Bryan Sullivan Senior Security Program Mgr Microsoft SIA205.

Slides:



Advertisements
Similar presentations
SDL in an Agile World MSSD-3 третья по счету конференция, посвященная всестороннему обсуждению популярной и важной темы – минимизация уязвимостей программного.
Advertisements

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.
Scott myKB.com, Inc. Session Code: DEV301r.
Agenda Customer pain points and how data classification can help Ecosystem Windows Server 2008 R2 for file Classification Infrastructure Demos Customer.
12 November 2009 Bryan Sullivan Senior Security Program Manager, Microsoft SDL.
MIX 09 4/15/ :14 PM © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.
Windows 7 Training Microsoft Confidential. Windows ® 7 Compatibility Version Checking.
Session 1.
Built by Developers for Developers…. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names.
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or.
Feature: Assign an Item to Multiple Sites © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names.
Dan Parish Program Manager Microsoft Session Code: OFC 304.
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or.
Feature: Document Attachment –Replace OLE Notes © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product.
Feature: Customer Combiner and Modifier © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are.
Chris Menegay VP of Consulting Notion Solutions, Inc. DTL319.
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or.
Ram Cherala Principal Program Manager Microsoft Corporation DTL320.
Tejasvi Kumar Developer Technology Specialist | Microsoft India

customer.
Siddharth Bhatia Senior Program Manager Microsoft Session Code: DTL301.
Aaron Margosis Principal Consultant Microsoft Session Code: CLI405.
demo © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names.
Eric Carter Development Manager Microsoft Corporation OFC324.
demo Demo.
demo QueryForeign KeyInstance /sm:body()/x:Order/x:Delivery/y:TrackingId1Z
Feature: Suggested Item Enhancements – Analysis and Assignment © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and.
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks.
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or.
Arend-Jan Speksnijder Solutions Architect Microsoft Dynamics Lighthouse team Dynamics AX2009 Technical Overview and Demo (DYN301)
Sara Ford Program Manager Microsoft Corporation DPR301.

David B. Cross Product Unit Manager Microsoft Corporation Session Code: SIA303 Donny Rose Senior Program Manager.
Scott Morrison Program Manager Microsoft Corporation Session Code: WUX308.
Ian Griffiths Principle Interact Software Ltd. Brian A. Randell Senior Consultant MCW Technologies DEV302.
TechEd /22/2018 7:16 PM © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks.
6/13/2018 1:23 AM © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.
9/11/2018 5:53 PM © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.
Tech·Ed North America /14/2018 7:13 PM
Sysinternals Tutorials
11/21/2018 4:57 AM SIA303 Advanced Persistent Threats (APT): Understanding the New Era of Attacks! Marcus Murray Security Team Manager, Microsoft MVP –
11/22/2018 8:05 PM © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.
Jason Zander Unplugged
Brian Keller Sr. Technical Evangelist Microsoft Session Code: DEV310
12/5/2018 3:24 PM © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.
Ben Robb MVP, SharePoint Server cScape Ltd Session Code: OFS207
12/27/ :01 PM © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.
Tech·Ed North America /2/2019 4:47 PM
TechEd /11/ :44 AM © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered.
Tech·Ed North America /17/2019 1:47 AM
1/17/2019 9:05 PM © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.
Tech·Ed North America /17/2019 6:01 PM
Brian Keller Sr. Technical Evangelist Microsoft Session Code: DEV310
Peter Provost Sr. Program Manager Microsoft Session Code: DEV312
Building Silverlight Apps with RIA Services
Windows 8 Security Internals
Виктор Хаджийски Катедра “Металургия на желязото и металолеене”
Tech·Ed North America /25/ :53 PM
Hack-proofing your Clients using Windows 7 Security!
Шитманов Дархан Қаражанұлы Тарих пәнінің
Lap Around the Windows Azure Platform
SharePoint 2013 Authentication with Azure – Part 2
Building BI applications using PowerPivot for Excel
5/24/ :22 AM © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.
Welcome to Architect Insight 2010
Tech·Ed North America /17/2019 4:14 PM
What’s New in Visual Studio 2012 for Web Developers
Presentation transcript:

Bryan Sullivan Senior Security Program Mgr Microsoft SIA205

What does “Agile” mean, anyway?

The Agile Manifesto Individuals and interactions Working software Customer collaboration Responding to change Processes and tools Comprehensive documentation Contract negotiation Following a plan

Security Development Lifecycle Ongoing Process Improvements ProcessEducationAccountability The SDL: Microsoft’s industry leading software security assurance process designed to protect customers by reducing the number and severity of software vulnerabilities before release.

Challenges: Adapting SDL to Agile Iterative nature of Agile Projects may never end Just-in-time planning/YAGNI mentality General avoidance of project artifacts Emphasis on project/iteration backlogs General avoidance of automated tools

Challenges: Adapting SDL to Agile Iterative nature of Agile Projects may never end Just-in-time planning/YAGNI mentality General avoidance of project artifacts Emphasis on project/iteration backlogs General avoidance of automated tools

Security Development Lifecycle SDL “Classic” phased approach Fits spiral or waterfall… …but Agile doesn’t have phases

Idea: Move SDL to product backlog Very Agile But not secure!

Idea: Do the full SDL every iteration Very secure But not Agile!

Iterative nature of Agile From the Principles Behind the Agile Manifesto: “Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale.”

Idea: Drop some requirements But every requirement is, well, required Need to keep all requirements Need to reorganize into Agile-friendly form

SDL-Agile process

Three classes of requirements Every Sprint Training Threat modeling etc... One-Time Only Set up tracking Upgrade compilers etc... Bucket Fuzz parsers Create response plan etc…

Requirements as backlog items One-time requirements get added to the Product Backlog (with deadlines) So do bucket requirements Every-sprint requirements go to the Sprint Backlog directly Product Backlog Set up tracking system Upgrade to VS2010 Fuzz image parser Fuzz network parser … Sprint Backlog Threat model new stored procedures Run static analysis …

Agile sashimi At the end of every sprint: All every-sprint requirements complete No bucket items more than six months old No expired one-time requirements No open security bugs over the bugbar dinner.wordpress.com

Bug bar EoP: Remote Anonymous Info Disc: HBI/PII Critical EoP: Local Anonymous DoS: Asymmetric Persistent Important Info Disc: LBI DoS: Temporary Moderate Info Disc: Random memory Low

Challenges: Adapting SDL to Agile Iterative nature of Agile Projects may never end Just-in-time planning/YAGNI mentality General avoidance of project artifacts Emphasis on project/iteration backlogs General avoidance of automated tools

Security Incident Response Because 2:00 AM Christmas morning is a poor time to hold a Scrum meeting…

Challenges: Adapting SDL to Agile Iterative nature of Agile Projects may never end Just-in-time planning/YAGNI mentality General avoidance of project artifacts Emphasis on project/iteration backlogs General avoidance of automated tools

Security bug tracking Must track bug cause Buffer overflow XSS Etc And effect STRIDE Important for bugbar criteria

Threat modeling “The cornerstone of the SDL” Data Flow Diagrams (DFDs) STRIDE/element Mitigations Assumptions External dependencies

Sidebar: Exception workflow Level 1 Level 2 Level 3 Level 4 Level 5

Challenges: Adapting SDL to Agile Iterative nature of Agile Projects may never end Just-in-time planning/YAGNI mentality General avoidance of project artifacts Emphasis on project/iteration backlogs General avoidance of automated tools

Writing secure code 90% Writing Secure Features Overflow defense Input validation Output encoding 10% Writing Security Features Cryptography Firewalls ACLs

Secure code does not featurize Not a User Story Doesn’t go in the Product Backlog Can’t get prioritized in or out Can’t decide to not do security this sprint

Taskifying the SDL Some are straightforward... Enable compiler switches Run static analysis tools …some are tougher (not actionable) Avoid banned APIs Access databases safely

Two strategies Verify these things by hand (alone or in pairs) Verify these things with tools

Challenges: Adapting SDL to Agile Iterative nature of Agile Projects may never end Just-in-time planning/YAGNI mentality General avoidance of project artifacts Emphasis on project/iteration backlogs General avoidance of automated tools

Static analysis requirements FxCop CAT.NET PREFast (/analyze) And/or your alternative tool(s) of choice These are “every-sprint” requirements Better still: Continuous Integration

Dynamic analysis requirements Fuzzers (homegrown) File parsers RPC interfaces ActiveX controls COM objects AppVerifier Passive HTTP traffic analysis And/or your alternative tool(s) of choice These are “bucket” requirements Or CI…

Secure coding libraries AntiXss StrSafe SafeInt Use always, check every sprint This is the future of the SDL

Strengths: Adapting SDL to Agile Bucket activities easily move in & out of sprints Teams self-select best security activities SDL versioning is simpler and more current Each iteration is a gate

Strengths: Adapting SDL to Agile Bucket activities easily move in & out of sprints Teams self-select best security activities SDL versioning is simpler and more current Each iteration is a gate “Welcome changing requirements, even late in development. Agile processes harness change for the customer’s competitive advantage.”

Strengths: Adapting SDL to Agile Bucket activities easily move in & out of sprints Teams self-select best security activities SDL versioning is simpler and more current Each iteration is a gate “At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly.”

Strengths: Adapting SDL to Agile Bucket activities easily move in & out of sprints Teams self-select best security activities SDL versioning is simpler and more current Each iteration is a gate

SDL-Agile “versioning” SDL-Classic Updated yearly Grandfather clause SDL-Agile Updated at any time Automatic updating

Strengths: Adapting SDL to Agile Bucket activities easily move in & out of sprints Teams self-select best security activities SDL versioning is simpler and more current Each iteration is a gate

“Security and privacy are most effective when ‘built-in’ throughout the entire development lifecycle” “Security is most effective when it is ‘baked-in’ from the start” This fits Agile perfectly

The Agile Manifesto Individuals and interactions Working software Customer collaboration Responding to change Processes and tools Comprehensive documentation Contract negotiation Following a plan

The SDL-Agile Manifesto Continuous, incremental effort Automated tasks Planned incident response Heroic pushes Manual processes Ad-hoc response

Security Development Lifecycle v4.1a - including SDL for Agile Development Guidance

More Resources My alias: bryansul

Sessions On-Demand & Community Resources for IT Professionals Resources for Developers Microsoft Certification & Training Resources Resources Required Slide Speakers, TechEd 2009 is not producing a DVD. Please announce that attendees can access session recordings at TechEd Online. Required Slide Speakers, TechEd 2009 is not producing a DVD. Please announce that attendees can access session recordings at TechEd Online.

Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. Required Slide