Presentation is loading. Please wait.

Presentation is loading. Please wait.

How We Got Here PC and Internet changed the rules –Viruses, information sharing, “outside” and “inside” indistinguishable –Vulnerability research for.

Published byLeslie Tyler Modified over 8 years ago

Similar presentations

Presentation on theme: "How We Got Here PC and Internet changed the rules –Viruses, information sharing, “outside” and “inside” indistinguishable –Vulnerability research for."— Presentation transcript:

1

2

3 How We Got Here PC and Internet changed the rules –Viruses, information sharing, “outside” and “inside” indistinguishable –Vulnerability research for reputation Vulnerability research led to security response process –Fix the problems when they’re found “Secure Windows Initiative” to make software secure –Assigned three program managers to review Windows –Evolved to training and “bug bashes”

4 How We Got Here Thought we’d done “better” with XP, and then… –Code Red –Nimda –UPNP From: Bill Gates Sent: Thursday, 18, 2002 Subject: Trustworthy Computing As I've talked with customers over the last year - from individual consumers to big enterprise customers - it's clear that everyone recognizes that computers play an increasingly important and useful role in our lives. At the same time, many of the people I talk to are concerned about the security of the technologies they depend on…

5 How We Got Here: The Security Push Security push –Team-wide stand-downs and training –Threat model, review code, run tools, conduct tests, modify defaults –(Relatively) quick way to significant improvement –Immature and ad hoc processes “Security science” –Identify and remove new classes of vulnerabilities Security “audit” –Independent review – what did the push miss?

6 Getting Widespread Buy-in Security pushes were an “obviously” necessary response… Security pushes achieved rapid improvements (some dramatic) but… Leverage comes from early (design time) focus on security Ongoing attacks demonstrated continued need Executive buy-in was surprisingly easy –Everyone understood what bad things could happen –Security pushes had accomplished enough to allow us to claim we could do this

7 The Classic SDL at Microsoft Ongoing Process Improvements Technology and Process EducationAccountability

8

9 “Security is everyone’s job” – but have to know what to do Training was an initial focus – even before the SDL Security push taught us what we could – and could not – expect development teams to do – experiences with –Threat modeling –Penetration testing –Code review Focus on deterministic requirements – avoid “I wouldn’t have designed it that way…” Focus on tools – an excellent way to scale Scaling for Success

10 Managing Change The first (2004) iteration of the SDL was pretty rough –Developed rapidly based on security push lessons Initial updates at 6-month intervals –Responses to new threats –New application classes (online services, Modern apps) –New requirements and techniques (e.g. banned APIs, fuzzers) Since SDL v4 (October 2007), annual updates –More time for tool development –More time for beta and feedback –More time for usability Every update receives both broad and senior review

11 Automation and Tools At Microsoft today, the SDL requires three classes of tools –Automated tools to help find (and remove or mitigate) security problems –Automated tools to help product teams record and track their compliance with the SDL –Automated tools to help the MSEC PM (security advisor) help the product teams We started with only the first (problem finders) All three are critical to our implementation of the SDL – and we changed our release cadence largely in recognition of this fact

12 Realistic Roles and Requirements Not every engineer is a security expert Security experts are a scarce resource Security requirements are as clear as possible –Run this tool –Look for this pattern in this code –Build this kind of test and fix the errors it finds Avoid mandating security expert involvement Some good requirements may not be “ready for prime time”

13 Minimize Interference The SDL tells product teams how to improve security –Started with focus on large boxed products – Windows, Office, SQL Intent was to allow product teams flexibility – for everything but security Agile SDL took us several tries to get “right” Product teams integrate SDL in their own ways

14

15 SDL Impact Vulnerability counts have dropped – independent longitudinal study Office 2003 – 126 Exploitable Vulnerabilities Office 2010 – 7 Exploitable Vulnerabilities 30% decline in the exploitability of vulnerabilities in all Microsoft products Exploitability of low complexity vulnerabilities has decreased year on year since inception of SDL Reduce vulnerabilities, limit exploitability and severity

16 Who Needs the SDL?

17 Adapting the SDL to Organizations Beyond Microsoft Non-proprietary Scalable to organizations of any size Platform agnostic Based on the SDL process used at Microsoft

18 Who Uses the SDL? Short answer: we don’t know everyone You have to click through a EULA to download the tools, but you don’t have to register so… We have worked with some large organizations on adopting and adapting the SDL – some public and some not

19 SDL Portal http://www.microsoft.com/sdl SDL Blog http://blogs.msdn.com/sdl/ SDL Process on MSDN (Web) http://msdn.microsoft.com/en- us/library/cc307748.aspx Simplified Implementation of the Microsoft SDL http://go.microsoft.com/?linkid=970 8425 Resources

20

Download ppt "How We Got Here PC and Internet changed the rules –Viruses, information sharing, “outside” and “inside” indistinguishable –Vulnerability research for."

