Ivan Medvedev Principal Security Development Lead Microsoft Corporation

Session Objectives and Takeaways
Session objectives:
- Give an overview of the Security Development Lifecycle
- Discuss the externally available tools that support the SDL
- Provide guidance on using the tools to build more secure software
Key takeaways:
- Microsoft is investing in supporting the SDL
- Customers should use the tools to build more secure software

Security Timeline at Microsoft
2002-2003:
- Bill Gates writes the Trustworthy Computing memo (early 2002)
- Windows security push for Windows Server 2003
- Security push and FSR extended to other products
2004:
- Microsoft Senior Leadership Team agrees to require SDL for all products that are exposed to meaningful risk and/or process sensitive data
2005-2007:
- Optimize the process through feedback, analysis and automation
- SDL is enhanced: fuzz testing, code analysis, crypto design requirements, privacy, banned APIs and more
- Windows Vista is the first OS to go through a full SDL cycle
Now:
- Evangelize the SDL to the software development community: SDL Process Guidance, SDL Optimization Model, SDL Pro Network, SDL Threat Modeling Tool, SDL Process Templates

SDL Continual Improvement
Microsoft's secure development processes have come a long way since the SDL was first introduced; the SDL is constantly evolving.

SDL for Spiral/Waterfall Development
- Education
- Process
- Accountability
- Ongoing Process Improvements

SDL for Agile Development
Major differentiators of Agile:
- No distinct phases
- Short release cycles
Simple:
Comprehensive:
Customizable:

What About the Cloud?
- Native code requirements address implementation of cloud services
- SDL has applied to web properties since v3.2
- Requirements address issues such as cross-site scripting and SQL injection
- Cloud services and web properties often use agile development models: the product cycle might be 2 weeks, not three years
- Multiple iterations of SDL for agile development since 2006

Motivation for Action
- The application space is under attack: things are bad, and getting worse
- Users now expect security *without* having to pay for it
- Software security and holistic development practices are becoming a competitive differentiator
- Procurement: showing up in government regulations (DISA STIG, NIST Smart Grid Requirements)
- Failure to show forward momentum will lead to unintended consequences and loss of consumer trust

Tools for SDL: Requirements and Release
- SDL Process Template
- MSF-Agile + SDL Process Template

SDL Template for VSTS (Spiral)
The SDL Process Template integrates SDL 4.1 directly into the VSTS software development environment.
- Incorporates SDL requirements as work items
- SDL-based check-in policies
- Generates the Final Security Review report
- Third-party security tools
- Security bugs and custom queries
- A library of SDL how-to guidance
Integrates with previously released free SDL tools:
- SDL Threat Modeling Tool
- BinScope Binary Analyzer
- MiniFuzz File Fuzzer

MSF Agile + SDL Template for VSTS
- Automatically creates new security workflow items for SDL requirements whenever users check in code or create new sprints
- Ensures important security processes are not accidentally skipped or forgotten
- Incorporates SDL-Agile secure development practices directly into the Visual Studio IDE; now available as beta (planned release at the end of Q2CY10)
- Integrates with previously released free SDL tools: SDL Threat Modeling Tool, BinScope Binary Analyzer, MiniFuzz File Fuzzer
- Will be updated for VS2010

Tools for SDL: Design
- SDL Threat Modeling Tool

SDL Threat Modeling Tool
Transforms threat modeling from an expert-led process into a process that any software architect can perform effectively. Provides:
- Guidance in drawing threat diagrams
- Guided analysis of threats and mitigations
- Integration with bug tracking systems
- Robust reporting capabilities

Tools for SDL: Implementation
- banned.h
- Code Analysis for C/C++ (Visual Studio Premium and Ultimate)
- Microsoft Code Analysis Tool .NET (CAT.NET) 1.0 CTP: detects common web app vulnerabilities, like XSS
- FxCop 10.0: standalone or integrated into VS Premium and Ultimate
- Anti-Cross Site Scripting (Anti-XSS) Library 4.0
- SiteLock ATL Template
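banned.h works at compile time: it marks the unsafe C runtime functions as deprecated so that the compiler refuses them. The scanner below is an added example, not Microsoft's header or any tool from the deck; it finds the same kind of calls in C source text and names the safe-CRT replacement. The function list is a small subset of banned.h chosen for this example, and the C snippet is constructed input.

```python
import re

# Subset of the functions banned.h deprecates, mapped to their safe-CRT replacements.
# The selection here is this example's own; the real header covers many more names.
BANNED = {
    "strcpy": "strcpy_s", "strncpy": "strncpy_s",
    "strcat": "strcat_s", "strncat": "strncat_s",
    "sprintf": "sprintf_s", "vsprintf": "vsprintf_s",
    "gets": "gets_s", "scanf": "scanf_s", "sscanf": "sscanf_s",
}

# A banned name followed by "(" that is not part of a longer identifier
# (so strcpy_s and my_strcpy are not matched).
CALL_RE = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(map(re.escape, BANNED)) + r")\s*\("
)

def _strip_noise(line, state):
    """Remove block comments, line comments and string literals from one line.
    `state` is a one-element list recording whether we are inside a /* ... */ comment."""
    if state[0]:
        end = line.find("*/")
        if end < 0:
            return ""
        line, state[0] = line[end + 2:], False
    while True:
        start = line.find("/*")
        if start < 0:
            break
        end = line.find("*/", start + 2)
        if end < 0:
            line, state[0] = line[:start], True
            break
        line = line[:start] + line[end + 2:]
    line = line.split("//", 1)[0]
    return re.sub(r'"(\\.|[^"\\])*"', '""', line)

def scan_source(text):
    """Return (line number, banned function, suggested replacement) for each banned call."""
    findings, state = [], [False]
    for lineno, raw in enumerate(text.splitlines(), 1):
        for m in CALL_RE.finditer(_strip_noise(raw, state)):
            findings.append((lineno, m.group(1), BANNED[m.group(1)]))
    return findings

# Constructed C snippet used as sample input.
SAMPLE_C = """\
#include <string.h>
#include <stdio.h>
void copy(char *dst, size_t n, const char *src) {
    strcpy(dst, src);            /* banned: no bounds */
    strcpy_s(dst, n, src);       // safe-CRT replacement, not flagged
    /* strcat(dst, src); commented out, ignored */
    printf("strcat(");           // inside a string literal, ignored
    sprintf(dst, "%s", src);     // banned
    my_strcpy(dst, src);         // different identifier, ignored
}
"""

def main():
    for lineno, fn, fix in scan_source(SAMPLE_C):
        print(f"line {lineno}: {fn}() is banned, use {fix}()")

if __name__ == "__main__":
    main()
```

A textual scanner like this is a pre-commit aid, not a replacement for the header: banned.h also catches calls that reach the functions through macros or headers, which no line-oriented regex sees.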

Tools for SDL: Verification
- BinScope Binary Analyzer: ensures the build process followed the SDL
- MiniFuzz File Fuzzer
- !exploitable
- RegexFuzzer
- Attack Surface Analyzer Beta: snapshot-based analysis
- AppVerifier: dynamic analysis

BinScope Binary Analyzer
Provides an extensive analysis of an application binary. Checks done by BinScope:
- /GS, to prevent buffer overflows
- /SafeSEH, to ensure safe exception handling
- /NXCOMPAT, to prevent data execution
- /DYNAMICBASE, to enable ASLR
- Strong-named assemblies, to ensure unique key pairs and strong integrity checks
- Known-good ATL headers are being used
Use either standalone or integrated with Visual Studio (VS) and Team Foundation Server (TFS).
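Two of the checks above, /NXCOMPAT and /DYNAMICBASE, are recorded as bits in the DllCharacteristics field of the PE optional header, so they can be verified from the file alone. The following is an added example, not BinScope and not Microsoft's code: it parses that header and lists which of those two flags are missing. The /GS and /SafeSEH checks cannot be read from this field (they need the load configuration directory and the security cookie), so this example deliberately covers only the header bits. The PE image it builds is a constructed header for testing, not a loadable executable.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE optional header.
DYNAMIC_BASE = 0x0040     # /DYNAMICBASE: image can be relocated (ASLR)
NX_COMPAT = 0x0100        # /NXCOMPAT: image is DEP-compatible
HIGH_ENTROPY_VA = 0x0020  # /HIGHENTROPYVA: 64-bit high-entropy ASLR
NO_SEH = 0x0400           # image uses no structured exception handlers

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLLCHAR_OFFSET = 70       # DllCharacteristics offset in the optional header (PE32 and PE32+)

def build_fake_pe(dll_characteristics, pe32plus=False):
    """Construct a minimal PE header (constructed test input, not a loadable image)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)        # e_lfanew points at "PE\0\0"
    opt_size = 240 if pe32plus else 224
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

def check_mitigations(data):
    """Read the DllCharacteristics flags of a PE image and report which linker
    mitigations are enabled. Raises ValueError on anything that is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff_off = e_lfanew + 4
    if len(data) < coff_off + 20:
        raise ValueError("COFF header truncated")
    opt_size = struct.unpack_from("<H", data, coff_off + 16)[0]
    opt_off = coff_off + 20
    if opt_size < DLLCHAR_OFFSET + 2 or len(data) < opt_off + opt_size:
        raise ValueError("optional header missing or truncated")
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    dllc = struct.unpack_from("<H", data, opt_off + DLLCHAR_OFFSET)[0]
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "DYNAMICBASE": bool(dllc & DYNAMIC_BASE),
        "NXCOMPAT": bool(dllc & NX_COMPAT),
        "HIGH_ENTROPY_VA": bool(dllc & HIGH_ENTROPY_VA),
        "NO_SEH": bool(dllc & NO_SEH),
    }

def missing_mitigations(data):
    """Names of the two header-visible flags from the slide that are absent."""
    flags = check_mitigations(data)
    return [name for name in ("DYNAMICBASE", "NXCOMPAT") if not flags[name]]

if __name__ == "__main__":
    for bits in (0x0000, NX_COMPAT, DYNAMIC_BASE | NX_COMPAT):
        print(f"DllCharacteristics {bits:#06x}: missing {missing_mitigations(build_fake_pe(bits))}")
```

Run it against a real binary by passing `open(path, "rb").read()` to `missing_mitigations`; an empty list means both bits are set, which is necessary but not sufficient (a /DYNAMICBASE image with its relocations stripped still cannot be relocated, which is one reason the real tool inspects more than this field).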

MiniFuzz File Fuzzer
MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code.
- Creates corrupted variations of valid input files
- Exercises the code in an attempt to expose unexpected application behaviors
- Lightweight, for beginner or advanced security testing
- Use either standalone or integrated with Visual Studio (VS) and Team Foundation Server (TFS)

!exploitable
- Creates hashes to determine the uniqueness of a crash
- Assigns an exploitability rating to the crash: Exploitable, Probably Exploitable, Probably Not Exploitable, or Unknown
- An extension of Microsoft debuggers
- Open source: http://msecdbg.codeplex.com/
Example session:
1. Start the debugger on the application with the crashing file:
   windbg badapp.exe \users\mike\desktop\minifuzz\crashes\foobar8776.bad
2. Load the extension:
   !load winext\msec.dll
3. Run the process and have it parse the file:
   g
4. Finally, run !exploitable to take a first-pass analysis of the failure:
   !exploitable
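The two slides above describe a pipeline: MiniFuzz produces corrupted variations of a valid file and runs the target on each, and !exploitable then hashes each crash so duplicates collapse into one bucket. The block below is an added example of that pipeline in miniature; it is neither tool and not Microsoft's code. The file format, the toy parser and the seed file are all constructed for the example; the parser deliberately trusts its record count so that a truncated file makes it read past the end, which is the kind of unexpected behaviour a fuzzer is meant to surface. The hashing follows !exploitable's idea of a major hash (stack shape, ignoring exact line) and a minor hash (with lines); the exploitability rating is not reproduced, since it needs fault information only a debugger has.

```python
import hashlib
import random
import struct
import traceback

MAGIC = b"RECS"

def build_seed_file(records):
    """Construct a valid file in a toy format made up for this example:
    4-byte magic, 2-byte little-endian record count, then [1-byte length][payload] per record."""
    out = bytearray(MAGIC) + struct.pack("<H", len(records))
    for r in records:
        out += bytes([len(r)]) + r
    return bytes(out)

def parse_records(data):
    """Toy parser standing in for the file-handling code under test. It rejects bad
    magic cleanly (ValueError) but trusts the record count, so a truncated file
    makes it index past the end of the buffer."""
    if data[:4] != MAGIC:
        raise ValueError("bad magic")
    count = struct.unpack_from("<H", data, 4)[0]
    pos, records = 6, []
    for _ in range(count):
        length = data[pos]                      # IndexError when count exceeds what the file holds
        records.append(data[pos + 1:pos + 1 + length])
        pos += 1 + length
    return records

def mutate(seed, rng):
    """One corrupted variation of the seed: bit flip, interesting byte, truncation or insertion."""
    data = bytearray(seed)
    op = rng.choice(("bitflip", "byte", "truncate", "insert"))
    if op == "bitflip":
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif op == "byte":
        data[rng.randrange(len(data))] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
    elif op == "truncate":
        del data[rng.randrange(1, len(data)):]
    else:
        i = rng.randrange(len(data) + 1)
        data[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)

def fuzz_file(seed, n, rng_seed=0):
    """Deterministically generate n mutants that differ from the seed."""
    rng = random.Random(rng_seed)
    mutants = []
    while len(mutants) < n:
        m = mutate(seed, rng)
        if m != seed:
            mutants.append(m)
    return mutants

def crash_hashes(exc, depth=5):
    """Major/minor hashes over the innermost frames of a crash:
    major ignores line numbers, minor includes them."""
    frames = traceback.extract_tb(exc.__traceback__)[1:][-depth:]   # [1:] drops the harness frame
    kind = type(exc).__name__.encode()
    major = hashlib.sha1(kind + b"|".join(f.name.encode() for f in frames)).hexdigest()[:16]
    minor = hashlib.sha1(kind + b"|".join(f"{f.name}:{f.lineno}".encode() for f in frames)).hexdigest()[:16]
    return major, minor

def run_campaign(parser, inputs):
    """Feed each input to the parser; clean rejections (ValueError) are expected,
    anything else is a crash and is bucketed by its major hash."""
    buckets = {}
    for data in inputs:
        try:
            parser(data)
        except ValueError:
            continue
        except Exception as exc:
            major, minor = crash_hashes(exc)
            bucket = buckets.setdefault(major, {"type": type(exc).__name__, "minor": set(), "samples": []})
            bucket["minor"].add(minor)
            bucket["samples"].append(data)
    return buckets

SEED = build_seed_file([b"alpha", b"beta"])   # constructed valid input, 17 bytes

if __name__ == "__main__":
    for major, b in run_campaign(parse_records, fuzz_file(SEED, 500)).items():
        print(f"{major} {b['type']:<12} {len(b['samples'])} samples, {len(b['minor'])} minor hash(es)")
```

The split between "expected rejection" and "crash" is the part worth copying: a parser that raises its documented error on garbage is behaving, while any other exception (here IndexError, or struct.error for a file shorter than its header) is a finding, and bucketing by stack shape keeps five hundred mutants from turning into five hundred bug reports.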

Attack Surface Analyzer
- Takes system attack surface snapshots: one before and one after installing the product
- Compares the snapshots and generates a report
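The snapshot-and-compare approach is simple to reproduce for any inventory you can collect. The block below is an added example, not Attack Surface Analyzer's code or output format: it diffs two constructed snapshots (listening ports, services, file ACLs) and turns the differences into review items. The snapshot layout and the risk rules are this example's own choices.

```python
def snapshot_diff(before, after):
    """Compare two attack-surface snapshots of the form {category: {item: attributes}}
    and return, per category, what was added, removed or changed."""
    report = {}
    for category in sorted(set(before) | set(after)):
        old, new = before.get(category, {}), after.get(category, {})
        added = {k: new[k] for k in new if k not in old}
        removed = {k: old[k] for k in old if k not in new}
        changed = {k: (old[k], new[k]) for k in new if k in old and new[k] != old[k]}
        if added or removed or changed:
            report[category] = {"added": added, "removed": removed, "changed": changed}
    return report

def flag_risks(report):
    """Turn raw differences into review items; the rules are this example's own heuristics."""
    findings = []
    for port, info in report.get("listening_ports", {}).get("added", {}).items():
        if info.get("bind") == "0.0.0.0":
            findings.append(f"new {port} listening on all interfaces ({info['process']})")
    for name, info in report.get("services", {}).get("added", {}).items():
        if info.get("account") == "LocalSystem":
            findings.append(f"new service {name} runs as LocalSystem")
    for path, (old_acl, new_acl) in report.get("file_acls", {}).get("changed", {}).items():
        if "Everyone:W" in new_acl and "Everyone:W" not in old_acl:
            findings.append(f"{path} is now writable by Everyone")
    for port in report.get("listening_ports", {}).get("removed", {}):
        findings.append(f"{port} no longer listening (reduced attack surface)")
    return findings

def render(report, findings):
    """Plain-text report: one line per difference, then the review items."""
    lines = []
    for category, diff in report.items():
        for kind in ("added", "removed", "changed"):
            for key, value in diff[kind].items():
                lines.append(f"[{category}] {kind}: {key} -> {value}")
    lines += [f"REVIEW: {f}" for f in findings]
    return "\n".join(lines)

# Constructed snapshots: what a before/after scan of one machine might contain.
BEFORE = {
    "listening_ports": {"tcp/135": {"bind": "0.0.0.0", "process": "svchost.exe"},
                        "tcp/8443": {"bind": "127.0.0.1", "process": "OldAgent.exe"}},
    "services": {"Spooler": {"account": "LocalSystem", "start": "auto"}},
    "file_acls": {r"C:\Program Files\App\config.ini": "Administrators:F;Users:R"},
}
AFTER = {
    "listening_ports": {"tcp/135": {"bind": "0.0.0.0", "process": "svchost.exe"},
                        "tcp/8080": {"bind": "0.0.0.0", "process": "App.exe"}},
    "services": {"Spooler": {"account": "LocalSystem", "start": "auto"},
                 "AppUpdater": {"account": "LocalSystem", "start": "auto"}},
    "file_acls": {r"C:\Program Files\App\config.ini": "Administrators:F;Users:R;Everyone:W"},
}

if __name__ == "__main__":
    diff = snapshot_diff(BEFORE, AFTER)
    print(render(diff, flag_risks(diff)))
```

The value of the before snapshot is that it separates what the product added from what the machine already exposed; without it, a report on the after state alone would list tcp/135 and the Spooler service as if the installer were responsible for them.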

SDL Tools: Response
- EMET

EMET: Simplifying mitigation deployment
- GUI and command line interface
- Configure system-wide mitigations
- Enable mitigations for specific applications
- Verify mitigation settings

EMET: Protecting applications
- Protect at-risk or known vulnerable applications
- Protect against active 0day attacks in the wild
- Granular control over which mitigations are enabled

Important Resources
- Microsoft SDL Portal: http://microsoft.com/sdl
- SDL Tools (with download links and training/videos): http://www.microsoft.com/security/sdl/adopt/tools.aspx
- Visual Studio 2010: http://msdn.microsoft.com/en-us/vstudio/aa718325
- FxCop documentation: http://msdn.microsoft.com/en-us/library/dd264939(v=vs.100).aspx
- !exploitable: http://msecdbg.codeplex.com/
- MSEC: http://www.microsoft.com/security/msec.aspx

First BlueHat Prize Challenge: BlueHat Prize Announcement
- Design a novel runtime mitigation technology that is capable of preventing the exploitation of memory safety vulnerabilities
- Entry period: Aug 3, 2011 to Apr 1, 2012
- Winners announced: BlackHat USA, August 2012
- IP remains the property of the inventor, with a license for Microsoft to use the technology
- Grand Prize: $200,000 in cash
- Second Prize: $50,000 in cash
- Third Prize: MSDN subscription ($10,000 value)

Examples of Mitigation Technology
- Data Execution Prevention (DEP): sets non-executable memory pages
- Address Space Layout Randomization (ASLR): randomizes the memory in which apps load
- Structured Exception Handler Overwrite Protection (SEHOP): verifies exception handler lists have not been corrupted
Mitigation tools from Microsoft: download EMET

BlueHat Prize Judging Criteria
Practicality (30%):
- Can the solution be implemented and deployed at a large scale on Windows?
- Overhead must be low (e.g. CPU and memory cost no more than 5%).
- No application compatibility regressions should occur.
- No usability regressions should occur.
- Reasonable to develop, test, and deploy.
Robustness (30%):
- How easy would it be to bypass the proposed solution?
Impact (40%):
- Does the solution strongly address key open problems or significantly refine an existing approach?
- Would the solution strongly mitigate modern exploits above and beyond our current arsenal?

For More Information
- BlueHat Prize Web site: www.bluehatprize.com
- Questions? bluehatprize.@microsoft.com
- MSRC Blog: http://blogs.technet.com/msrc
- EcoStrat Blog: http://blogs.technet.com/ecostrat/
- Help Defend the Planet: http://careers.microsoft.com
- Follow us on Twitter: @k8em0 and @MSFTSecResponse

In Review: Session Objectives and Takeaways
Session objectives:
- Give an overview of the Security Development Lifecycle
- Discuss the externally available tools that support the SDL
- Provide guidance on using the tools to build more secure software
Key takeaways:
- Microsoft is investing in supporting the SDL
- Our customers should use the tools to build more secure software

We are hiring