security development lifecycle: changing the software development process to build in security from...
TRANSCRIPT
Security Development Security Development Lifecycle:Lifecycle:Changing the Software Development Changing the Software Development Process to build in Security from the startProcess to build in Security from the start
Security Development Security Development Lifecycle:Lifecycle:Changing the Software Development Changing the Software Development Process to build in Security from the startProcess to build in Security from the start
Eric BidstrupEric BidstrupEllen Cram KowalczykEllen Cram KowalczykSecurity Business and Technology UnitSecurity Business and Technology UnitMicrosoft CorporationMicrosoft Corporation
Microsoft’s Security FocusMicrosoft’s Security Focus
Origin Of Microsoft Origin Of Microsoft Security EffortsSecurity Efforts
Through Windows 2000 releaseThrough Windows 2000 releaseSecure Windows Initiative (SWI)Secure Windows Initiative (SWI)
Expert resource for consulting and code reviewsExpert resource for consulting and code reviews
Through Windows XP releaseThrough Windows XP releaseSWI as company wide resourceSWI as company wide resource
Security trainingSecurity trainingCommon toolsCommon toolsTeam-wide “security days”Team-wide “security days”
Introduction of Trustworthy ComputingIntroduction of Trustworthy ComputingWindows (and other) security pushesWindows (and other) security pushesFocused reviews of designs, code, penetration Focused reviews of designs, code, penetration resistanceresistance
Threat modelingThreat modelingCode inspectionCode inspectionPenetration testingPenetration testing
Unused features off by defaultUnused features off by defaultReduce attack surface areaReduce attack surface areaLeast PrivilegeLeast Privilege
Prescriptive guidancePrescriptive guidanceSecurity tools Security tools Training and educationTraining and education
Community engagementCommunity engagementTransparencyTransparencyClear policyClear policy
Framework for Better Framework for Better SecuritySecurity
Security Development Lifecycle addresses Security Development Lifecycle addresses Secure by Design, Secure by DefaultSecure by Design, Secure by Default
Engineering ExcellenceEngineering ExcellenceThe Security Development Lifecycle The Security Development Lifecycle (SDL)(SDL)A PROCESS by which Microsoft develops software, A PROCESS by which Microsoft develops software, that defines security requirements and milestonesthat defines security requirements and milestones
MANDATORY for products that are exposed to meaningful MANDATORY for products that are exposed to meaningful security risksecurity riskEVOLVING and new factors, such as privacy, are being addedEVOLVING and new factors, such as privacy, are being addedCOMPATIBLE with COTS product development processesCOMPATIBLE with COTS product development processesEFFECTIVE at addressing security issues; designed to EFFECTIVE at addressing security issues; designed to produce produce DEMONSTRATABLE RESULTS DEMONSTRATABLE RESULTS (not all methodologies (not all methodologies do this)do this)It has shown itself to be highly effective at reducing It has shown itself to be highly effective at reducing vulnerabilities in commercial softwarevulnerabilities in commercial software
In sum, the SDL puts Microsoft on path toward more In sum, the SDL puts Microsoft on path toward more secure softwaresecure software
Traditional Baseline Traditional Baseline ProcessProcess
Integrating SDL into the development processIntegrating SDL into the development process
Requirements Design Implementation Verification ReleaseSupport & Servicing
Functional Specifications
Design Specifications
Testing and Verification
Development of New Code
Bug fixes
Virus Scanning,
Code Signing,
and release processes
RTM
Alpha & Beta Pre releases
Feature Lists,Quality
Guidelines,Architecture Docs, andSchedules
Product SupportService Packs/
QFEsSecurity Updates
FinalSecurityReview
SecurityServicing
&ResponseExecution
PrepareSecurity
ResponsePlan
SecurityPushSecurity Kickoff
&Security
Requirements
Use SecurityDevelopment Tools
&Security Best
Dev & Test PracticesThreatModeling
SecurityDesign
BestPractices
CreateSecurity
DocumentationAnd Tools
For Product
