Agenda
Applications under attack
Origins of the Microsoft SDL
What is Microsoft doing about the threat?
Measurable improvements at Microsoft
Cybercrime Evolution
1986-1995, 1995-2003, 2004+, 2006+
Now
SDL is enhanced
Bill Gates writes Trustworthy Computing memo (early 2002)
Windows security push
Windows Server 2003 security push
Microsoft Senior Leadership Team agrees to require SDL for all products that:
Fuzz testing
Code analysis
Crypto design requirements
Privacy
Banned APIs
and more
Optimize the process through feedback, analysis and automation
Evangelize the SDL to the software development community:
SDL Process Guidance
SDL Optimization Model
SDL Pro Network
SDL Threat Modeling Tool
SDL Process Templates
Which apps are required to follow SDL?
Any release commonly used or deployed within an enterprise, business, or organization
Any release that regularly stores, processes, or communicates PII (as defined in Microsoft Privacy Guidelines for Developing Software Products and Services) or other sensitive customer information
Any release that accepts and/or processes data from an unauthenticated source
Any functionality that parses any file type that is not protected (i.e. not limited to system administrators)
Any release that contains ActiveX and/or COM controls
Process
Guide product teams to meet SDL requirements
Accountability
Establish release criteria and sign-off as part of FSR
Incident Response (MSRC)
Response
Assess organizational knowledge on security and privacy; establish training program as necessary
Establish training criteria
Content covering secure design, development, test and privacy
Opportunity to consider security at the outset of a project
Development team identifies security and privacy requirements
Development team identifies lead security and privacy contacts
Security Advisor assigned
Security Advisor reviews product plan, makes
Identify design techniques (layering, managed code, least privilege, attack surface minimization)
Document attack surface and limit through default settings
Define supplemental security ship criteria due to unique product issues
Full spectrum review used to determine processes, documentation and tools necessary to ensure secure deployment and operation
Specification of approved build tools and options
Static analysis (PREfix, /analyze (PREfast), FxCop)
Banned APIs
Use of operating system defense in depth
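The "Banned APIs" bullet above refers to the SDL practice of replacing unbounded C runtime calls such as strcpy with length-checked equivalents. As an added illustration (not code from this presentation or from Microsoft), the helper below is a constructed, portable stand-in for that practice: it copies caller-supplied text into a fixed buffer, always NUL-terminates, and reports truncation instead of overrunning the destination. The function name `copy_bounded` and the sample inputs are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Bounded replacement for the banned strcpy pattern (constructed example).
 * Copies src into dst, which holds dstsz bytes. The destination is always
 * NUL-terminated when dstsz > 0. Returns 0 on success and -1 when the input
 * did not fit (the copy is truncated rather than overrunning dst) or when an
 * argument is invalid.
 */
int copy_bounded(char *dst, size_t dstsz, const char *src) {
    if (dst == NULL || src == NULL || dstsz == 0) {
        return -1;
    }
    size_t n = strlen(src);
    if (n >= dstsz) {
        /* Truncate: keep room for the terminator and signal the caller. */
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1); /* includes the terminator */
    return 0;
}

int main(void) {
    char buf[8]; /* constructed fixed-size destination */
    const char *inputs[] = { "admin", "administrator" }; /* constructed sample input */
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = copy_bounded(buf, sizeof buf, inputs[i]);
        printf("%-14s -> \"%s\" (%s)\n", inputs[i], buf,
               rc == 0 ? "ok" : "truncated");
    }
    return 0;
}
```

A static-analysis pass of the kind listed above (PREfast or /analyze with the banned-API header) flags the unbounded call at the call site; the bounded helper makes the length contract explicit so the caller must decide what to do on truncation.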
Started as early as possible; conducted after code complete stage
Start security response planning, including response plans for vulnerability reports
Re-evaluate attack surface
Fuzz testing: files, installable controls and network-facing code
Conduct security push (as necessary, increasingly rare)
Not a substitute for security work done during development
Code review
Penetration testing and other security testing
Review design and architecture in light of new threats
Creation of a clearly defined support policy consistent with MS corporate policies
Provide Software Security Incident Response Plan (SSIRP)
Identify contacts for MSRC and resources to respond to events
24x7x365 contact information for 3-5 engineering, 3-5 marketing, and 1-2 management (PUM and higher) individuals
Ensure ability to service all code, including out-of-band releases and all licensed 3rd-party code.
Response
Security response plan complete
Customer documentation up-to-date
Archive RTM source code, symbols, threat models to a central location
Complete final sign-offs on Checkpoint Express validating security, privacy and corporate compliance policies
Plan the work, work the plan
Execution on response tasks outlined during Security Response Planning and Release phases
Internal review
Incorporate security checklists and standards
Conduct self code review
Security code analysis
Pre-production assessment
Post-production assessment
[Charts: results before SDL vs. after SDL, one for each assessment]
Summary
Attacks are moving to the application layer
Measurable results for Microsoft software
Microsoft is committed to making SDL widely available and accessible
Resources
SDL Portal
http://www.microsoft.com/sdl
SDL Blog
http://blogs.msdn.com/sdl/
(Web) http://msdn.microsoft.com/en-us/library/cc30
(MS Word) http://www.microsoft.com/downloads/details
Questions?
2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.