The Security Development Lifecycle

Similar documents
The Security Development Lifecycle. Steven B. Lipner, CISSP Senior Director Security Engineering Strategy Microsoft Corp.

MICROSOFT SECURITY DEVELOPMENT LIFECYCLE (SDL)

Software Development: The Next Security Frontier

Software Application Control and SDLC

The Security Development Lifecycle. OWASP 24 June The OWASP Foundation

PI Server Security Best Practice Guide Bryan Owen Cyber Security Manager OSIsoft

ensuring security the way how we do it

Agile and Secure: Can We Be Both?

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Software Assurance: An Overview of Current Industry Best Practices

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Transparency. Privacy. Compliance. Security. What does privacy at Microsoft mean? Are you using my data to build advertising products?

SAFECode Security Development Lifecycle (SDL)

Microsoft SDL: Agile Development

Juniper Networks Secure

-.% . /(.0/ ) 53%/( (01 (%((. * 7071 (%%2 $,( . 8 / 9!0/!1 . # (3(0 31.%::((. ;.!0.!1 %2% . ".(0.1 $) (%+"",(%$.(6

ISA Security Compliance Institute ISASecure IACS Certification Programs

Secure Development LifeCycles (SDLC)

SA Tool Kit release life cycle

05.0 Application Development

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

112 BSIMM Activities at a Glance

Threat Modelling for Web Application Deployment. Ivan Ristic (Thinking Stone)

ISSECO Syllabus Public Version v1.0

Remote Services. Managing Open Systems with Remote Services

External Supplier Control Requirements

Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance

Operational security for online services overview

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Revision History Revision Date Changes Initial version published to

Secure Development Lifecycle. Eoin Keary & Jim Manico

Developing secure software A practical approach

Vulnerability management lifecycle: defining vulnerability management

Measuring the Attack Surfaces of SAP Business Applications

Cisco Advanced Services for Network Security

Ivan Medvedev Principal Security Development Lead Microsoft Corporation

Effective Software Security Management

Security Touchpoints When Acquiring Software. Dr Carsten Huth Nadim Barsoum Dawid Sroka

Securing the Microsoft Cloud

Security Vulnerability Management. Mark J Cox

Cisco Security Optimization Service

Agile and Secure Can We Be Both? Chicago OWASP. June 20 th, 2007

Secure Software Development Lifecycle. Security... Not getting better

Cutting Edge Practices for Secure Software Engineering

The Security Development Lifecycle at SAP How SAP Builds Security into Software Products

IT-Risk-Management. Secure Software Design Secure Development Lifecycle

Agile and Secure: OWASP AppSec Seattle Oct The OWASP Foundation

SAST, DAST and Vulnerability Assessments, = 4

Microsoft Security Development Lifecycle for IT. Rob Labbé Application Consulting and Engineering Services

Fuzzing in Microsoft and FuzzGuru framework

Practitioner Certificate in Information Assurance Architecture (PCiIAA)

Christchurch Polytechnic Institute of Technology Information Systems Acquisition, Development and Maintenance Security Standard

Security aspects of e-tailing. Chapter 7

Information Technology Security Review April 16, 2012

Columbia University Web Security Standards and Practices. Objective and Scope

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Securing the Microsoft Cloud

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

90% of data breaches are caused by software vulnerabilities.

Application Security Testing

Seven Practical Steps to Delivering More Secure Software. January 2011

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

The Education Fellowship Finance Centralisation IT Security Strategy

Medical Device Security Health Group Digital Output

CompTIA Security+ (Exam SY0-410)

DEVELOPING SECURE SOFTWARE

Building Security into the Software Life Cycle

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems

BUDGET LETTER PEER-TO-PEER FILE SHARING , , EXECUTIVE ORDER S-16-04

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Security in Space: Intelsat Information Assurance

Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Certification Report

G- Cloud Specialist Cloud Services. Security and Penetration Testing. Overview

SAP Product and Cloud Security Strategy

INTRODUCTION: PENETRATION TEST A BUSINESS PERSPECTIVE:

Change Management. Why Change Management? CHAPTER

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

IBM Rational AppScan: Application security and risk management

Insecurity in Security Software

Windows Server Virtualization & The Windows Hypervisor

The self-defending network a resilient network. By Steen Pedersen Ementor, Denmark

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Transcription:

The Security Development Lifecycle Steven B. Lipner Director of Security Engineering Strategy Security Business and Technology Unit Microsoft Corporation

Context and History 1960s penetrate and patch 1970s theories and research security kernels 1980s the Orange Book and high assurance product efforts Late 1980s - viruses Early 1990s the Internet, firewalls, and C2 as commodity Late 1990s security features, vulnerability discovery, worms 2000s the quest for real world assurance

Resilient to attack Individual control of personal data Engineering Excellence Protects confidentiality, integrity, availability of data and systems Adhere to fair information principles Dependable, performs at expected levels Protects individual s right to be left alone Available when needed Open, transparent interaction with customers Address issues with products and services Help customers find appropriate solutions

