Security Development Security Development Lifecycle:Lifecycle:Changing the Software Development Changing the Software Development Process to build in Security from the startProcess to build in Security from the start

Security Development Security Development Lifecycle:Lifecycle:Changing the Software Development Changing the Software Development Process to build in Security from the startProcess to build in Security from the start

Eric BidstrupEric BidstrupEllen Cram KowalczykEllen Cram KowalczykSecurity Business and Technology UnitSecurity Business and Technology UnitMicrosoft CorporationMicrosoft Corporation

Microsoft’s Security FocusMicrosoft’s Security Focus

Origin Of Microsoft Origin Of Microsoft Security EffortsSecurity Efforts

Through Windows 2000 releaseThrough Windows 2000 releaseSecure Windows Initiative (SWI)Secure Windows Initiative (SWI)

Expert resource for consulting and code reviewsExpert resource for consulting and code reviews

Through Windows XP releaseThrough Windows XP releaseSWI as company wide resourceSWI as company wide resource

Security trainingSecurity trainingCommon toolsCommon toolsTeam-wide “security days”Team-wide “security days”

Introduction of Trustworthy ComputingIntroduction of Trustworthy ComputingWindows (and other) security pushesWindows (and other) security pushesFocused reviews of designs, code, penetration Focused reviews of designs, code, penetration resistanceresistance

Threat modelingThreat modelingCode inspectionCode inspectionPenetration testingPenetration testing

Unused features off by defaultUnused features off by defaultReduce attack surface areaReduce attack surface areaLeast PrivilegeLeast Privilege

Prescriptive guidancePrescriptive guidanceSecurity tools Security tools Training and educationTraining and education

Community engagementCommunity engagementTransparencyTransparencyClear policyClear policy

Framework for Better Framework for Better SecuritySecurity

Security Development Lifecycle addresses Security Development Lifecycle addresses Secure by Design, Secure by DefaultSecure by Design, Secure by Default

Engineering ExcellenceEngineering ExcellenceThe Security Development Lifecycle The Security Development Lifecycle (SDL)(SDL)A PROCESS by which Microsoft develops software, A PROCESS by which Microsoft develops software, that defines security requirements and milestonesthat defines security requirements and milestones

MANDATORY for products that are exposed to meaningful MANDATORY for products that are exposed to meaningful security risksecurity riskEVOLVING and new factors, such as privacy, are being addedEVOLVING and new factors, such as privacy, are being addedCOMPATIBLE with COTS product development processesCOMPATIBLE with COTS product development processesEFFECTIVE at addressing security issues; designed to EFFECTIVE at addressing security issues; designed to produce produce DEMONSTRATABLE RESULTS DEMONSTRATABLE RESULTS (not all methodologies (not all methodologies do this)do this)It has shown itself to be highly effective at reducing It has shown itself to be highly effective at reducing vulnerabilities in commercial softwarevulnerabilities in commercial software

In sum, the SDL puts Microsoft on path toward more In sum, the SDL puts Microsoft on path toward more secure softwaresecure software

Traditional Baseline Traditional Baseline ProcessProcess

Integrating SDL into the development processIntegrating SDL into the development process

