Keynote: Frank Fischer, Manager Technology Consulting, Microsoft Deutschland GmbH
Presentation Transcript

Keynote
Frank Fischer
Manager Technology Consulting
Microsoft Deutschland GmbH


Keynote

Thomas Caspers

Bundesamt für Sicherheit in der Informationstechnik

Frank Fischer

Manager Technology Consulting

Microsoft Deutschland GmbH

[email protected]



Agenda

  • Security: where do we stand today?

    • From the German perspective: Thomas Caspers, Bundesamt für Sicherheit in der Informationstechnik

    • From Microsoft's perspective: today and tomorrow



  • Examples:

    • Phishing

    • SQL Injection

    • Buffer Overflow

    • Sniffing

    • „Ping of Death“

What is at stake? Everything.

Layers shown on the slide: Communication, User, Application, Application platform, Hardware



Der Spiegel

Two lines of code… (Blaster)

  • Two lines of C code in RPCSS (see Dirk Primbs' talk)

  • Led to…

    • >1,500,000 infected machines (ouch!!)

    • >3,300,000 support calls in Sept. 2003 (for comparison: a “normal” virus causes 350,000)

    • A lot of negative press

      • “This [is] going to raise the level of frustration to the point where a lot of organizations will seriously contemplate alternatives to Microsoft.” (Gartner)

      • “There's definitely caution warranted here. [Microsoft's security] efforts were sincere, but I am not sure if they were sincere enough.” (Forrester)



SANS NewsBites Vol3/19 (2001)

Steve Ballmer, Microsoft's CEO, walked into a meeting with a dozen customers a few days ago and said disgustedly, "You would think we could figure out how to fix buffer overflows by now." …

Steve is right about buffer overflows. Enough is enough. It is time to bring accountability to the programming profession. We hope that Microsoft will take the lead, guaranteeing all its internal programmers get basic secure programming skills training and that the company helps train developers outside of Microsoft.

Programmers have been taught simple tests to avoid buffer overflows at least since 1960. Some of them have forgotten the basics. It's time to give them a reason to remember.
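The two slides above only name the defect class (a buffer overflow in two lines of C in RPCSS) and the "simple tests" that prevent it, without showing either. The following is an added illustration written for this page; it is not from the presentation and is not the RPCSS code. The `handle_request` function and its 16-byte `NAME_CAPACITY` buffer are constructed for the example. It shows the bounds check that the unsafe pattern (an unchecked copy into a fixed-size stack buffer) leaves out: the input length is measured against the destination's capacity first, and input that does not fit is rejected rather than written.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example, not from the presentation and not the RPCSS code.
 * Demonstrates the bounds check that prevents a stack buffer overflow:
 * refuse input that does not fit the destination instead of copying blindly. */

/* Length of src, scanning at most `limit` bytes, so an input that is
 * missing its terminating NUL cannot make the scan run past the limit. */
static size_t bounded_len(const char *src, size_t limit) {
    size_t n = 0;
    while (n < limit && src[n] != '\0') {
        n++;
    }
    return n;
}

/* Copy src into dst, whose capacity is dst_size bytes (including the NUL).
 * Returns true on success, false if the input would not fit. */
bool copy_bounded(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0) {
        return false;
    }
    size_t len = bounded_len(src, dst_size);  /* never reads more than dst_size bytes of src */
    if (len >= dst_size) {
        return false;  /* no room for the terminating NUL: copying would overflow */
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return true;
}

/* Toy request handler with a fixed-size name buffer (constructed for the example).
 * The unsafe pattern this replaces is an unchecked strcpy(name_buf, name).
 * Returns the accepted name length, or -1 when the request is rejected. */
#define NAME_CAPACITY 16
int handle_request(const char *name) {
    char name_buf[NAME_CAPACITY];
    if (!copy_bounded(name_buf, sizeof name_buf, name)) {
        return -1;  /* oversize (or missing) input is rejected before anything is written */
    }
    return (int)strlen(name_buf);
}
```

The point of the check is that the capacity of the destination, not the length of the attacker-controlled source, decides how much is copied; a name of 15 characters is accepted, a name of 16 or more is refused because the terminating NUL would land outside the buffer.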


What should one be allowed to expect from Microsoft…

Borrowed from Dr. Jürjens, TU München




A few simple ground rules

SD3 + Communications

  • Secure by Design

    • Secure architecture

    • “Threat Modeling”

    • Improving code quality

  • Secure by Default

    • Reducing the attack surface

    • Switching off unused features

    • Paying attention to minimal privileges

  • Secure in Deployment

    • Protect, detect, defend, recover, manage

    • Process: “How to’s”, architecture guidelines

    • People: training

  • Communications

    • Clear statements on security

    • Excellent documentation

    • Microsoft Security Response Center


Progress??

Figures shown on the slide: 42, 13, 365



Visual Studio Modeler…

Diagram on the slide: Visual Studio 2005 Professional with Visual Studio Team Architect, Visual Studio Team Developer, Visual Studio Team Test and Visual Studio Team Foundation (Team Foundation Client, Visual Studio Industry Partners), covering: Logical Infra. Modeling, Deployment Modeling, Application Modeling, Class Modeling, