owasp sdl it
TRANSCRIPT
8/10/2019 Owasp Sdl It
http://slidepdf.com/reader/full/owasp-sdl-it 1/23
Microsoft Security DevelopmentLifecycle for IT
Rob Labbé
Application Consulting and Engineering [email protected]
8/10/2019 Owasp Sdl It
http://slidepdf.com/reader/full/owasp-sdl-it 2/23
The Reasons for Secure Software
• Data can be stolen by attackers
• Data can be corrupted by viruses• Data can be lost or corrupted by
employees
• IT Systems can be used by attackers
• To send Spam, viruses, or launch
other attacks from• IT Systems can be crashed by attackers
There are
manythreats to
data andsystems
8/10/2019 Owasp Sdl It
http://slidepdf.com/reader/full/owasp-sdl-it 3/23
Application Layer = Weak Point
• Attackers target the weakest point. The OSLayer and Network layer are too hard now
• On Average over 70% of IT security budget is
spent on Infrastructure, yet over 75% of attackshappen at the Application level
• According to Microsoft research, only 1/3 ofdevelopers are confident that they write secure
code• The focus must be on hardening the
application layer
8/10/2019 Owasp Sdl It
http://slidepdf.com/reader/full/owasp-sdl-it 4/23
Reasons for IT Security• Card Services - A Real World Example
• $10 Million a month in revenue
• Processed credit cards for American Express, MasterCard, and VISA
• They Lost 40 Million records to hacking• Government imposed heavy fines
• Subject to audits every 6 months for 20 years
• Amex, Master Card and Visa dropped them• A $10 Million a month company destroyed
8/10/2019 Owasp Sdl It
http://slidepdf.com/reader/full/owasp-sdl-it 8/23
Purpose of the SDL• Inventory and assess applications• Identify and ensure resolution of
security/privacy vulnerabilities found in those
applications• Enable Application Risk Management:
• Strategic
• Tactical
• Operational
• Legal
8/10/2019 Owasp Sdl It
http://slidepdf.com/reader/full/owasp-sdl-it 9/23
The SDL is NOT Optional
• At Microsoft all line-of-businessapplication teams must go through SDL-IT,All shrink-wrapped products must go
through the SDL• If they fail to do so, they cannot go into
production
• Enforcement of the SDL-IT processattributes to it’s success
8/10/2019 Owasp Sdl It
http://slidepdf.com/reader/full/owasp-sdl-it 10/23
Visibly Measure the Process
• Have internally visible score cards
• Have contests to see if you can find bugs
and offer prizes• Offer incentives to teams with the best
security records (no cheating!)
8/10/2019 Owasp Sdl It
http://slidepdf.com/reader/full/owasp-sdl-it 11/23
SDL aligns with SDLC
SDLC
SDL-IT
Envision
Application
Entry / Risk
Assessment
Threat
Model /
Design
Review
Design
Internal
Review
Develop /
Purchase
Pre-Production
Assessment
Test Release /
Sustainment
Post-
Production
Assessment
8/10/2019 Owasp Sdl It
http://slidepdf.com/reader/full/owasp-sdl-it 12/23
Application Entry / Risk Assessment
• Objective:• Application Inventory
• Determine Application Risk Categorization• High Risk Security/Privacy Release
• Medium Risk Security/Privacy Release
• Low Risk Security/Privacy Release
Threat Model /Design Review
Internal Review
Pre-Production
Assessment
Post-Product ion
Assessment App Entry
8/10/2019 Owasp Sdl It
http://slidepdf.com/reader/full/owasp-sdl-it 13/23
Threat Model / Design Review
• Objective:• Threat modeling provides a consistent methodology for objectively evaluating threats to
applications.
