Download presentation
Presentation is loading. Please wait.
1
Getting Ahead: Integrating Development and Response for Improved Security Steven B. Lipner Director of Security Engineering Strategy Security Business and Technology Unit Microsoft Corporation
2
Engineering excellence Security development lifecycle Microsoft Security Response Center Sharing best practices with administrators and developers
3
Security Development Lifecycle (SDL) Process Education Accountability Defines security requirements and milestones in every stage of the software development process Mandatory for products exposed to meaningful security risks Includes a Final Security Review (FSR) to determine if product is customer ready Mandatory annual training for developers, testers, program managers, user education staff and architects Funding academic curriculum development through Microsoft Research Publish guidance on writing secure code, threat modeling and SDL; as well as courses In-process metrics to provide early warning Post-release metrics assess final payoff (# of vulnerabilities) Training compliance for team and individuals
5
Final Security Review (FSR) “From a security viewpoint, is this software ready to deliver to customers?” Two to six months prior to software completion, depending on the scope of the software. Software must be in a stable state with only minimal non-security changes expected prior to release FSR results: If the FSR finds a pattern of remaining vulnerabilities, the proper response is not just to fix the vulnerabilities found, but to revisit the earlier phases and take pointed actions to address root causes (e.g., improve training, enhance tools)
6
Education for the SDL
7
Source: Microsoft Security Bulletin Search 65 35 Days 3090150210270330390450510570630690720
8
SQL Server 2000 2002-2005 (YTD)
9
Building A Security Response Process Security Bulletin Release Process Build a more Simplified, Manageable Process Enhance and Improve Bulletin Content Expand Resources and Support Security Incident Response Process Provide Timely and Relevant Information Help Mitigate and Protect Deliver Solution to Resolve
10
Releasing a Security Update Triaging Assess the report and the possible impact on customers Understand the severity of the vulnerability Rate the vulnerability according to severity and likelihood of exploit, and assign it a priority Managing Finder Relationship Establish communications channel Quick response Regular updates Build the community Encourage responsible reporting MSRC receives incoming vulnerability reports through: Secure@Microsoft.comSecure@Microsoft.com – Direct contact with MSRC Microsoft TechNet Security Site – anonymous reporting MSRC responds to all reports: 24 hour response Service Level Agreement to finder Internal response can be immediate when required Vulnerability Reporting Content Creation Security bulletin: Affected software/components Technical description Workarounds and Mitigations FAQs Acknowledgments Security bulletins - second Tuesday of every month Coordinate all content and resources Information and guidance to customers Monitor customer issues and press Release Creating the Fix SWI and Product Team: Investigate vulnerability impact Locate variants Investigate surrounding code and design Generate fix for Test Testing Several levels of testing: Setup and Build Verification Depth Integration and Breadth Microsoft Corporate network Controlled beta Update Dev Tools and Practices Update best practices Update testing tools Update development and design process
11
Outreach And Communications Pre Release Security Bulletin Advance Notification - three business days prior to release Second Tuesday Release Day Updates posted on Download Center, Windows Update and/or Office Update Bulletins posted RSS Feeds Customer email and instant message notifications Community outreach MS Field alerts and call downs Post Release Security Bulletins Webcast (Wednesday following release, 11AM PT) Supplementary Webcasts if needed Monitor bulletin uptake and customer issues through PSS and Windows Update Bulletin maintenance
12
Customer Process Improvement Build a more Simplified, Manageable Process Enhance and Improve Bulletin Content Expand Resources and Support Moved to monthly release of security bulletins: A predictable, manageable process Enable advance planning and preparations Software Update Validation Program to help ensure quality Advance notification three business days prior to release Publicly posted on Microsoft.com; Email alert available Revamped technical security bulletin format: Added a monthly summary bulletin that includes a summary table of affected software for each bulletin Added mitigations and workarounds per vulnerability Added more information and guidance on distribution and deployment Improved bulletin search tool on TechNet Security Security Advisories Technical webcast on Wednesday following the release RSS feed for security bulletins New notification services, including a comprehensive version and instant message alerts Malicious Software Removal Tool
13