Similar presentations

SDL in an Agile World MSSD-3 третья по счету конференция, посвященная всестороннему обсуждению популярной и важной темы – минимизация уязвимостей программного.

SDL in an Agile World MSSD-3 третья по счету конференция, посвященная всестороннему обсуждению популярной и важной темы – минимизация уязвимостей программного.
AGILE DEVELOPMENT Outlines : Quick Look of agile development Agility

AGILE DEVELOPMENT Outlines : Quick Look of agile development Agility
Provide a platform built on security, privacy, and trust Maintain an evergreen service Offer highly configurable and scalable services.

Provide a platform built on security, privacy, and trust Maintain an evergreen service Offer highly configurable and scalable services.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.

© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.
USING EMET TO DEFEND AGAINST TARGETED ATTACKS PRESENTED BY ROBERT HENSING – SENIOR CONSULTANT – MICROSOFT CORPORATION MICHAEL MATTES – SENIOR CONSULTANT.

USING EMET TO DEFEND AGAINST TARGETED ATTACKS PRESENTED BY ROBERT HENSING – SENIOR CONSULTANT – MICROSOFT CORPORATION MICHAEL MATTES – SENIOR CONSULTANT.
Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.

Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.
2002-2003 2004 2005-2007 Now Bill Gates writes “Trustworthy Computing” memo early 2002 “Windows security push” for Windows Server 2003 Security push.

Now Bill Gates writes “Trustworthy Computing” memo early 2002 “Windows security push” for Windows Server 2003 Security push.
12 November 2009 Bryan Sullivan Senior Security Program Manager, Microsoft SDL.

12 November 2009 Bryan Sullivan Senior Security Program Manager, Microsoft SDL.
Walter Bodwell Planigle. An Introduction – Walter Bodwell 18 years in software First did agile at a startup in 1999 Went back to waterfall (after acquisition)

Walter Bodwell Planigle. An Introduction – Walter Bodwell 18 years in software First did agile at a startup in 1999 Went back to waterfall (after acquisition)
Tom Sheridan IT Director Gas Technology Institute (GTI)

Tom Sheridan IT Director Gas Technology Institute (GTI)
W5HH Principle As applied to Software Projects

W5HH Principle As applied to Software Projects
Tableau Visual Intelligence Platform

Tableau Visual Intelligence Platform
Chapter 8 Managing IT Project Delivery

Chapter 8 Managing IT Project Delivery
Small Business Security By Donatas Sumyla. Content Introduction Tools Symantec Corp. Company Overview Symantec.com Microsoft Company Overview Small Business.

Small Business Security By Donatas Sumyla. Content Introduction Tools Symantec Corp. Company Overview Symantec.com Microsoft Company Overview Small Business.
U-Mail System Design Specification Joseph Woo, Chris Hacking, Alex Benson, Elliott Conant, Alex Meng, Michael Ratanapintha April 28, 2008 1.

U-Mail System Design Specification Joseph Woo, Chris Hacking, Alex Benson, Elliott Conant, Alex Meng, Michael Ratanapintha April 28,
Tableau Visual Intelligence Platform

Tableau Visual Intelligence Platform
SCC EHR Workshop for Contractors: Implementation Considerations May 25, 2011.

SCC EHR Workshop for Contractors: Implementation Considerations May 25, 2011.
Formality, Agility, Security, and Evolution in Software Development Cody Ronning 2/16/2015.

Formality, Agility, Security, and Evolution in Software Development Cody Ronning 2/16/2015.
Kaspersky Open Space Security: Release 2 World-class security solution for your business.

Kaspersky Open Space Security: Release 2 World-class security solution for your business.

Similar presentations

Ads by Google