Date posted: 18-Dec-2015

Getting Ahead: Integrating Development and Response for Improved Security

Steven B. Lipner

Director of Security Engineering Strategy

Security Business and Technology Unit

Microsoft Corporation

Engineering excellence

Security development lifecycle

Microsoft Security Response Center

Sharing best practices with administrators and developers

Security Development Lifecycle (SDL)

Process

  Defines security requirements and milestones in every stage of the software development process

  Mandatory for products exposed to meaningful security risks

  Includes a Final Security Review (FSR) to determine if product is customer ready

Education

  Mandatory annual training for developers, testers, program managers, user education staff and architects

  Funding academic curriculum development through Microsoft Research

  Publish guidance on writing secure code, threat modeling and SDL; as well as courses

Accountability

  In-process metrics to provide early warning

  Post-release metrics assess final payoff (# of vulnerabilities)

  Training compliance for team and individuals

[Figure: Microsoft Security Development Lifecycle, V 1.4 (Jan 28, 2005)]

Phases: Requirements, Design, Implementation, Verification, Release, Support & Servicing

Traditional Microsoft Software Product Development Lifecycle Tasks and Process: Feature Lists; Quality Guidelines; Architecture Docs; Schedules; Functional Specifications; Design Specifications; Development of New Code; Bug Fixes; Testing and Verification; Code Signing & Checkpoint Express Signoff; Alpha & Beta Pre releases; RTM; Product Support; Service Packs/QFEs; Security Updates

Security Development Lifecycle Tasks and Processes: Security Kickoff & Register With SWI; Security Design Best Practices; Security Architecture & Attack Surface Review; Threat Modeling; Use Security Development Tools & Security Best Dev & Test Practices; Create Security Documentation And Tools For Product; Prepare Security Response Plan; Security Push; Pen Testing; Final Security Review; Security Servicing & Response Execution; Security Training

Milestone labels: Threat Modeling Complete and Mitigations Reflected in Specifications; Product Code Complete; Final Release Candidate; Sign off on Security Requirements in Checkpoint Express

Final Security Review (FSR)

“From a security viewpoint, is this software ready to deliver to customers?”

Two to six months prior to software completion, depending on the scope of the software.

Software must be in a stable state with only minimal non-security changes expected prior to release

FSR results: If the FSR finds a pattern of remaining vulnerabilities, the proper response is not just to fix the vulnerabilities found, but to revisit the earlier phases and take pointed actions to address root causes (e.g., improve training, enhance tools)

Education for the SDL

[Chart: SQL Server 2000, 2002-2005 (YTD); axis label: Days (30 to 720); data labels: 65, 35. Source: Microsoft Security Bulletin Search]

Building A Security Response Process

Security Bulletin Release Process

  Build a more Simplified, Manageable Process

  Enhance and Improve Bulletin Content

  Expand Resources and Support

Security Incident Response Process

  Provide Timely and Relevant Information

  Help Mitigate and Protect

  Deliver Solution to Resolve

Triaging

  Assess the report and the possible impact on customers

  Understand the severity of the vulnerability

  Rate the vulnerability according to severity and likelihood of exploit, and assign it a priority

Managing Finder Relationship

  Establish communications channel

  Quick response

  Regular updates

  Build the community

  Encourage responsible reporting

Vulnerability Reporting

  MSRC receives incoming vulnerability reports through:

    [email protected] – Direct contact with MSRC

    Microsoft TechNet Security Site – anonymous reporting

  MSRC responds to all reports:

    24 hour response Service Level Agreement to finder

    Internal response can be immediate when required

Content Creation

  Security bulletin:

    Affected software/components

    Technical description

    Workarounds and Mitigations

    FAQs

    Acknowledgments

Release

  Security bulletins - second Tuesday of every month

  Coordinate all content and resources

  Information and guidance to customers

  Monitor customer issues and press

Creating the Fix

  SWI and Product Team:

    Investigate vulnerability impact

    Locate variants

    Investigate surrounding code and design

  Generate fix for Test

Testing

  Several levels of testing:

    Setup and Build Verification

    Depth

    Integration and Breadth

    Microsoft Corporate network Controlled beta

Update Dev Tools and Practices

  Update best practices

  Update testing tools

  Update development and design process

Outreach And Communications

Pre Release

Security Bulletin Advance Notification - three business days prior to release

Second Tuesday

Release Day

Updates posted on Download Center, Windows Update and/or Office Update

Bulletins posted

RSS Feeds

Customer email and instant message notifications

Community outreach

MS Field alerts and call downs

Post Release

Security Bulletins Webcast (Wednesday following release, 11AM PT)

Supplementary Webcasts if needed

Monitor bulletin uptake and customer issues through PSS and Windows Update

Bulletin maintenance

Customer Process Improvement

Build a more Simplified, Manageable Process

  Moved to monthly release of security bulletins:

