Getting Vulnerabilities Out of Software

Slides:



Advertisements
Similar presentations
Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
Advertisements

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.
1 No Silver Bullet : Inherent Limitations of Computer Security Technologies Jeffrey W. Humphries Texas A&M University.
Security Controls – What Works
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Chapter 7 HARDENING SERVERS.
MyCloudIT Removes the Complexity of Moving Cloud Customers’ Entire IT Infrastructures to Microsoft Azure – Including the Desktop MICROSOFT AZURE ISV: MYCLOUDIT.
Small Business Security By Donatas Sumyla. Content Introduction Tools Symantec Corp. Company Overview Symantec.com Microsoft Company Overview Small Business.
A centralized system.  Active Directory is Microsoft's trademarked directory service, an integral part of the Windows architecture. Like other directory.
11 REVIEWING MICROSOFT ACTIVE DIRECTORY CONCEPTS Chapter 1.
Storage Security and Management: Security Framework
Cloud Models – Iaas, Paas, SaaS, Chapter- 7 Introduction of cloud computing.
Eng. Wafaa Kanakri Second Semester 1435 CRYPTOGRAPHY & NETWORK SECURITY Chapter 1:Introduction Eng. Wafaa Kanakri UMM AL-QURA UNIVERSITY
CSI Software Offers Fully Integrated, Single-Source Enterprise Software for Membership-Based Facilities COMPANY PROFILE: CSI SOFTWARE CSI Software was.
Privilege separation in Condor Bruce Beckles University of Cambridge Computing Service.
Alert Logic Provides a Fully Managed Security and Compliance Solution Based in the Cloud, Powered by the Robust Microsoft Azure Platform MICROSOFT AZURE.
Securely Synchronize and Share Enterprise Files across Desktops, Web, and Mobile with EasiShare on the Powerful Microsoft Azure Cloud Platform MICROSOFT.
1 Chapter 1 – Background Computer Security T/ Tyseer Alsamany - Computer Security.
Topic 1 – Introduction Huiqun Yu Information Security Principles & Applications.
What Can Go Wrong During a Pen-test? Effectively Engaging and Managing a Pen-test.
Built on Azure, Moodle Helps Educators Create Proprietary Private Web Sites Filled with Dynamic Courses that Extend Learning Anytime, Anywhere MICROSOFT.
Rob Davidson, Partner Technology Specialist Microsoft Management Servers: Using management to stay secure.
Configuring, Managing and Maintaining Windows Server® 2008 Servers Course 6419A.
Power LogOn® Adds Card-Based, Multi- Factor Authentication to Microsoft Azure Logon, Plus Password Management for All Other Logons MICROSOFT AZURE ISV.
MICROSOFT TESTS /291/293 Fairfax County Adult Education Courses 1477/1478/1479.
Data Center Management Microsoft System Center. Objective: Drive Cost of Data Center Management 78% Maintenance 22% New Issue:Issue: 78% of IT budgets.
Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.
Easy-to-Use RedFlag System Delivers Notifications via Phone, , Text, Social Media, and More to Improve Effectiveness of Your Communications COMPANY.
1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.
DenyAll Delivering Next-Generation Application Security to the Microsoft Azure Platform to Secure Cloud-Based and Hybrid Application Deployments MICROSOFT.
By the end of this lesson you will be able to: 1. Determine the preventive support measures that are in place at your school.
Information Security Principles and Practices by Mark Merkow and Jim Breithaupt Chapter 1: Why Study Information Security?
Snip2Code: Search, Share and Collect Code Snippets Faster, Easier, Efficiently with Power of Microsoft Azure Platform MICROSOFT AZURE ISV PROFILE: SNIP2CODE.
Database Security Carl J. Hoppe 20 November 2013.
Lecture 1 Introduction Dr. nermin hamza 1. Aim of Course Overview Cryptography Symmetric and Asymmetric Key management Researches topics 2.
KPI Suite is a Complete Web Application Built on the Azure Platform for Data Collection, Analysis and Monitoring of Key Performance Indicators MICROSOFT.
Unit 3 Virtualization.
Planning for Application Recovery
MICROSOFT AZURE ISV PROFILE: BMC SOFTWARE
TOPdesk Service Management Software on Azure
Understanding Android Security
Top Ten List for Directors of Technology
Data & Network Security
Wonderware Online Cost-Effective SaaS Solution Powered by the Microsoft Azure Cloud Platform Delivers Industrial Insights to Users and OEMs MICROSOFT AZURE.
Threat Management Gateway
Symantec Code Signing Certificate
Firewalls.
SmartHOTEL Solutions Powered by Microsoft Azure Provide Hoteliers with Comprehensive, One-Stop Automated Management of All Booking Channels MICROSOFT AZURE.
Built on the Powerful Microsoft Azure Platform, Lievestro Delivers Care Information, Capacity Management Solutions to Hospitals, Medical Field MICROSOFT.
Microsoft is one of the biggest corporations in the United States and as such, it is very common to find that it has a customer support number which serves.
Replace with Application Image
Built on the Powerful Microsoft Azure Platform, iSwarm Helps Businesses Analyze Social Media Conversations, then Connect with Individuals MICROSOFT AZURE.
Be Better: Achieve Customer Service Excellence and Create a Lean RMA and Returns Process with Renewity RMA and the Power of Microsoft Azure MICROSOFT AZURE.
The Only Digital Asset Management System on Microsoft Azure, MediaValet Is Uniquely Equipped to Meet Any Company’s Needs MICROSOFT AZURE ISV PROFILE: MEDIAVALET.
MyAppFree, Powered by Microsoft Azure, Lets Global Users Discover and Download Tested and Handpicked Windows Apps and Games for Free MICROSOFT AZURE ISV.
Carl Data Solutions Collects Utility Sensor and Meter Data to Provide Advanced Reporting, Alarming, and Analytics with Microsoft Azure MICROSOFT AZURE.
AEGIS: Secure Processor for Certified Execution
Software Testing and Maintenance Maintenance and Evolution Overview
Cryptography and Network Security
Configuring, Managing and Maintaining Windows Server® 2008 Servers Course 6419A.
Enterprise Program Management Office
Windows 10 Enterprise subscriptions in CSP – Messaging Summary
Reportin Integrates with Microsoft Office 365 to Provide an End-to-End Platform for Financial Teams That Simplifies Report Creation and Management OFFICE.
Topic 5: Communication and the Internet
Understanding Android Security
Cryptography and Network Security
OU BATTLECARD: Oracle Identity Management Training
OU BATTLECARD: Oracle Systems Learning Subscription
Presentation transcript:

