
MS ACE Team: Security in Code (SDL-IT)

MS ACE Team: Security in Code (SDL-IT). Simon Roses Femerling. ACE Team - Microsoft Security Technologist simonros@microsoft.com. Who am I? Security Technologist on the ACE Team. Formerly: PwC, @Stake, among others…

Faraday

Presentation Transcript


  1. MS ACE Team: Security in Code (SDL-IT)
     Simon Roses Femerling, ACE Team - Microsoft Security Technologist, simonros@microsoft.com

  2. Who am I?
     • Security Technologist on the ACE Team
     • Formerly: PwC, @Stake, among others…
     • Degree in Computer Science and postgraduate degree in Technology from Harvard University.
     • Years of active participation in the security industry, OWASP Project Lead, etc.

  3. Contents
     • SDL-IT (Security Development Lifecycle)
     • ACE Team
     • SDL-IT conclusions

  4. SDL-IT (Security Development Lifecycle)

  5. SDL-IT fundamentals
     Vision: A secure platform strengthened by security products, services and guidance to help keep customers safe
     • Excellence in fundamentals
     • Security innovations
     • Scenario-based content and tools
     • Authoritative incident response
     • Awareness and education
     • Collaboration and partnership

  6. Microsoft SDL-IT (I)
     [Diagram: the SDL-IT process across the phases Requirements, Design, Implementation, Verification, Release and Response. Activities labelled in the diagram include Guidelines & Best Practices, Coding Standards, Threat Modeling, Security design review, Security Push, Attack testing, Penetration Testing, Final Security Review (FSR), Signoff and Postmortems.]

  7. Microsoft SDL-IT (II)
     Process
     • Defines security requirements and milestones
     • MANDATORY if exposed to meaningful security risks
     • Requires response and service planning
     • Includes Final Security Review (FSR) and Sign-off
     Education
     • Mandatory annual training – internal trainers
     • BlueHat – external speakers on current trends
     • Publish guidance on writing secure code, threat modeling and SDL; as well as courses
     Accountability
     • In-process metrics to provide early warning
     • Post-release metrics assess final payoff (# of vulns)
     • Training compliance for team and individuals
     [Diagram labels: Microsoft Product Development Lifecycle; Microsoft Security Development Lifecycle]

  8. ACE Team

  9. Introduction to the ACE Team
     • ACE = Application Consulting & Engineering (ACE)
     • Mission: provider of security and performance services, internally and externally, at Microsoft.
     • In the last 5 years it has carried out:
       • 3000+ security and performance audits
       • > 50,000 security and performance vulnerabilities documented and fixed
     • Strong R&D group in continuous evolution.

  10. ACE Team services
     • Application Security
     • Threat Modeling & Design Reviews
     • Security Code Reviews
     • Security Process Integration
     • Security Guidance & Prototype Development
     • Infrastructure Security
     • Technical Compliance Management
     • Application Performance Tuning
     • Performance assessments
     • Training: Security & Performance

  11. Threat Analysis & Modeling (TAM)

  12. SDL-IT conclusions

  13. Symantec
     • “With the advent of Vista and the continued use of the Security Development Lifecycle, it is likely that Microsoft-authored code will become more difficult to exploit. As a result, attackers may turn their focus to common third-party applications that are authored by companies that have not employed the Security Development Lifecycle or other secure development practices, and, therefore, may be less secure.”
       http://www.symantec.com/enterprise/security_response/weblog/2007/03/future_watch_predicting_the_co.html

  14. Chema Alonso Informática 64 MVP Seguridad chema@informatica64.com Simon Roses Femerling ACE Team - Microsoft Security Technologist simonros@microsoft.com

  15. References
     • MS SDL-IT: http://www.microsoft.com/technet/itshowcase/content/mssecbp.mspx
     • Application Threat Modeling: http://msdn2.microsoft.com/en-us/security/aa570413.aspx
     • MS ACE Team Blog: http://blogs.msdn.com/ace_team/