devdiv.visualstudio.com/DevDiv/_workitems/edit/803972

There are a number of ways for programs to pass data between themselves, including traditional RPC/IPC and URI protocol handlers.

All "listeners" implemented in applicable programming languages are in-scope and must be fuzzed accordingly. For RPC interfaces where data crosses a trust boundary or could originate from a less trusted source, you must complete 24 hours of fuzzing and triage and fix bugs according to the SDL Bug Bar.

Note:
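The requirement above to push a large volume of malformed input through a parser and track every failure as a bug can be checked with a small mutational harness. This is an added example, not code from the extension: it fuzzes a constructed, hypothetical URI protocol handler (`x-example://`), buckets every unexpected exception by type and source line so each distinct defect is filed once with a reproducer, and shows the naive handler beside one that rejects bad input only through a single contract exception.

```python
import random, traceback

SEED = b"x-example://open?repo=octo/demo"  # constructed seed; hypothetical scheme

class MalformedInput(Exception): pass  # contract for rejecting input; anything else is a bug

def parse_uri_v1(data: bytes) -> dict:  # naive: errors escape as whatever happens to fire
    text = data.decode("utf-8")
    scheme, rest = text.split("://", 1)
    action, query = rest.split("?", 1)
    key, value = query.split("=", 1)
    return {"scheme": scheme, "action": action, key: value}

def parse_uri_v2(data: bytes) -> dict:  # hardened: validates, raises only MalformedInput
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        raise MalformedInput("not UTF-8") from None
    scheme, sep1, rest = text.partition("://")
    action, sep2, query = rest.partition("?")
    key, sep3, value = query.partition("=")
    if not (scheme and sep1 and action and sep2 and key and sep3):
        raise MalformedInput("missing required component")
    return {"scheme": scheme, "action": action, key: value}

def mutate(seed: bytes, rng: random.Random) -> bytes:  # 1-4 flips, deletions or truncations
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(3)
        if op == 0 and data:
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == 1 and data:
            del data[rng.randrange(len(data))]
        else:
            del data[rng.randint(0, len(data)):]
    return bytes(data)

def fuzz(parser, seed: bytes, iterations: int, rng_seed: int = 1) -> dict:
    """Run mutated inputs through parser; bucket unexpected exceptions by (type, line)
    so each distinct defect is filed once, keeping the first input that triggered it."""
    rng, buckets = random.Random(rng_seed), {}
    for _ in range(iterations):
        data = mutate(seed, rng)
        try:
            parser(data)
        except MalformedInput:
            continue                      # clean rejection: not a bug
        except Exception as exc:          # anything else is a triage item
            line = traceback.extract_tb(exc.__traceback__)[-1].lineno
            buckets.setdefault((type(exc).__name__, line), data)
    return buckets
```

Raising the iteration count to the 100,000 the tenet asks for only changes the `iterations` argument; the bucket keys are what get filed against the SDL bug bar.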

meaghanlewis commented 5 years ago

Question: does this just apply to our repository or other resources we interact with (Central)?