Security Advisories Supplement Microsoft Security Bulletins Content More information Provide guidance and information about security related software changes or software updates Some examples of future topics may include: "Defense in Depth" security enhancements or changes unrelated to security vulnerabilities Guidance and mitigations that may be applicable for publicly disclosed vulnerabilities Top level summary detailing the reason for issuing the advisory Frequently asked questions Suggested actions May be updated any time we have new information Reference a unique Knowledge Base Article number for additional information Sign up for the Security Notification Service Comprehensive Edition at www.microsoft.com/technet/security/bulletin/notify.mspx www.microsoft.com/technet/security/bulletin/notify.mspx www.microsoft.com/technet/security/advisory
14
Security Incident Response Overview SSIRP - Software Security Incident Response Plan Companywide process to deal with critical security threats Mobilize Microsoft resources worldwide Goals: Quickly gain a thorough understanding of the problem Provide customers with timely, relevant, consistent information Deliver tools, security updates and other assistance to restore normal operation
15
Responding To A Security Incident Watch Observe environment to detect any potential issues Leverage existing relationships with: Partners Security researchers and finders Monitor customer requests and press inquiries Alert and Mobilize Convene and evaluate severity Mobilize security response teams and support groups into two main groups: Emergency Engineering Team Emergency Communications Team Start monitoring WW press interest and customer support lines for this issue AssessandStabilize Assess the situation and the technical information available Start working on solution Communicate initial guidance and workarounds to customers, partners and press Notify and inform Microsoft sales and support field Resolve Provide information and tools to restore normal operations Appropriate solution is provided to customers, such as a security update, tool or fix Conduct internal process reviews and gather lessons learned
16
Microsoft releases security bulletins for February 05, including MS05-009 which addresses a vulnerability in PNG Processing affecting MSN Messenger 6.1 & 6.2 Start monitoring customer help lines, newsgroup & community activities and press inquiries First reports of public exploit for MSN Messenger Alert security response teams and pull people into the emergency engineering and communications rooms Decision to start mandatory upgrades of MSN Messenger Notify customers and partners of mandatory upgrade decision: Updated Microsoft websites Partner and WW Field alerts Proactive move to mandatory upgrades minimized the impact and spread of the worm Case Study: MSN Messenger Watch (Feb. 8-9 2005) Alert & Mobilize (Feb. 9 2005) Resolve (Feb. 10-11 2005) Assess & Stabilize (Feb. 9 2005) Start analyzing technical details Initial guidance, recommending customers upgrade to the latest version of MSN Messenger which includes the fix, is communicated to customers Landing page off of www.microsoft.com/security/incident/im.mspx www.microsoft.com/security/incident/im.mspx Email alerts sent through the security notification services Send out partner and WW Field alerts
17
Sign up to receive security updates notifications via email, instant message, mobile devices or RSS Download and deploy security updates (Microsoft Download Center, Windows Update) Attend the monthly TechNet Security Bulletin Webcast Review information and guidelines on the Microsoft TechNet Security site www.microsoft.com/technet/security/default.mspx Report security vulnerabilities through secure@microsoft.com secure@microsoft.com Review SDL for your development projects http://msdn.microsoft.com/security/default.aspx?pull= /library/en-us/dnsecure/html/sdl.asp What You Should Do Check out the MSRC Blog at http://blogs.technet.com/msrc http://blogs.technet.com/msrc
18
Resources Microsoft Security Web sites: www.microsoft.com/security and www.microsoft.com/technet/securitywww.microsoft.com/security www.microsoft.com/technet/security Sign up to receive notifications on security updates: www.microsoft.com/security/bulletins/alerts.mspx www.microsoft.com/security/bulletins/alerts.mspx Sign up for the Security Bulletin Web cast: www.microsoft.com/technet/security/bulletin/summary.mspx www.microsoft.com/technet/security/bulletin/summary.mspx RSS Feeds for Security Bulletins: www.microsoft.com/technet/security/bulletin/secrssinfo.mspx www.microsoft.com/technet/security/bulletin/secrssinfo.mspx More from the Microsoft Security Response Center: Web site: www.microsoft.com/msrcwww.microsoft.com/msrc Blog: http://blogs.technet.com/msrchttp://blogs.technet.com/msrc Security Bulletins Search: www.microsoft.com/technet/security/current.aspx www.microsoft.com/technet/security/current.aspx Security Advisories: www.microsoft.com/technet/security/advisorywww.microsoft.com/technet/security/advisory Security Guidance Center for Enterprises: www.microsoft.com/security/guidance www.microsoft.com/security/guidance MSDN Security Developer Center http://msdn.microsoft.com/security/ Protect Your PC: www.microsoft.com/protectwww.microsoft.com/protect
19
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.