![Page 1: Cliff Evans Security and Privacy Lead Trustworthy Computing Group Microsoft UK](https://reader036.vdocuments.us/reader036/viewer/2022062715/56649db45503460f94aa53ec/html5/thumbnails/1.jpg)
Addressing Security Satisfaction
Cliff Evans, Security and Privacy Lead, Trustworthy Computing Group, Microsoft UK
Agenda

The Fundamentals
- Satisfaction – How are we doing?

The Approach
- Trustworthy Computing
- Security Development Lifecycle (SDL)
- Vulnerability Analysis

Helping you Secure your IT Environment (free tools and information)
- SDL: the next steps
- Microsoft Security Assessment Tool
- Microsoft UK Security Newsletter
Satisfaction – How are we doing?

Consumers
- Very High Overall Satisfaction
- High Security Satisfaction
- High Privacy Satisfaction

IT Professionals / Business Decision Makers
- Moderate Overall Satisfaction
- Moderate Security Satisfaction
- Moderate Privacy Satisfaction
Trustworthy Computing

Timeline, 2002 to 2008 (milestone labels recovered from the slide, in roughly chronological order; exact year positions are not preserved in the extracted text): TWC Announced; SDL begins; Windows Server 2003; DSI Launched; Windows XP SP2; Windows Server 2003 SP1; Malicious SW Removal Tool; SQL Server 2005; Visual Studio 2005; Windows Defender; Windows Live OneCare; Windows Vista; Office 2007; Forefront; Windows Server 2008; SQL Server 2008.
The Microsoft Security Development Lifecycle

Goals: Protect Microsoft customers by
- Reducing the number of vulnerabilities
- Reducing the severity of vulnerabilities

Key Principles
- Prescriptive yet practical approach
- Proactive – not just “looking for bugs”
- Eliminate security problems early
- Secure by design

Lifecycle span shown on the slide: Conception to Release
SDL Results

Four charts appear on the slide, titled: First Year of Vulnerabilities*; 2007*; Vulnerabilities Fixed One Year After Release*; Vulnerabilities disclosed and fixed, quarterly totals, 2000-2006**. The data labels recoverable from the extracted text are tabulated below.

Chart: Microsoft SQL Server, vulnerabilities disclosed and fixed, quarterly totals, 2000-2006** (Q4 2000 to Q4 2006; y-axis 0-20; the individual quarterly values are not recoverable from the extracted text).

Chart: First Year of Vulnerabilities*, Windows XP vs. Windows Vista

| Product | Fixed | Unfixed |
|---|---|---|
| Windows XP | 65 | 54 |
| Windows Vista | 36 | 30 |

Chart: Windows XP SP2 vs. Windows Vista, vulnerabilities fixed by severity (one of the two titles "2007*" and "Vulnerabilities Fixed One Year After Release*" belongs to this chart, the other to the IE chart below)

| Product | Critical | Important | Moderate | Low |
|---|---|---|---|---|
| Windows XP SP2 | 35 | 15 | 4 | 2 |
| Windows Vista | 17 | 19 | 7 | 2 |

Chart: IE 6 vs. IE 7, vulnerabilities by severity

| Product | Medium | High |
|---|---|---|
| IE 6 | 18 | 8 |
| IE 7 | 14 | 3 |

*Source: http://blogs.csoonline.com/blog/jeff_jones
**Source: Which database is more secure? Oracle vs. Microsoft, David Litchfield, NGS Software, 21-November-2006
SDL Results

Source: http://blogs.csoonline.com/blog/jeff_jones

Vulnerability disclosures per half-year, Microsoft (MSFT vulns) vs. all other vendors (non-MSFT vulns), and Microsoft's share of all disclosures (the two charts on the slide, combined into one table):

| Period | MSFT vulns | non-MSFT vulns | MSFT % of All Disclosures |
|---|---|---|---|
| 1H03 | 44 | 708 | 5.9% |
| 2H03 | 66 | 631 | 9.5% |
| 1H04 | 64 | 1138 | 5.3% |
| 2H04 | 88 | 1391 | 5.9% |
| 1H05 | 75 | 1954 | 3.7% |
| 2H05 | 87 | 2573 | 3.3% |
| 1H06 | 98 | 3179 | 3.0% |
| 2H06 | 168 | 3268 | 4.9% |
| 1H07 | 146 | 3296 | 4.2% |
| 2H07 | 90 | 2815 | 3.1% |
| 1H08 | 80 | 2712 | 2.9% |
Windows Server @ 90 Days

