
1 Getting Ahead: Integrating Development and Response for Improved Security Steven B. Lipner Director of Security Engineering Strategy Security Business and Technology Unit Microsoft Corporation

2 Engineering excellence Security development lifecycle Microsoft Security Response Center Sharing best practices with administrators and developers

3 Security Development Lifecycle (SDL)

Process
- Defines security requirements and milestones in every stage of the software development process
- Mandatory for products exposed to meaningful security risks
- Includes a Final Security Review (FSR) to determine if product is customer ready

Education
- Mandatory annual training for developers, testers, program managers, user education staff and architects
- Funding academic curriculum development through Microsoft Research
- Publish guidance on writing secure code, threat modeling and SDL; as well as courses

Accountability
- In-process metrics to provide early warning
- Post-release metrics assess final payoff (# of vulnerabilities)
- Training compliance for team and individuals

4

5 Final Security Review (FSR)

“From a security viewpoint, is this software ready to deliver to customers?”
- Two to six months prior to software completion, depending on the scope of the software.
- Software must be in a stable state with only minimal non-security changes expected prior to release.
- FSR results: If the FSR finds a pattern of remaining vulnerabilities, the proper response is not just to fix the vulnerabilities found, but to revisit the earlier phases and take pointed actions to address root causes (e.g., improve training, enhance tools).

6 Education for the SDL

7 [Chart; axis: Days; data labels: 65, 35] Source: Microsoft Security Bulletin Search

8 SQL Server 2000 2002-2005 (YTD)

9 Building A Security Response Process

Security Bulletin Release Process
- Build a more Simplified, Manageable Process
- Enhance and Improve Bulletin Content
- Expand Resources and Support

Security Incident Response Process
- Provide Timely and Relevant Information
- Help Mitigate and Protect
- Deliver Solution to Resolve

10 Releasing a Security Update

Triaging
- Assess the report and the possible impact on customers
- Understand the severity of the vulnerability
- Rate the vulnerability according to severity and likelihood of exploit, and assign it a priority

Managing Finder Relationship
- Establish communications channel
- Quick response
- Regular updates
- Build the community
- Encourage responsible reporting

Vulnerability Reporting
- MSRC receives incoming vulnerability reports through:
  - Secure@Microsoft.com – Direct contact with MSRC
  - Microsoft TechNet Security Site – anonymous reporting
- MSRC responds to all reports:
  - 24 hour response Service Level Agreement to finder
  - Internal response can be immediate when required

Content Creation
- Security bulletin:
  - Affected software/components
  - Technical description
  - Workarounds and Mitigations
  - FAQs
  - Acknowledgments

Release
- Security bulletins - second Tuesday of every month
- Coordinate all content and resources
- Information and guidance to customers
- Monitor customer issues and press

Creating the Fix
- SWI and Product Team:
  - Investigate vulnerability impact
  - Locate variants
  - Investigate surrounding code and design
  - Generate fix for Test

Testing
- Several levels of testing:
  - Setup and Build Verification
  - Depth
  - Integration and Breadth
  - Microsoft Corporate network
  - Controlled beta

Update Dev Tools and Practices
- Update best practices
- Update testing tools
- Update development and design process

11 Outreach And Communications

Pre Release
- Security Bulletin Advance Notification - three business days prior to release

Second Tuesday Release Day
- Updates posted on Download Center, Windows Update and/or Office Update
- Bulletins posted
- RSS Feeds
- Customer email and instant message notifications
- Community outreach
- MS Field alerts and call downs

Post Release
- Security Bulletins Webcast (Wednesday following release, 11AM PT)
- Supplementary Webcasts if needed
- Monitor bulletin uptake and customer issues through PSS and Windows Update
- Bulletin maintenance

12 Customer Process Improvement

Goals: Build a more Simplified, Manageable Process; Enhance and Improve Bulletin Content; Expand Resources and Support

- Moved to monthly release of security bulletins:
- A predictable, manageable process
- Enable advance planning and preparations
- Software Update Validation Program to help ensure quality
- Advance notification three business days prior to release
- Publicly posted on Microsoft.com; Email alert available
- Revamped technical security bulletin format:
- Added a monthly summary bulletin that includes a summary table of affected software for each bulletin
- Added mitigations and workarounds per vulnerability
- Added more information and guidance on distribution and deployment
- Improved bulletin search tool on TechNet Security
- Security Advisories
- Technical webcast on Wednesday following the release
- RSS feed for security bulletins
- New notification services, including a comprehensive version and instant message alerts
- Malicious Software Removal Tool

