Date posted: 18-Dec-2015
Getting Ahead: Integrating Development and Response for Improved Security
Steven B. Lipner
Director of Security Engineering Strategy
Security Business and Technology Unit
Microsoft Corporation
Engineering excellence
Security development lifecycle
Microsoft Security Response Center
Sharing best practices with administrators and developers
Security Development Lifecycle (SDL)

Process
  Defines security requirements and milestones in every stage of the software development process
  Mandatory for products exposed to meaningful security risks
  Includes a Final Security Review (FSR) to determine if product is customer ready

Education
  Mandatory annual training for developers, testers, program managers, user education staff and architects
  Funding academic curriculum development through Microsoft Research
  Publish guidance on writing secure code, threat modeling and SDL; as well as courses

Accountability
  In-process metrics to provide early warning
  Post-release metrics assess final payoff (# of vulnerabilities)
  Training compliance for team and individuals
[Figure: Microsoft Security Development Lifecycle V 1.4 (Jan 28, 2005). Phases: Requirements, Design, Implementation, Verification, Release, Support & Servicing. The diagram sets "Security Development Lifecycle Tasks and Processes" against "Traditional Microsoft Software Product Development Lifecycle Tasks and Process". Labels recoverable from the diagram include Security Kickoff & Register with SWI, Security Training, Security Design Best Practices, Security Architecture & Attack Surface Review, Threat Modeling, Use Security Development Tools & Security Best Dev & Test Practices, Create Security Documentation and Tools for Product, Prepare Security Response Plan, Security Push, Pen Testing, Final Security Review, and Security Servicing & Response Execution.]
Final Security Review (FSR)
“From a security viewpoint, is this software ready to deliver to customers?”
Two to six months prior to software completion, depending on the scope of the software.
Software must be in a stable state with only minimal non-security changes expected prior to release
FSR results: If the FSR finds a pattern of remaining vulnerabilities, the proper response is not just to fix the vulnerabilities found, but to revisit the earlier phases and take pointed actions to address root causes (e.g., improve training, enhance tools)
[Chart: x-axis in days (30 to 720); data labels 65 and 35. Source: Microsoft Security Bulletin Search]
Building A Security Response Process
Security Bulletin Release Process
  Build a more Simplified, Manageable Process
  Enhance and Improve Bulletin Content
  Expand Resources and Support

Security Incident Response Process
  Provide Timely and Relevant Information
  Help Mitigate and Protect
  Deliver Solution to Resolve
Triaging
  Assess the report and the possible impact on customers
  Understand the severity of the vulnerability
  Rate the vulnerability according to severity and likelihood of exploit, and assign it a priority

Managing Finder Relationship
  Establish communications channel
  Quick response
  Regular updates
  Build the community
  Encourage responsible reporting

Vulnerability Reporting
  MSRC receives incoming vulnerability reports through:
    [email protected] – Direct contact with MSRC
    Microsoft TechNet Security Site – anonymous reporting
  MSRC responds to all reports:
    24 hour response Service Level Agreement to finder
    Internal response can be immediate when required

Content Creation
  Security bulletin:
    Affected software/components
    Technical description
    Workarounds and Mitigations
    FAQs
    Acknowledgments

Release
  Security bulletins - second Tuesday of every month
  Coordinate all content and resources
  Information and guidance to customers
  Monitor customer issues and press

Creating the Fix
  SWI and Product Team:
    Investigate vulnerability impact
    Locate variants
    Investigate surrounding code and design
    Generate fix for Test

Testing
  Several levels of testing:
    Setup and Build Verification
    Depth
    Integration and Breadth
    Microsoft Corporate network
    Controlled beta

Update Dev Tools and Practices
  Update best practices
  Update testing tools
  Update development and design process
Outreach And Communications
Pre Release
Security Bulletin Advance Notification - three business days prior to release
Release Day (Second Tuesday)
Updates posted on Download Center, Windows Update and/or Office Update
Bulletins posted
RSS Feeds
Customer email and instant message notifications
Community outreach
MS Field alerts and call downs
Post Release
Security Bulletins Webcast (Wednesday following release, 11AM PT)
Supplementary Webcasts if needed
Monitor bulletin uptake and customer issues through PSS and Windows Update
Bulletin maintenance
Customer Process Improvement
Build a more Simplified, Manageable Process
  Moved to monthly release of security bulletins:
    A predictable, manageable process
    Enable advance planning and preparations
    Software Update Validation Program to help ensure quality
  Advance notification three business days prior to release
    Publicly posted on Microsoft.com; Email alert available

