Microsoft Security Development Lifecycle for IT Rob Labbé Security Engagement Manager MSIT Infosec...
Microsoft Security Development Lifecycle for IT
Rob Labbé
Security Engagement Manager
MSIT Infosec – ACE
roblab@microsoft.com
Microsoft IT Environment
• 94,000 Vista clients
• 48,000 Windows 7 clients
• 127,238 Office 2007 clients
• 129,000 Exchange 2007 mailboxes
• 359,000 SharePoint Sites
• MSCRM deployment for premier services business
• Dynamics business running on Dynamics products
• 5 data centers
• 9,700 production servers
• 108,000 servers (MSN)
• 98 countries
• 550 buildings
• 260,000+ SMS managed computers
• 585,000 devices
• 141,549 end users
• 2,400,000 internal e-mails with 18,000,000 inbound (97% filter rate)
• 36,000,000 IMs per month
• 136,000+ e-mail server accounts
• 137,000,000+ remote connections per month
First and Best Customer
Enterprise Infrastructure
High Scale Processes
Know Yourself, Know your Enemies
“If you know your enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Sun Tzu, The Art of War
“Hacking Microsoft UK” http://www.youtube.com/watch?v=tJSRnJkH2Ek
The Reasons for Secure Software
• Data can be stolen by attackers
• Data can be corrupted by viruses
• Data can be lost or corrupted by employees
• IT Systems can be used by attackers
  • To send Spam, viruses, or launch other attacks from
• IT Systems can be crashed by attackers
There are many threats to data and systems
Application Layer = Weak Point
• Attackers target the weakest point. The OS Layer and Network layer are too hard now
• On Average over 70% of IT security budget is spent on Infrastructure, yet over 75% of attacks happen at the Application level
• According to Microsoft research, only 1/3 of developers are confident that they write secure code
• The focus must be on hardening the application layer
Reasons for IT Security
• Card Services - A Real World Example
• $10 Million a month in revenue
• Processed credit cards for American Express, Master Card, and VISA
• They Lost 40 Million records to hacking
• Government imposed heavy fines
• Subject to audits every 6 months for 20 years
• Amex, Master Card and Visa dropped them
• A $10 Million a month company destroyed
Understanding The Attackers
[Diagram: attacker profiles. Surviving labels: Author; Script-Kiddie; Hobbyist Hacker; Expert Specialist; Vandal, Cyberpunk; Thief, Booster, Fence, Classic Criminals; Spy, Terrorist; Mal-Tech Trespasser; National Interest, Chaos; Steal Something of Value / assets; Personal Fame, To Embarrass, To Win; Curiosity; Nothing; Anyone; Un-intentional; Disgruntled Employee]
Hackers are very smart
We need better security
Implement an SDL
• Implement an SDL to build security into your development process
• Train your developers in secure coding techniques
• Incorporate Threat Modeling, Secure Code Review, Security Focused Testing into the process
Purpose of the SDL
• Inventory and assess applications
• Identify and ensure resolution of security/privacy vulnerabilities found in those applications
• Enable Application Risk Management:
  • Strategic
  • Tactical
  • Operational
  • Legal
The SDL is NOT Optional
• At Microsoft all line-of-business application teams must go through SDL-IT; all shrink-wrapped products must go through the SDL
• If they fail to do so, they cannot go into production
• Enforcement of the SDL-IT process contributes to its success
Visibly Measure the Process
• Have internally visible score cards
• Have contests to see if you can find bugs and offer prizes
• Offer incentives to teams with the best security records (no cheating!)
SDL aligns with SDLC
SDLC: Envision → Design → Develop / Purchase → Test → Release / Sustainment
SDL-IT: Application Entry / Risk Assessment → Threat Model / Design Review → Internal Review → Pre-Production Assessment → Post-Production Assessment
Application Entry / Risk Assessment
• Objective:
  • Application Inventory
  • Determine Application Risk Categorization
    • High Risk Security/Privacy Release
    • Medium Risk Security/Privacy Release
    • Low Risk Security/Privacy Release
[Phase bar: App Entry → Threat Model / Design Review → Internal Review → Pre-Production Assessment → Post-Production Assessment]
Threat Model / Design Review
• Objective:
  • Threat modeling provides a consistent methodology for objectively evaluating threats to applications.
  • Review application design to verify compliance with security standards and best practices
  • Verify application meets application principles
    • Confidentiality
    • Integrity
    • Authentication
    • Authorization
    • Availability
    • Non-repudiation
Internal Review
• Review security checklist/policy site
• Team conducts ‘self’ code review and attack and penetration testing
Pre-Production Assessment
• Objective:
  • Low Risk Applications
    • Host Level Scan
      • Windows
      • IIS
      • SQL
  • High/Medium Risk Applications
    • Host Level Scan
    • White Box Code Review
White Box Code Review
• Process
  • Application team provides source code
  • Analysts review application code uncovering security vulnerabilities
  • Vulnerabilities logged in bug database
  • Application team required to address all sev 1 bugs prior to going into production
Some common attack patterns white box review may reveal
• Cross-Site Script Vulnerabilities
• SQL Injection
• Buffer Overflow
• Poor Authorization Controls
• Secrets Stored In Clear Text
Post-Production Assessment
• Objective:
  • High/Medium/Low Risk Applications
    • Host Level Scan
      • Windows
      • IIS
      • SQL
Conclusion
• The need for security is obvious, we have to protect the company and our customers
• To do that we need
  • Management Support
  • Secure Development Life Cycles
  • Developers trained in secure development
  • A Security First attitude!
Conclusions
• Continuous improvement of the process
• Invest time in upfront activities:
  • Threat Modeling
  • Design Reviews
• A holistic view
  • People
  • Process
  • Tools
• It may seem hard to get started – ask for help!
People: Providing guidance on secure application development
Tools: Providing the most innovative tools
Process: Security cannot be an afterthought
Call To Action
• Implement a Secure Development Lifecycle
• Create more secure and reliable software
• Build Trust!
Resources
• ACE Team Blog: http://blogs.msdn.com/ace_team/default.aspx
• Threat Modeling Tool: http://go.microsoft.com/fwlink?linkid=77002
• Threat Modeling Blog: http://blogs.msdn.com/threatmodeling/
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.