Addressing Security Satisfaction Cliff Evans Security and Privacy Lead Trustworthy Computing Group Microsoft UK


Post on 23-Dec-2015


Page 1: Cliff Evans Security and Privacy Lead Trustworthy Computing Group Microsoft UK

Addressing Security Satisfaction

Cliff Evans, Security and Privacy Lead, Trustworthy Computing Group, Microsoft UK

Page 2

Agenda

- The Fundamentals
- Satisfaction – How are we doing?
- The Approach: Trustworthy Computing; Security Development Lifecycle (SDL); Vulnerability Analysis
- Helping you Secure your IT Environment (free tools and information): SDL the next steps; Microsoft Security Assessment Tool; Microsoft UK Security Newsletter

Page 3

Satisfaction – How are we doing?

Consumers: very high overall satisfaction, high security satisfaction, high privacy satisfaction.

IT Professionals / Business Decision Makers: moderate overall satisfaction, moderate security satisfaction, moderate privacy satisfaction.

Page 4

Trustworthy Computing

[Timeline chart, 2002-2008, starting with TWC announced and SDL begins in 2002, followed by: Windows Server 2003, Windows XP SP2, DSI launched, Malicious SW Removal Tool, Windows Server 2003 SP1, SQL Server 2005, Visual Studio 2005, Windows Defender, Windows Live OneCare, Windows Vista, Office 2007, Forefront, Windows Server 2008 and SQL Server 2008.]

Page 5

The Microsoft Security Development Lifecycle

Goals: protect Microsoft customers by reducing the number of vulnerabilities and reducing the severity of vulnerabilities.

Key Principles: prescriptive yet practical approach; proactive – not just “looking for bugs”; eliminate security problems early; secure by design.

[Diagram: the SDL spans the product lifecycle from Conception to Release.]

Page 6

SDL Results

[Charts (plotted values not shown in the transcript):
- Vulnerabilities disclosed and fixed, quarterly totals, 2000-2006** (Microsoft SQL Server)
- First Year of Vulnerabilities*: Windows XP vs Windows Vista, fixed and unfixed
- Vulnerabilities Fixed One Year After Release*: Windows XP SP2 vs Windows Vista, by severity (Critical, Important, Moderate, Low)
- IE 6 vs IE 7, 2007*, by severity (Medium, High)]

*Source: http://blogs.csoonline.com/blog/jeff_jones

**Source: Which database is more secure? Oracle vs. Microsoft, David Litchfield, NGS Software, 21-November-2006

Page 7

SDL Results

Source: http://blogs.csoonline.com/blog/jeff_jones

Vulnerability disclosures per half-year, Microsoft (MSFT) versus all other vendors, and Microsoft's share of all disclosures:

Period | MSFT vulns | non-MSFT vulns | MSFT % of All Disclosures
1H03   | 44         | 708            | 5.9%
2H03   | 66         | 631            | 9.5%
1H04   | 64         | 1138           | 5.3%
2H04   | 88         | 1391           | 5.9%
1H05   | 75         | 1954           | 3.7%
2H05   | 87         | 2573           | 3.3%
1H06   | 98         | 3179           | 3.0%
2H06   | 168        | 3268           | 4.9%
1H07   | 146        | 3296           | 4.2%
2H07   | 90         | 2815           | 3.1%
1H08   | 80         | 2712           | 2.9%

Page 8

Windows Server @ 90 Days

Vulnerabilities in First 90 Days:

Windows Server 2003-all  | 9
Windows Server 2003-gui  | 9
Windows Server 2008-all  | 6
Windows Server 2008-gui  | 4
Windows Server 2008-core | 3

Source: internal study by Jeff Jones

Page 9

Windows Vista – First 12 Months

http://blogs.csoonline.com/blog/jeff_jones

Metric (year 1)                   | Windows Vista | Windows XP | Red Hat rhel4ws reduced | Ubuntu 6.06 LTS reduced | Mac OS X 10.4
Vulnerabilities fixed             | 36            | 65         | 360                     | 224                     | 116
Security Updates                  | 17            | 30         | 125                     | 80                      | 17
Patch Events                      | 9             | 26         | 64                      | 65                      | 17
Weeks with at least 1 Patch Event | 9             | 25         | 44                      | 39                      | 15

[Chart: First Year of Vulnerabilities, fixed and unfixed, for Windows XP, Windows Vista, RHEL4 reduced, Ubuntu LTS reduced and Mac OS X 10.4.]

Page 10

Microsoft Security: Defense In Depth

[Diagram, built on TWC and the SDL:
- Systems Management: Operations Manager 2007, Configuration Manager 2007, Data Protection Manager, Mobile Device Manager 2008
- Identity & Access Management: Active Directory Federation Services (ADFS), Certificate Lifecycle Management Services
- Information Protection: Encrypting File System (EFS), BitLocker™
- Network Access Protection (NAP)
- Forefront “Stirling” Management across Client and Server OS, Server Applications and Edge]

Page 11

Next Generation Microsoft Forefront

Comprehensive line of business security products that helps you gain greater protection and secure access through deep integration and simplified management.

Page 12

Microsoft Forefront Product Roadmap

[Roadmap chart: rows Client and Server OS, Server Applications, Network Edge and Integrated Security System (Codename “Stirling”); columns H1 2008, H2 2008 and H1 2009; each entry is marked NEW, NEXT or BETA.]

Page 13

SDL Pro Network

www.microsoft.com/sdl

Security service providers that specialize in application security and have been trained by Microsoft in the tools and guidance associated with its Security Development Lifecycle. These service providers will guide and support organizations - both large and small - in implementing the SDL in their environments.

Page 14

SDL Optimization Model

www.microsoft.com/sdl

Created to facilitate gradual, consistent and cost-effective implementation of the SDL in development organizations outside of Microsoft. The model, which will be freely available for download in November, is based on the Microsoft IT Infrastructure and Application Platform Optimization models, which focus on leveraging IT as a driver of business value.

Page 15

Microsoft SDL Threat Modelling

www.microsoft.com/sdl

Allows for early, structured analysis and proactive mitigation and tracking of potential security and privacy issues in new and existing applications. Due for release in November, this new, freely available tool will offer a threat modelling methodology that any software architect can lead effectively.

Page 16

Microsoft Security Assessment Tool (MSAT)

www.microsoft.com/security/msat

The Microsoft Security Assessment Tool (MSAT) is a free tool designed to help organizations assess weaknesses in your current IT security environment, reveal a prioritized list of issues, and help provide specific guidance to minimize those risks.

Page 17

Page 18

Page 19

Microsoft Security Assessment Tool (MSAT)

www.microsoft.com/security/msat

Page 20

UK Security Newsletter

www.microsoft.com/uk/security

Page 21

Microsoft’s Security Strategy

Page 22

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.