MS ACE Team Security in Code (SDL-IT) - PowerPoint PPT Presentation
Presentation Transcript

MS ACE Team
Security in Code (SDL-IT)
Simon Roses Femerling
ACE Team - Microsoft
Security Technologist
simonros@microsoft.com

Who am I?
  • Security Technologist on the ACE Team
  • Formerly: PwC, @Stake, among others…
  • Bachelor's degree in Computer Science and a postgraduate degree in Technology from Harvard University.
  • Years of active participation in the security industry, OWASP Project Leader, etc.
Contents
  • SDL-IT (Security Development Lifecycle)
  • ACE Team
  • SDL-IT conclusions
SDL-IT Fundamentals
Vision: a secure platform strengthened by security products, services and guidance to help keep customers safe
  • Excellence in fundamentals
  • Security innovations
  • Scenario-based content and tools
  • Authoritative incident response
  • Awareness and education
  • Collaboration and partnership

Microsoft SDL-IT (I)
  • Requirements
    • Product Inception
    • Assign resource
    • Security plan
    • Security Docs & Tools
    • Customer deliverables for secure deployment
  • Design
    • Guidelines & Best Practices
    • Design guidelines applied
    • Security architecture
    • Security design review
    • Ship criteria agreed upon
    • Threat Modeling: Models created; Mitigations in design and functional specs
  • Implementation
    • Coding Standards
    • Testing based on threat models
    • Tool usage
    • Security Push: Security push training; Review threat models; Review code; Attack testing; Review against new threats; Meet signoff criteria
  • Verification
    • Final Security Review (FSR): Review threat models; Penetration Testing; Archiving of Compliance Info
  • Release
    • RTM & Deployment: Signoff
  • Response
    • Security Response: Feedback loop - Tools/Processes - Postmortems - SRLs

Microsoft SDL-IT (II)
  • Process
    • Defines security requirements and milestones
    • MANDATORY if exposed to meaningful security risks
    • Requires response and service planning
    • Includes Final Security Review (FSR) and Sign-off
  • Education
    • Mandatory annual training – internal trainers
    • BlueHat – external speakers on current trends
    • Publish guidance on writing secure code, threat modeling and SDL, as well as courses
  • Accountability
    • In-process metrics to provide early warning
    • Post-release metrics assess final payoff (# of vulns)
    • Training compliance for team and individuals

Diagram labels: Microsoft Product Development Lifecycle / Microsoft Security Development Lifecycle

Introduction to the ACE Team
  • ACE = Application Consulting & Engineering
  • Mission: provider of security and performance services both inside and outside Microsoft.
  • Over the last 5 years it has delivered:
    • 3000+ security and performance assessments
    • > 50,000 security and performance vulnerabilities documented and fixed
    • A strong R&D group in continuous evolution.
ACE Team Services
  • Application Security
    • Threat Modeling & Design Reviews
    • Security Code Reviews
    • Security Process Integration
    • Security Guidance & Prototype Development
  • Infrastructure Security
    • Technical Compliance Management
  • Application Performance Tuning
    • Performance assessments
  • Training: Security & Performance
Symantec
  • “With the advent of Vista and the continued use of the Security Development Lifecycle, it is likely that Microsoft-authored code will become more difficult to exploit. As a result, attackers may turn their focus to common third-party applications that are authored by companies that have not employed the Security Development Lifecycle or other secure development practices, and, therefore, may be less secure.”

http://www.symantec.com/enterprise/security_response/weblog/2007/03/future_watch_predicting_the_co.html

Chema Alonso
Informática 64
Security MVP
chema@informatica64.com

Simon Roses Femerling
ACE Team - Microsoft
Security Technologist
simonros@microsoft.com

References
  • MS SDL-IT
    • http://www.microsoft.com/technet/itshowcase/content/mssecbp.mspx
  • Application Threat Modeling
    • http://msdn2.microsoft.com/en-us/security/aa570413.aspx
  • MS ACE Team Blog
    • http://blogs.msdn.com/ace_team/