Getting Vulnerabilities Out of Software

Presentation on theme: "Getting Vulnerabilities Out of Software"— Presentation transcript:

1 Getting Vulnerabilities Out of Software
Mark Pustilnik, Security Development Lead, Secure Windows Initiative Attack Team, Microsoft (also a UW PMP alumnus)

2 Introductions
Who am I and what do I do?
A few words about the Secure Windows Initiative team at Microsoft
What is behind Microsoft's turnaround in security?

Leading a small team of world-class security researchers. We are at the center of a large, concerted effort by Microsoft to shore up security across the entire product line. Quoting an eWeek article: "Given the events of the last six years, security experts say that what once was unthinkable may someday come to pass: hackers turning their attention from Microsoft to easier pickings in the software of other companies. Microsoft's development process and procedures are unique, and uniquely suited to a mammoth software development shop. However, companies that want to make their software more secure will have to take many of the same steps as Microsoft to turn their ship around."

3 Ongoing Process
Conception – avoid the impossible
Design – catches bad bugs
Implementation – more prescriptive
Support – addresses things you miss and emerging threats

These are very loaded topics. Conception: you cannot commence design unless you know what you are after. Design: bugs introduced at the design level cause the biggest grief to the software author; an interoperating system may prove difficult or impossible to patch if the underlying design is flawed. Implementation: bugs here cause the biggest grief to customers, even if the patch is easy to code and install (anyone remember Blaster?). Support: a must-have part of the process, because you will NOT get all security bugs out of your software.

4 Conception
Case study: DRM solutions
What do you expect DRM to do?
What are the challenges?
Messaging: promises vs. delivery
What can realistically be delivered?

DRM does not work because your hardware is not trusted. Teams embarking upon digital rights management need to understand the limitations of computer architecture and structure their goals accordingly. Messaging: make sure you do not overpromise, or the shortfall will be perceived as a bug. Microsoft's DRM promises are about authentication, integrity and difficulty of circumvention, NOT about guaranteed restriction of distribution. Possible solutions all revolve around making the cost of a successful attack greater than the worth of the result; the problem is the low cost of replication.

5 Design
It's all about security guarantees
Case study: security guarantees of on-line backup software

S.G. (security guarantee): a surprisingly difficult concept to understand. Everything revolves around S.G.'s. An S.G. is what your customer expects from your software. Case study guarantees: others won't access my content; restored files do not compromise security; traffic cannot be eavesdropped on or tampered with in transit; storage is secure. Can/should unencrypted content ever leave your machine?
Threat modeling is important and powerful
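The backup case study lists guarantees but the slide does not show how a client would uphold them. The following is an added example, not code from the talk or from any Microsoft product: a constructed backup client that keeps plaintext on the machine (content and file names are encrypted before upload), authenticates the blob so tampering in transit or in storage is detected before anything is restored, and refuses restore paths that would escape the restore directory (so a restored file cannot overwrite something it should not). It uses only the standard library; the CTR-style keystream built from HMAC-SHA256 is an illustrative substitute for a real AEAD such as AES-GCM, and the key-derivation labels and file names are invented for the example.

```python
import hashlib
import hmac
import json
import os
import posixpath
import struct
from typing import Dict, Tuple

TAG_LEN = 32    # HMAC-SHA256 tag appended to every blob
NONCE_LEN = 16  # fresh per backup so keystreams never repeat


def derive_keys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate confidentiality and integrity keys from one master key
    (assumed labels; the point is never to reuse one key for both roles)."""
    enc_key = hmac.new(master_key, b"backup/encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"backup/authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream using HMAC-SHA256 as the PRF. Illustrative only:
    a production client would use an AEAD such as AES-GCM instead."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(enc_key, nonce + struct.pack(">Q", counter),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def seal_backup(master_key: bytes, files: Dict[str, bytes]) -> bytes:
    """Encrypt-then-MAC the file set on the client. Only this blob leaves the
    machine, so the service never sees names or contents in the clear."""
    enc_key, mac_key = derive_keys(master_key)
    manifest = json.dumps({name: data.hex() for name, data in files.items()},
                          sort_keys=True).encode()
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(manifest))
    ciphertext = bytes(p ^ k for p, k in zip(manifest, stream))
    body = nonce + ciphertext
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


def open_backup(master_key: bytes, blob: bytes) -> Dict[str, bytes]:
    """Verify the tag before touching the ciphertext: a blob altered in
    transit or at rest is rejected instead of being silently restored."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("backup blob truncated")
    enc_key, mac_key = derive_keys(master_key)
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("backup integrity check failed")
    nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
    stream = _keystream(enc_key, nonce, len(ciphertext))
    manifest = bytes(c ^ k for c, k in zip(ciphertext, stream))
    return {name: bytes.fromhex(h) for name, h in json.loads(manifest).items()}


def safe_restore_path(restore_root: str, name: str) -> str:
    """Map a backed-up name to a path under restore_root, refusing absolute
    names and '..' escapes so a restore cannot land outside the chosen tree."""
    root = posixpath.normpath(restore_root)
    prefix = root if root.endswith("/") else root + "/"
    candidate = posixpath.normpath(posixpath.join(root, name))
    if posixpath.isabs(name) or not candidate.startswith(prefix):
        raise ValueError(f"refusing to restore outside {root}: {name!r}")
    return candidate


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    key = os.urandom(32)
    files = {"notes/diary.txt": b"secret plans", "photo.jpg": bytes(range(256))}
    blob = seal_backup(key, files)
    assert open_backup(key, blob) == files
    print("round trip ok; blob bytes:", len(blob))
    print(safe_restore_path("/restore", "notes/diary.txt"))
```

Each guarantee from the slide maps to one decision in the code: "others won't access my content" and "unencrypted content never leaves the machine" rest on encrypting before upload with a key the service never holds; "traffic cannot be tampered with" and "storage is secure" rest on verifying the tag before decrypting; "restored files do not compromise security" rests on refusing any name that resolves outside the restore directory.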

6 Implementation
Cookbook analysis (if the design is solid)
Case study: Aren't you glad you authenticated?

Large, constantly evolving landscape. Very domain specific. Discuss the attack on Kerberos authentication in the absence of signing/encryption.

7 Support
Organizational structure (people)
Platform support (technology)
Customer expectations (management)

Your software will need support: bugs in existing software, and new types of vulnerabilities being discovered. You must plan for it by having an organization centered around security response (collect reports, monitor the community, respond to threats). Technology can help disseminate updates (think Windows Update). Currently a hodgepodge of solutions, but centralized solutions are emerging.