What is the Security Development Lifecycle? A PROCESS by which Microsoft develops software, that defines security requirements and milestones MANDATORY for products that are exposed to meaningful security risk EVOLVING and new factors, such as privacy, are being added COMPATIBLE with COTS product development processes EFFECTIVE at addressing security issues; designed to produce DEMONSTRATABLE RESULTS (not all methodologies do this) It has shown itself to highly effective at reducing vulnerabilities ies in commercial software The SDL puts Microsoft on a path toward real world assurance and more secure software

Traditional Baseline Process M0 M1 M2 M3 M4 M5 Requirements Design Implementation Verification Release Main Deliverables Vision Memo Main Deliverables Design (spec) Main Deliverables Feature and platform code Main Deliverables Beta Main Deliverables Final Code Complete Release Candidate RTM/RTW

Integrating the SDL into the Process

Training for the SDL New employees do not arrive with ability to develop secure software Microsoft trains staff as part of New Employee Orientation Microsoft trains staff as part of a security push Microsoft trains developers, testers, program managers, user education staff and architects annually Microsoft funds curriculum development through Microsoft Research Microsoft publishes training on writing secure code, threat modeling and SDL (pending) and offers courses (see http://www.microsoft.com/learning/)

Stages of the SDL Requirements Consider security up front Design Architecture, TCB, least privilege, threat models Development Code reviews, fuzz testing, static analysis tools Verification Security push for new and legacy code Release Final Security Review (FSR) Response Closing the feedback loop

Requirements Phase Opportunity to consider security at the outset Central Security Team assigns Security Advisor (SA) Development team identifies security requirements SA reviews product plan, makes recommendations, ensures resources allocated by management SA assess security milestones and exit criteria (NOTE: This SA will stay with the project through the Final Security Review)

Design Design Stage Define and document security architecture Identify security critical components ( trusted base ) Identify design techniques (e.g., layering, managed code, least privilege, attack surface minimization) Document attack surface and limit through default settings Create threat models (e.g., identify assets, interfaces, threats, risk) and mitigate threats through countermeasures Identify specialized test tools Define supplemental ship criteria due to unique product issues (e.g., cross-site site scripting tests) Confer with SA on questions Exit Criteria: Design review complete and signed off by development team and security advisor

Development Apply coding and testing standards (e.g., safe string handling) Apply fuzz testing tools (structured invalid inputs to network protocol and file parsers) Apply static code analysis tools (to find, e.g., buffer overruns, integer overruns, uninitialized variables) Conduct code reviews

Verification Software functionally complete and enters Beta Because code complete, testing both new and legacy code Security Push Code reviews focus on legacy code Penetration and other security testing Review design, architecture, threat models in light of new threats

Final Security Review (FSR) From a security viewpoint, is this software ready to deliver to customers? Two to six months prior to software completion, depending on the scope of the software Software must be in a stable state with only minimal non-security changes expected prior to release FSR Results: If the FSR finds a pattern of remaining vulnerabilities, the proper response is not just to fix the vulnerabilities found, but to revisit the earlier phases and take pointed actions to address root causes (e.g., improve training, enhance tools)

Final Security Review (FSR) What is in the FSR Completion of a questionnaire by the product team Interview by a security team member assigned to the FSR Review of bugs that were initially identified as security bugs, but on further analysis were determined not to have impact on security, to ensure that the analysis was done correctly Analysis of any newly reported vulnerabilities affecting similar software to check for resiliency Additional penetration testing, possibly by outside contractors to supplement the security team Penetrate and patch? Penetration test is only one component of FSR Overall assessment of fitness is the primary output Individual findings support these findings

Response Phase Microsoft Security Response Center Sustained Engineering Teams Patch Management Post mortems and feedback to the SDL

Evolving the SDL The SDL is documented Updates are released twice a year New objectives New techniques New threats We reserve the right to change the rules at the drop of a hat if the threat environment changes

Measuring Results of the SDL 55 17 455

Measuring Results of the SDL 14 7 Service Pack 3 1 3 Service Pack 3 Bulletins in prior period Bulletins since TwC release Bulletins in prior period Bulletins since TwC release Shipped July 2002, 24 months ago Shipped Jan. 2003, 18 months ago

Measuring Results of the SDL Measured results to date based on early implementation of the SDL Process has evolved from January 2002 Results to date demonstrate that incremental application of process yields incremental benefits Improved security in place when software is released Evidence of SDL is software and development artifacts (e.g. threat models) not primarily documentation Process is not all or nothing Process is expensive, but benefits justify investment

The SDL and the Common Criteria Common Criteria has been successful in many ways Mutual recognition Flexibility to evaluate new classes of products and configurations Vendor commitment to process But there are still some hard questions Common Criteria focuses on security features Attackers don t At commercially viable assurance levels, Common Criteria does not reduce vulnerability rates Common Criteria evaluation is often after-the the-fact Common Criteria evaluation is relatively expensive (though much cheaper than implementation of the SDL

Closing Thoughts and Recommendations To the academic community Teach secure features, not security features Help us evolve techniques to make the SDL even more effective To NSA and other Common Criteria partners Consider evolution of the Common Criteria to recognize processes such as (based on) the SDL Combination of commercial viability and reduced vulnerability will ensure relevance and market acceptance

2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information