Security Training
Pen Testing
Final Release Candidate
Product Code Complete
SecurityArchitecture
& Attack Surface Review
Threat Modeling
Complete and MitigationsReflected in
Specifications
Security Development Lifecycle Tasks and Processes
Traditional Microsoft Software Product Development Lifecycle Tasks and Process
Sign off onSecurity
Requirements&
Final Security Review
Requirements PhaseRequirements Phase
Opportunity to consider security at the Opportunity to consider security at the outsetoutsetSecure Windows Initiative (SWI) team Secure Windows Initiative (SWI) team assigns SWI Buddyassigns SWI BuddyDevelopment team identifies security Development team identifies security requirementsrequirementsSWI Buddy reviews product plan, makes SWI Buddy reviews product plan, makes recommendations, ensures resources recommendations, ensures resources allocated by managementallocated by managementSWI Buddy assesses security milestones SWI Buddy assesses security milestones and and exit criteriaexit criteria(NOTE: This SWI Buddy will stay with the (NOTE: This SWI Buddy will stay with the project through the Final Security Review)project through the Final Security Review)
DesignDesign
Design stageDesign stageDefine and document security architectureDefine and document security architecture
Identify security critical components (“trusted base”) Identify security critical components (“trusted base”)
Identify design techniques (e.g., layering, managed code, Identify design techniques (e.g., layering, managed code, least privilege, attack surface minimization)least privilege, attack surface minimization)
Document attack surface and limit through default Document attack surface and limit through default settingssettings
Create threat models (e.g., identify assets, interfaces, Create threat models (e.g., identify assets, interfaces, threats, risk) and mitigate threats through threats, risk) and mitigate threats through countermeasurescountermeasures
Identify specialized test toolsIdentify specialized test tools
Define supplemental ship criteria due to unique product Define supplemental ship criteria due to unique product issues (e.g., cross-site scripting tests)issues (e.g., cross-site scripting tests)
Confer with SWI Buddy on questionsConfer with SWI Buddy on questions
Exit criteria: Design review complete and signed Exit criteria: Design review complete and signed off by development team off by development team and and SWI BuddySWI Buddy
DevelopmentDevelopment
Apply coding and testing standards Apply coding and testing standards (e.g., safe string handling)(e.g., safe string handling)
Apply fuzz testing tools (structured Apply fuzz testing tools (structured invalid inputs to network protocol and invalid inputs to network protocol and file parsers)file parsers)
Apply static code analysis tools (to Apply static code analysis tools (to find, e.g., buffer overruns, integer find, e.g., buffer overruns, integer overruns, uninitialized variables)overruns, uninitialized variables)
Conduct code reviewsConduct code reviews
VerificationVerification
Software functionality complete Software functionality complete and enters Betaand enters BetaBecause code complete, testing both new Because code complete, testing both new and legacy codeand legacy codeSecurity PushSecurity Push
Security push is not a substitute for security Security push is not a substitute for security work during developmentwork during developmentSecurity push does provide an opportunity to Security push does provide an opportunity to focus on securityfocus on security
Code reviews Code reviews (especially legacy/unchanged code)(especially legacy/unchanged code)Penetration and other security testingPenetration and other security testingReview design, architecture, threat models in light of Review design, architecture, threat models in light of new threatsnew threats
Final Security Review Final Security Review (FSR)(FSR)
““From a security viewpoint, is this software From a security viewpoint, is this software ready to deliver to customers?” ready to deliver to customers?”
Two to six months prior to software completion, Two to six months prior to software completion, depending on the scope of the software.depending on the scope of the software.