Getting Vulnerabilities Out of Software Mark Pustilnik Security Development Lead Secure Windows Initiative Attack Team Microsoft (also a UW PMP alumnus)

Introductions Who am I and what do I do? A few words about the Secure Windows Initiative team at Microsoft http://www.eweek.com/article2/0,1895,1879502,00.asp What is behind Microsoft’s turnaround in security? Leading a small team of world-class security researchers We are at the center of a large concerted effort by Microsoft to shore up security across the entire product line. Quoting eWeek article: Given the events of the last six years, security experts say that what once was unthinkable may someday come to pass: hackers turning their attention from Microsoft to easier pickings in the software of other companies.   Microsoft's development process and procedures are unique, and uniquely suited to a mammoth software development shop. However, companies that want to make their software more secure will have to take many of the same steps as Microsoft to turn their ship around.

Ongoing Process Conception – avoid the impossible Design – catches bad bugs Implementation – more prescriptive Support – addresses things you miss and emerging threats These are very loaded topics. Conception: Can not commence design unless you know what you are after. Design: Bugs introduced at design level cause biggest grief to software author; interoperating system may prove difficult or impossible to patch if underlying design is flawed. Implementation: causes biggest grief to customers, even if patch is easy to code/install (anyone remember Blaster?). Support: must have part of the process. Because you will NOT get all security bugs out of your software.

Conception Case study: DRM solutions What do you expect DRM to do? What are the challenges? Messaging: promises vs. delivery What can realistically be delivered? DRM does not work because your hardware is not trusted. Teams embarking upon digital rights management need to understand the limitations of computer architecture and structure their goals accordingly. Messaging: make sure you do not overpromise, or that will be perceived as a bug. Microsoft’s DRM promises are around: authentication, integrity and difficulty of circumvention, NOT about guaranteed restriction of distribution Possible solutions all revolve around making cost of success greater than the worth of result. Problem is low cost of replication.

Design It’s all about security guarantees Case study: security guarantees of on-line backup software S.G. - A surprisingly difficult concept to understand. Everything revolves around S.G.’s. S.G. is what your customer expects from your software. Case study: Others won’t access my content; restored files do not compromise security; traffic can not be eavesdropped or tampered with in transit; storage is secure; Can/should unencrypted content ever leave your machine? Threat modeling is important and powerful

Implementation Cookbook analysis (if design is solid) Case study: Aren’t you glad you authenticated? Large, constantly evolving landscape. Very domain specific. Discuss attack on Kerberos authentication in the absence of signing/encryption.

Support Organizational structure (people) Platform support (technology) Customer Expectations (management) Your software will need support. Bugs in existing software New types of vulnerabilities being discovered Must plan for it by having an organization centered around security response (collect reports, monitor community, respond to threats) Technology can help disseminate updates (think Windows Update). Currently a hodgepodge of solutions, but centralized solutions are emerging.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.