Source: internal study by Jeff Jones

Vulnerabilities in First 90 Days:

| Configuration | Vulnerabilities |
|---|---|
| Windows Server 2003 - all | 9 |
| Windows Server 2003 - gui | 9 |
| Windows Server 2008 - all | 6 |
| Windows Server 2008 - gui | 4 |
| Windows Server 2008 - core | 3 |
Windows Vista – First 12 Months

Source: http://blogs.csoonline.com/blog/jeff_jones

| Metric | Windows Vista (year 1) | Windows XP (year 1) | Red Hat rhel4ws reduced (year 1) | Ubuntu 6.06 LTS reduced (year 1) | Mac OS X 10.4 (year 1) |
|---|---|---|---|---|---|
| Vulnerabilities fixed | 36 | 65 | 360 | 224 | 116 |
| Security Updates | 17 | 30 | 125 | 80 | 17 |
| Patch Events | 9 | 26 | 64 | 65 | 17 |
| Weeks with at least 1 Patch Event | 9 | 25 | 44 | 39 | 15 |

Chart: First Year of Vulnerabilities, Fixed and Unfixed, for Windows XP, Windows Vista, RHEL4 reduced, Ubuntu LTS reduced and Mac OS X 10.4 (y-axis 0-400; the Fixed values are the "Vulnerabilities fixed" row above; the Unfixed values are not recoverable from the extracted text).
Microsoft Security: Defense In Depth

TWC / SDL

Systems Management
- Operations Manager 2007
- Configuration Manager 2007
- Data Protection Manager
- Mobile Device Manager 2008

Identity & Access Management
- Active Directory Federation Services (ADFS)
- Certificate Lifecycle Management Services

Information Protection
- Encrypting File System (EFS)
- BitLocker™

Network Access Protection (NAP)

Forefront Stirling Management, spanning the layers: Client and Server OS; Server Applications; Edge
Next Generation Microsoft Forefront

Comprehensive line of business security products that helps you gain greater protection and secure access through deep integration and simplified management.
Microsoft Forefront Product Roadmap

Roadmap grid covering H1 2008, H2 2008 and H1 2009 for four product areas: Client and Server OS; Server Applications; Network Edge; Integrated Security System (Codename “Stirling”). Each cell on the slide carries a status marker of NEW, NEXT or BETA; which marker belongs to which cell is not recoverable from the extracted text.
SDL Pro Network
www.microsoft.com/sdl
Security service providers that specialize in application security and have been trained by Microsoft in the tools and guidance associated with its Security Development Lifecycle. These service providers will guide and support organizations - both large and small - in implementing the SDL in their environments.
SDL Optimization Model
www.microsoft.com/sdl
Created to facilitate gradual, consistent and cost-effective implementation of the SDL in development organizations outside of Microsoft. The model, which will be freely available for download in November, is based on the Microsoft IT Infrastructure and Application Platform Optimization models, which focus on leveraging IT as a driver of business value.
Microsoft SDL Threat Modelling
www.microsoft.com/sdl
Allows for early, structured analysis and proactive mitigation and tracking of potential security and privacy issues in new and existing applications. Due for release in November, this new, freely available tool will offer a threat modelling methodology that any software architect can lead effectively.
Microsoft Security Assessment Tool (MSAT)
www.microsoft.com/security/msat
The Microsoft Security Assessment Tool (MSAT) is a free tool designed to help organizations assess weaknesses in their current IT security environment, reveal a prioritized list of issues, and provide specific guidance to minimize those risks.
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.