• Review application design to verify compliance with security standards and best practices
• Verify application meets application principles
• Confidentiality
• Integrity
• Authentication
• Authorization
• Availability
• Non-repudiation
Threat Model / Design Review
Internal Review
Pre-ProductionAssessment
Post-Product ion
Assessment
App Entry
8/10/2019 Owasp Sdl It
http://slidepdf.com/reader/full/owasp-sdl-it 14/23
Internal Review
• Review security checklist/policy site
• Team conducts ‘self’ code review and attack and
penetration testing
Threat Model /
Design Review
Internal Review
Pre-Production
Assessment
Post-Product ion
Assessment App Entry
8/10/2019 Owasp Sdl It
http://slidepdf.com/reader/full/owasp-sdl-it 15/23
Pre-Production Assessment
• Objective:• Low Risk Applications
•Host Level Scan• Windows• IIS• SQL
• High/Medium Risk Applications• Host Level Scan•
White Box Code Review
Threat Model /Design Review
Internal Review
Pre-Product ion
Assessment
Post-Product ion
Assessment App Entry
8/10/2019 Owasp Sdl It
http://slidepdf.com/reader/full/owasp-sdl-it 16/23
White Box Code Review
• Process• Application team provides source code
• Analysts review application code
uncovering security vulnerabilities
• Vulnerabilities logged in bug database
• Application team required to address allsev 1 bugs prior to going intoproduction
8/10/2019 Owasp Sdl It
http://slidepdf.com/reader/full/owasp-sdl-it 17/23
Some common attack patterns
white box review may reveal• Cross-Site Script Vulnerabilities
• SQL Injection
• Buffer Overflow• Poor Authorization Controls
• Secrets Stored In Clear Text
8/10/2019 Owasp Sdl It
http://slidepdf.com/reader/full/owasp-sdl-it 18/23
Post-Production Assessment
• Objective:
• High/Medium/Low Risk Applications
• Host Level Scan
• Windows
• IIS
•SQL
Threat Model /Design Review
Internal Review
Pre-Production
Assessment
Post-Product ion
Assessment
App Entry
8/10/2019 Owasp Sdl It
http://slidepdf.com/reader/full/owasp-sdl-it 19/23
Conclusion
• The need for security is obvious, we have toprotect the company and our customers
• To do that we need
• Management Support• Secure Development Life Cycles
• Developers trained in secure development
• A Security First attitude!
8/10/2019 Owasp Sdl It
http://slidepdf.com/reader/full/owasp-sdl-it 20/23
Conclusions
• Continuous improvement of the process• Invest time in upfront activities:
• Threat Modeling
• Design Reviews• A holistic view
• People
•Process
• Tools
• It may seem hard to get started – ask for help!
People: Providing gu idance on
secure appl icat ion development
Tools: Providing the
most inno vat ive tools
Process: Securi ty
cannot be an
af ter thought
8/10/2019 Owasp Sdl It
http://slidepdf.com/reader/full/owasp-sdl-it 21/23
Call To Action
• Implement a Secure Development Lifecycle• Create more secure and reliable software
• Build Trust!
8/10/2019 Owasp Sdl It
http://slidepdf.com/reader/full/owasp-sdl-it 22/23
Resources
• ACE Team Blog:• http://blogs.msdn.com/ace_team/default.aspx
• Threat Modeling Tool
• http://go.microsoft.com/fwlink?linkid=77002• Threat Modeling Blog:
• http://blogs.msdn.com/threatmodeling/
• Rob Labbé’s Blog:• http://blogs.msdn.com/roblabbe/default.aspx
8/10/2019 Owasp Sdl It
http://slidepdf.com/reader/full/owasp-sdl-it 23/23
© 2006 Microsoft Corporation. All rights reserved. Microsoft Windows Windows Vista and other product names are or may be regis tered
trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this
presentation. Because Microsoft must respond to changing market conditions i t should not be interpreted to be a commitment on the part
of Microsoft and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES EXPRESS IMPLIED OR STATUTORY AS TO THE INFORMATION IN THIS PRESENTATION.