Requirements Design Implementation Verification ReleaseSupport & Servicing

Functional Specifications

Design Specifications

Testing and Verification

Development of New Code

Bug fixes

Virus Scanning,

Code Signing,

and release processes

RTM

Alpha & Beta Pre releases

Feature Lists,Quality

Guidelines,Architecture Docs, andSchedules

Product SupportService Packs/

QFEsSecurity Updates

FinalSecurityReview

SecurityServicing

&ResponseExecution

PrepareSecurity

ResponsePlan

SecurityPushSecurity Kickoff

&Security

Requirements

Use SecurityDevelopment Tools

&Security Best

Dev & Test PracticesThreatModeling

SecurityDesign

BestPractices

CreateSecurity

DocumentationAnd Tools

For Product

Security Training

Pen Testing

Final Release Candidate

Product Code Complete

SecurityArchitecture

& Attack Surface Review

Threat Modeling

Complete and MitigationsReflected in

Specifications

Security Development Lifecycle Tasks and Processes

Traditional Microsoft Software Product Development Lifecycle Tasks and Process

Sign off onSecurity

Requirements&

Final Security Review

Requirements PhaseRequirements Phase

Opportunity to consider security at the Opportunity to consider security at the outsetoutsetSecure Windows Initiative (SWI) team Secure Windows Initiative (SWI) team assigns SWI Buddyassigns SWI BuddyDevelopment team identifies security Development team identifies security requirementsrequirementsSWI Buddy reviews product plan, makes SWI Buddy reviews product plan, makes recommendations, ensures resources recommendations, ensures resources allocated by managementallocated by managementSWI Buddy assesses security milestones SWI Buddy assesses security milestones and and exit criteriaexit criteria(NOTE: This SWI Buddy will stay with the (NOTE: This SWI Buddy will stay with the project through the Final Security Review)project through the Final Security Review)

DesignDesign

Design stageDesign stageDefine and document security architectureDefine and document security architecture

Identify security critical components (“trusted base”) Identify security critical components (“trusted base”)

Identify design techniques (e.g., layering, managed code, Identify design techniques (e.g., layering, managed code, least privilege, attack surface minimization)least privilege, attack surface minimization)

Document attack surface and limit through default Document attack surface and limit through default settingssettings

Create threat models (e.g., identify assets, interfaces, Create threat models (e.g., identify assets, interfaces, threats, risk) and mitigate threats through threats, risk) and mitigate threats through countermeasurescountermeasures

Identify specialized test toolsIdentify specialized test tools

Define supplemental ship criteria due to unique product Define supplemental ship criteria due to unique product issues (e.g., cross-site scripting tests)issues (e.g., cross-site scripting tests)

Confer with SWI Buddy on questionsConfer with SWI Buddy on questions

Exit criteria: Design review complete and signed Exit criteria: Design review complete and signed off by development team off by development team and and SWI BuddySWI Buddy

DevelopmentDevelopment

Apply coding and testing standards Apply coding and testing standards (e.g., safe string handling)(e.g., safe string handling)

Apply fuzz testing tools (structured Apply fuzz testing tools (structured invalid inputs to network protocol and invalid inputs to network protocol and file parsers)file parsers)

Apply static code analysis tools (to Apply static code analysis tools (to find, e.g., buffer overruns, integer find, e.g., buffer overruns, integer overruns, uninitialized variables)overruns, uninitialized variables)

Conduct code reviewsConduct code reviews

VerificationVerification

Software functionality complete Software functionality complete and enters Betaand enters BetaBecause code complete, testing both new Because code complete, testing both new and legacy codeand legacy codeSecurity PushSecurity Push

Security push is not a substitute for security Security push is not a substitute for security work during developmentwork during developmentSecurity push does provide an opportunity to Security push does provide an opportunity to focus on securityfocus on security

Code reviews Code reviews (especially legacy/unchanged code)(especially legacy/unchanged code)Penetration and other security testingPenetration and other security testingReview design, architecture, threat models in light of Review design, architecture, threat models in light of new threatsnew threats

Final Security Review Final Security Review (FSR)(FSR)

““From a security viewpoint, is this software From a security viewpoint, is this software ready to deliver to customers?” ready to deliver to customers?”

Two to six months prior to software completion, Two to six months prior to software completion, depending on the scope of the software.depending on the scope of the software.