Enhance and Improve Bulletin Content
  Revamped technical security bulletin format:
    Added a monthly summary bulletin that includes a summary table of affected software for each bulletin
    Added mitigations and workarounds per vulnerability
    Added more information and guidance on distribution and deployment
  Improved bulletin search tool on TechNet Security

Expand Resources and Support
  Security Advisories
  Technical webcast on Wednesday following the release
  RSS feed for security bulletins
  New notification services, including a comprehensive version and instant message alerts
  Malicious Software Removal Tool
Security Advisories

Supplement Microsoft Security Bulletins
  Provide guidance and information about security related software changes or software updates
  Some examples of future topics may include:
    "Defense in Depth" security enhancements or changes unrelated to security vulnerabilities
    Guidance and mitigations that may be applicable for publicly disclosed vulnerabilities

Content
  Top level summary detailing the reason for issuing the advisory
  Frequently asked questions
  Suggested actions
  May be updated any time we have new information

More information
  Reference a unique Knowledge Base Article number for additional information
  Sign up for the Security Notification Service Comprehensive Edition at www.microsoft.com/technet/security/bulletin/notify.mspx
  www.microsoft.com/technet/security/advisory
Security Incident Response Overview
SSIRP - Software Security Incident Response Plan
Companywide process to deal with critical security threats
Mobilize Microsoft resources worldwide
Goals:
  Quickly gain a thorough understanding of the problem
  Provide customers with timely, relevant, consistent information
  Deliver tools, security updates and other assistance to restore normal operation
Watch
  Observe environment to detect any potential issues
  Leverage existing relationships with:
    Partners
    Security researchers and finders
  Monitor customer requests and press inquiries

Alert and Mobilize
  Convene and evaluate severity
  Mobilize security response teams and support groups into two main groups:
    Emergency Engineering Team
    Emergency Communications Team
  Start monitoring WW press interest and customer support lines for this issue

Assess and Stabilize
  Assess the situation and the technical information available
  Start working on solution
  Communicate initial guidance and workarounds to customers, partners and press
  Notify and inform Microsoft sales and support field

Resolve
  Provide information and tools to restore normal operations
  Appropriate solution is provided to customers, such as a security update, tool or fix
  Conduct internal process reviews and gather lessons learned
Case Study: MSN Messenger

Watch (Feb. 8-9 2005)
  Microsoft releases security bulletins for February 05, including MS05-009 which addresses a vulnerability in PNG Processing affecting MSN Messenger 6.1 & 6.2
  Start monitoring customer help lines, newsgroup & community activities and press inquiries
  First reports of public exploit for MSN Messenger

Alert & Mobilize (Feb. 9 2005)
  Alert security response teams and pull people into the emergency engineering and communications rooms

Assess & Stabilize (Feb. 9 2005)
  Start analyzing technical details
  Initial guidance, recommending customers upgrade to the latest version of MSN Messenger which includes the fix, is communicated to customers
    Landing page off of www.microsoft.com/security/incident/im.mspx
    Email alerts sent through the security notification services
    Send out partner and WW Field alerts

Resolve (Feb. 10-11 2005)
  Decision to start mandatory upgrades of MSN Messenger
  Notify customers and partners of mandatory upgrade decision:
    Updated Microsoft websites
    Partner and WW Field alerts
  Proactive move to mandatory upgrades minimized the impact and spread of the worm
Sign up to receive security updates notifications via email, instant message, mobile devices or RSS
Download and deploy security updates (Microsoft Download Center, Windows Update)
Attend the monthly TechNet Security Bulletin Webcast
Review information and guidelines on the Microsoft TechNet Security site
www.microsoft.com/technet/security/default.mspx
Report security vulnerabilities through [email protected]
Review SDL for your development projects http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp
Check out the MSRC Blog at http://blogs.technet.com/msrc
Resources
Microsoft Security Web sites: www.microsoft.com/security and www.microsoft.com/technet/security
Sign up to receive notifications on security updates: www.microsoft.com/security/bulletins/alerts.mspx
Sign up for the Security Bulletin Web cast: www.microsoft.com/technet/security/bulletin/summary.mspx
RSS Feeds for Security Bulletins: www.microsoft.com/technet/security/bulletin/secrssinfo.mspx
More from the Microsoft Security Response Center:
  Web site: www.microsoft.com/msrc
  Blog: http://blogs.technet.com/msrc
Security Bulletins Search: www.microsoft.com/technet/security/current.aspx
Security Advisories: www.microsoft.com/technet/security/advisory
Security Guidance Center for Enterprises: www.microsoft.com/security/guidance
MSDN Security Developer Center: http://msdn.microsoft.com/security/
Protect Your PC: www.microsoft.com/protect
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.