Software must be in a stable state with only Software must be in a stable state with only minimal non-security changes expected minimal non-security changes expected prior to releaseprior to release
FSR results: If the FSR finds a pattern of FSR results: If the FSR finds a pattern of remaining vulnerabilities, the proper remaining vulnerabilities, the proper response is not just to fix the response is not just to fix the vulnerabilities found, but to revisit the vulnerabilities found, but to revisit the earlier phases and take pointed actions to earlier phases and take pointed actions to address root causes (e.g., improve address root causes (e.g., improve training, enhance tools)training, enhance tools)
Final Security Review Final Security Review (FSR)(FSR)
What is in the FSR? What is in the FSR? Completion of a questionnaire by Completion of a questionnaire by the product teamthe product team
Interview by a security team member assigned Interview by a security team member assigned to the FSRto the FSR
Review of bugs that were initially identified as Review of bugs that were initially identified as security bugs, but on further analysis were security bugs, but on further analysis were determined not to have impact on security, to determined not to have impact on security, to ensure that the analysis was done correctlyensure that the analysis was done correctly
Analysis of any newly reported vulnerabilities Analysis of any newly reported vulnerabilities affecting similar software to check for resiliencyaffecting similar software to check for resiliency
Additional penetration testing, possibly by Additional penetration testing, possibly by outside contractors to supplement security outside contractors to supplement security teamteam
Response PhaseResponse Phase
Microsoft Security Response CenterMicrosoft Security Response Center
Sustained Engineering TeamsSustained Engineering Teams
Patch ManagementPatch Management
Post Mortems and feedback to the Post Mortems and feedback to the SDLSDL
Education For The SDLEducation For The SDL
New employees do not arrive with ability to New employees do not arrive with ability to develop secure softwaredevelop secure software
Microsoft trains staff as a part of New Employee Microsoft trains staff as a part of New Employee OrientationOrientationMicrosoft trains staff as part of a security pushMicrosoft trains staff as part of a security pushMicrosoft trains developers, testers, program Microsoft trains developers, testers, program managers, user education staff and managers, user education staff and architects annuallyarchitects annuallyMicrosoft funds academic curriculum Microsoft funds academic curriculum development through Microsoft Researchdevelopment through Microsoft ResearchMicrosoft publishes material on writing secure Microsoft publishes material on writing secure code, threat modeling, and SDL (pending) and code, threat modeling, and SDL (pending) and offers courses (see offers courses (see http://www.microsoft.com/learninghttp://www.microsoft.com/learning) )
Education ResourcesEducation Resources
Source: Microsoft Security Bulletin Search
SDL Results: Windows SDL Results: Windows 20032003
Affecting Office 2003 Affecting Office 2003 All Office Bulletins since All Office Bulletins since ship 8/03ship 8/03
1212
44
Office Bulletins since Office 2003 shipped (Aug 2003)
Bulletins after August 2003:Bulletins after August 2003:
(* affected Office 2003)(* affected Office 2003)• September: MS03-035, MS03-
036, MS03-037, MS03-038• November: MS03-050November: MS03-050
20042004
•• October: MS04-033October: MS04-033
•• September: MS04-028* (GDI+ September: MS04-028* (GDI+ issue) … issue) …
•• September: MS04-027* September: MS04-027* (WordPerfect converter)(WordPerfect converter)
•• March: MS04-009March: MS04-009
20052005
•• February: MS05-005February: MS05-005• February: MS05-012*February: MS05-012*
(OLE issue) …(OLE issue) …
•• April: MS05-023*April: MS05-023*
(Word buffer overflow)(Word buffer overflow)
SDL Results: Office 2003SDL Results: Office 2003
SDL Results: SQL ServerSDL Results: SQL Server
SQL Server 2000 SQL Server 2000 2002-2005 (YTD)2002-2005 (YTD)
SDL Results: IIS 4.0, 5.0, 5.1, SDL Results: IIS 4.0, 5.0, 5.1, 6.06.0
IIS 4.0, 5.0, 5.1, 6.0 IIS 4.0, 5.0, 5.1, 6.0 2002-2005 (YTD)2002-2005 (YTD)
SDL Results: ExchangeSDL Results: Exchange
Exchange 5.0, 5.5, 2000, 2003 Exchange 5.0, 5.5, 2000, 2003 2002-2005 (YTD)2002-2005 (YTD)
DiscussionDiscussionDiscussionDiscussion
© 2005 Microsoft Corporation. All rights reserved.© 2005 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.