Software must be in a stable state with only Software must be in a stable state with only minimal non-security changes expected minimal non-security changes expected prior to releaseprior to release

FSR results: If the FSR finds a pattern of FSR results: If the FSR finds a pattern of remaining vulnerabilities, the proper remaining vulnerabilities, the proper response is not just to fix the response is not just to fix the vulnerabilities found, but to revisit the vulnerabilities found, but to revisit the earlier phases and take pointed actions to earlier phases and take pointed actions to address root causes (e.g., improve address root causes (e.g., improve training, enhance tools)training, enhance tools)

Final Security Review Final Security Review (FSR)(FSR)

What is in the FSR? What is in the FSR? Completion of a questionnaire by Completion of a questionnaire by the product teamthe product team

Interview by a security team member assigned Interview by a security team member assigned to the FSRto the FSR

Review of bugs that were initially identified as Review of bugs that were initially identified as security bugs, but on further analysis were security bugs, but on further analysis were determined not to have impact on security, to determined not to have impact on security, to ensure that the analysis was done correctlyensure that the analysis was done correctly

Analysis of any newly reported vulnerabilities Analysis of any newly reported vulnerabilities affecting similar software to check for resiliencyaffecting similar software to check for resiliency

Additional penetration testing, possibly by Additional penetration testing, possibly by outside contractors to supplement security outside contractors to supplement security teamteam

Response PhaseResponse Phase

Microsoft Security Response CenterMicrosoft Security Response Center

Sustained Engineering TeamsSustained Engineering Teams

Patch ManagementPatch Management

Post Mortems and feedback to the Post Mortems and feedback to the SDLSDL

Education For The SDLEducation For The SDL

New employees do not arrive with ability to New employees do not arrive with ability to develop secure softwaredevelop secure software

Microsoft trains staff as a part of New Employee Microsoft trains staff as a part of New Employee OrientationOrientationMicrosoft trains staff as part of a security pushMicrosoft trains staff as part of a security pushMicrosoft trains developers, testers, program Microsoft trains developers, testers, program managers, user education staff and managers, user education staff and architects annuallyarchitects annuallyMicrosoft funds academic curriculum Microsoft funds academic curriculum development through Microsoft Researchdevelopment through Microsoft ResearchMicrosoft publishes material on writing secure Microsoft publishes material on writing secure code, threat modeling, and SDL (pending) and code, threat modeling, and SDL (pending) and offers courses (see offers courses (see http://www.microsoft.com/learninghttp://www.microsoft.com/learning) )

Education ResourcesEducation Resources

Source: Microsoft Security Bulletin Search

SDL Results: Windows SDL Results: Windows 20032003

Affecting Office 2003 Affecting Office 2003 All Office Bulletins since All Office Bulletins since ship 8/03ship 8/03

1212

44

Office Bulletins since Office 2003 shipped (Aug 2003)

Bulletins after August 2003:Bulletins after August 2003:

(* affected Office 2003)(* affected Office 2003)• September: MS03-035, MS03-

036, MS03-037, MS03-038• November: MS03-050November: MS03-050

20042004

•• October: MS04-033October: MS04-033

•• September: MS04-028* (GDI+ September: MS04-028* (GDI+ issue) … issue) …

•• September: MS04-027* September: MS04-027* (WordPerfect converter)(WordPerfect converter)

•• March: MS04-009March: MS04-009

20052005

•• February: MS05-005February: MS05-005• February: MS05-012*February: MS05-012*

(OLE issue) …(OLE issue) …

•• April: MS05-023*April: MS05-023*

(Word buffer overflow)(Word buffer overflow)

SDL Results: Office 2003SDL Results: Office 2003

SDL Results: SQL ServerSDL Results: SQL Server

SQL Server 2000 SQL Server 2000 2002-2005 (YTD)2002-2005 (YTD)

SDL Results: IIS 4.0, 5.0, 5.1, SDL Results: IIS 4.0, 5.0, 5.1, 6.06.0

IIS 4.0, 5.0, 5.1, 6.0 IIS 4.0, 5.0, 5.1, 6.0 2002-2005 (YTD)2002-2005 (YTD)

SDL Results: ExchangeSDL Results: Exchange

Exchange 5.0, 5.5, 2000, 2003 Exchange 5.0, 5.5, 2000, 2003 2002-2005 (YTD)2002-2005 (YTD)

DiscussionDiscussionDiscussionDiscussion

© 2005 Microsoft Corporation. All rights reserved.© 2005 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.