13 Security Advisories

Supplement Microsoft Security Bulletins
- Provide guidance and information about security related software changes or software updates
- Some examples of future topics may include:
  - "Defense in Depth" security enhancements or changes unrelated to security vulnerabilities
  - Guidance and mitigations that may be applicable for publicly disclosed vulnerabilities

Content
- Top level summary detailing the reason for issuing the advisory
- Frequently asked questions
- Suggested actions
- May be updated any time we have new information
- Reference a unique Knowledge Base Article number for additional information

More information
- Sign up for the Security Notification Service Comprehensive Edition at www.microsoft.com/technet/security/bulletin/notify.mspx
- www.microsoft.com/technet/security/advisory

14 Security Incident Response Overview

SSIRP - Software Security Incident Response Plan
- Companywide process to deal with critical security threats
- Mobilize Microsoft resources worldwide

Goals:
- Quickly gain a thorough understanding of the problem
- Provide customers with timely, relevant, consistent information
- Deliver tools, security updates and other assistance to restore normal operation

15 Responding To A Security Incident

Watch
- Observe environment to detect any potential issues
- Leverage existing relationships with:
  - Partners
  - Security researchers and finders
- Monitor customer requests and press inquiries

Alert and Mobilize
- Convene and evaluate severity
- Mobilize security response teams and support groups into two main groups:
  - Emergency Engineering Team
  - Emergency Communications Team
- Start monitoring WW press interest and customer support lines for this issue

Assess and Stabilize
- Assess the situation and the technical information available
- Start working on solution
- Communicate initial guidance and workarounds to customers, partners and press
- Notify and inform Microsoft sales and support field

Resolve
- Provide information and tools to restore normal operations
- Appropriate solution is provided to customers, such as a security update, tool or fix
- Conduct internal process reviews and gather lessons learned

16 Case Study: MSN Messenger

Watch (Feb. 8-9 2005)
- Microsoft releases security bulletins for February 05, including MS05-009 which addresses a vulnerability in PNG Processing affecting MSN Messenger 6.1 & 6.2
- Start monitoring customer help lines, newsgroup & community activities and press inquiries

Alert & Mobilize (Feb. 9 2005)
- First reports of public exploit for MSN Messenger
- Alert security response teams and pull people into the emergency engineering and communications rooms

Assess & Stabilize (Feb. 9 2005)
- Start analyzing technical details
- Initial guidance, recommending customers upgrade to the latest version of MSN Messenger which includes the fix, is communicated to customers
- Landing page off of www.microsoft.com/security/incident/im.mspx
- Email alerts sent through the security notification services
- Send out partner and WW Field alerts

Resolve (Feb. 10-11 2005)
- Decision to start mandatory upgrades of MSN Messenger
- Notify customers and partners of mandatory upgrade decision:
  - Updated Microsoft websites
  - Partner and WW Field alerts
- Proactive move to mandatory upgrades minimized the impact and spread of the worm

17 What You Should Do

- Sign up to receive security updates notifications via email, instant message, mobile devices or RSS
- Download and deploy security updates (Microsoft Download Center, Windows Update)
- Attend the monthly TechNet Security Bulletin Webcast
- Review information and guidelines on the Microsoft TechNet Security site www.microsoft.com/technet/security/default.mspx
- Report security vulnerabilities through secure@microsoft.com
- Review SDL for your development projects http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp
- Check out the MSRC Blog at http://blogs.technet.com/msrc

18 Resources

- Microsoft Security Web sites: www.microsoft.com/security and www.microsoft.com/technet/security
- Sign up to receive notifications on security updates: www.microsoft.com/security/bulletins/alerts.mspx
- Sign up for the Security Bulletin Web cast: www.microsoft.com/technet/security/bulletin/summary.mspx
- RSS Feeds for Security Bulletins: www.microsoft.com/technet/security/bulletin/secrssinfo.mspx
- More from the Microsoft Security Response Center:
  - Web site: www.microsoft.com/msrc
  - Blog: http://blogs.technet.com/msrc
- Security Bulletins Search: www.microsoft.com/technet/security/current.aspx
- Security Advisories: www.microsoft.com/technet/security/advisory
- Security Guidance Center for Enterprises: www.microsoft.com/security/guidance
- MSDN Security Developer Center: http://msdn.microsoft.com/security/
- Protect Your PC: www.microsoft.com/protect

19 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