    A predictable, manageable process

    Enable advance planning and preparations

    Software Update Validation Program to help ensure quality

  Advance notification three business days prior to release

    Publicly posted on Microsoft.com; Email alert available

Enhance and Improve Bulletin Content

  Revamped technical security bulletin format:

    Added a monthly summary bulletin that includes a summary table of affected software for each bulletin

    Added mitigations and workarounds per vulnerability

    Added more information and guidance on distribution and deployment

  Improved bulletin search tool on TechNet Security

Expand Resources and Support

  Security Advisories

  Technical webcast on Wednesday following the release

  RSS feed for security bulletins

  New notification services, including a comprehensive version and instant message alerts

  Malicious Software Removal Tool

Security Advisories

Supplement Microsoft Security Bulletins

  Provide guidance and information about security related software changes or software updates

  Some examples of future topics may include:

    "Defense in Depth" security enhancements or changes unrelated to security vulnerabilities

    Guidance and mitigations that may be applicable for publicly disclosed vulnerabilities

Content

  Top level summary detailing the reason for issuing the advisory

  Frequently asked questions

  Suggested actions

  May be updated any time we have new information

More information

  Reference a unique Knowledge Base Article number for additional information

  Sign up for the Security Notification Service Comprehensive Edition at www.microsoft.com/technet/security/bulletin/notify.mspx

  www.microsoft.com/technet/security/advisory

Security Incident Response Overview

SSIRP - Software Security Incident Response Plan

Companywide process to deal with critical security threats

Mobilize Microsoft resources worldwide

Goals:

Quickly gain a thorough understanding of the problem

Provide customers with timely, relevant, consistent information

Deliver tools, security updates and other assistance to restore normal operation

Watch

  Observe environment to detect any potential issues

  Leverage existing relationships with:

    Partners

    Security researchers and finders

  Monitor customer requests and press inquiries

Alert and Mobilize

  Convene and evaluate severity

  Mobilize security response teams and support groups into two main groups:

    Emergency Engineering Team

    Emergency Communications Team

  Start monitoring WW press interest and customer support lines for this issue

Assess and Stabilize

  Assess the situation and the technical information available

  Start working on solution

  Communicate initial guidance and workarounds to customers, partners and press

  Notify and inform Microsoft sales and support field

Resolve

  Provide information and tools to restore normal operations

  Appropriate solution is provided to customers, such as a security update, tool or fix

  Conduct internal process reviews and gather lessons learned

Case Study: MSN Messenger

Watch (Feb. 8-9 2005)

  Microsoft releases security bulletins for February 05, including MS05-009 which addresses a vulnerability in PNG Processing affecting MSN Messenger 6.1 & 6.2

  Start monitoring customer help lines, newsgroup & community activities and press inquiries

  First reports of public exploit for MSN Messenger

Alert & Mobilize (Feb. 9 2005)

  Alert security response teams and pull people into the emergency engineering and communications rooms

Assess & Stabilize (Feb. 9 2005)

  Start analyzing technical details

  Initial guidance, recommending customers upgrade to the latest version of MSN Messenger which includes the fix, is communicated to customers

    Landing page off of www.microsoft.com/security/incident/im.mspx

    Email alerts sent through the security notification services

  Send out partner and WW Field alerts

Resolve (Feb. 10-11 2005)

  Decision to start mandatory upgrades of MSN Messenger

  Notify customers and partners of mandatory upgrade decision:

    Updated Microsoft websites

    Partner and WW Field alerts

  Proactive move to mandatory upgrades minimized the impact and spread of the worm

Sign up to receive security updates notifications via email, instant message, mobile devices or RSS

Download and deploy security updates (Microsoft Download Center, Windows Update)

Attend the monthly TechNet Security Bulletin Webcast

Review information and guidelines on the Microsoft TechNet Security site

www.microsoft.com/technet/security/default.mspx

Report security vulnerabilities through [email protected]

Review SDL for your development projects http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp

Check out the MSRC Blog at http://blogs.technet.com/msrc

Resources

Microsoft Security Web sites: www.microsoft.com/security and www.microsoft.com/technet/security

Sign up to receive notifications on security updates: www.microsoft.com/security/bulletins/alerts.mspx

Sign up for the Security Bulletin Web cast: www.microsoft.com/technet/security/bulletin/summary.mspx

RSS Feeds for Security Bulletins: www.microsoft.com/technet/security/bulletin/secrssinfo.mspx

More from the Microsoft Security Response Center:

  Web site: www.microsoft.com/msrc

  Blog: http://blogs.technet.com/msrc

Security Bulletins Search: www.microsoft.com/technet/security/current.aspx

Security Advisories: www.microsoft.com/technet/security/advisory

Security Guidance Center for Enterprises: www.microsoft.com/security/guidance

MSDN Security Developer Center: http://msdn.microsoft.com/security/

Protect Your PC: www.microsoft.com/protect

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.