Building Trustworthiness The Evolution of Secure Development. Glenn Pittaway and Alex Lucas Trustworthy Computing, Microsoft Corporation

Transcription

1 Building Trustworthiness The Evolution of Secure Development Glenn Pittaway and Alex Lucas Trustworthy Computing, Microsoft Corporation

2 Goals Provide an understanding of the Microsoft view of security trustworthiness Position Microsoft s secure development efforts against its software integrity work Set the scene for discussing implementing the Security Development Lifecycle Explain the evolution of Security in Microsoft How we are advancing security to get ahead

3 Trustworthiness Trustworthy, adj. Military Worthy of trust or confidence; reliable Oxford English Dictionary IT Financial Industrial Consumer The assurance measures priority given needed to different to establish address threats the trust predominant will depends also depend on threats the on perception that are wide perception of ranging threat

4 Supply Chain Complexity

5 Supply Chain Complexity

6 Security Development Lifecycle Sixteen core processes from Training through Release Integrates well with the existing Software Development Life Cycle (SDLC) Strong reliance on automation Includes activities for Architects, Program/Project Managers, Developers and QA/Testers Note: Response not generally considered part of the SDL but feeds into SDL Other non-development, post-release process requirements Root cause analysis of found vulnerabilities; failure of human, process, or automation Vulnerability analysis of similar applications Penetration Testing as appropriate

7 Security Software Development Integrity Lifecycle Software Integrity (Risk Based Approach) We evaluate threats within software development model and focus on areas of significant risk (e.g., people, process, technology) Resulting Control Categories Proof of Identity Access Management Development Process Controls Build Process Controls Malware Scanning Code Signing

8 Guiding Principles Establish multilateral models to address risks associated with unknown processes & safeguards

9 Trustworthy Computing Putting SDL and Science in context...

10 Protecting Microsoft customers across the lifecycle (in development, deployment & operations) Microsoft Security Response Center (MSRC) MSRC Ecosystem Product Life Cycle Conception Microsoft Security Engineering Center (MSEC) Security Science MSRC Operations Security Assurance MSRC Engineering SDL Microsoft Malware Protection Center (MMPC) Release Development Trustworthy Computing Security

11 History Formalized Security Response (MSRC) Security Culture embedded (SDL) Proactive Security Engineering & Testing Security Science & Engineering (MSEC)

12 Microsoft Security Engineering Center Draws together the proactive side of the TWC Security work. Covers guidance and policy Security Assessment (Penetration Testing, Security Design reviews etc). Science (Encompasses all teams, innovation and investment in products) Wide number of teams partnering to improve products by producing tools, guidance, generic improvements and surveying.

13 MSRC & MSRC Engineering Response External Security Issue management Finder communications Handle process from report to fix and follow-ups (blogs, webcasts etc) Incident Management Engineering Triage Vulnerabilities Variant Finding Guarantee Patch Quality Report Mitigations and Workarounds Share information with trusted parties (MAPP)

14 Threat Situation Today There are still vulnerabilities There are still security exploits There is still opportunity to use them It is still economically viable for criminals

15 Microsoft Today Shipping products have less bulletins They are harder to exploit Updating is more active Criminals increasingly attacking older versions and 3 rd Party applications.

16 The software vulnerability asymmetry problem Defender must fix all vulnerabilities in all software attacker wins by finding and exploiting just one vulnerability Threats change over time state-of-the-art in vulnerability finding and attack techniques changes over time Update deployment takes time vendor must offset risks to stability & compatibility, customer waits for servicing cycle Result: Attackers only have to find one vulnerability, and they get to use it for a really long time.

17 Exploit Economics We can decrease Attacker ROI if we are able to Increase attacker investment required to find usable vulnerabilities Remove entire classes of vulnerabilities where possible Focus on automation to scale human efforts Increase attacker investment required to write reliable exploits Build mitigations that add brittleness Make exploits impossible to write completely reliably Decrease attacker s opportunity to recover their investment Shrink window of vulnerability Fewer opportunities via artificial diversity Work on rapid detection & suppression of exploit usage Desired Result: Usable attacks will be rare and require significant engineering; working exploits will become scarce and valuable

18 Science and Innovation

19 Security Science 3 Key areas: Automated Vulnerability Finding Static Analysis, Fuzzing, etc. Mitigations Platform and Compiler Threat Landscape Observations and Improvements

20 Getting Ahead Science Investments address the asymmetry The SDL is updated to reflect new requirements Sharing knowledge and Tools advances others

21 More Information SDL Landing Page SAFECode Open Group OTTF

22 Спасибо за внимание! Thank you!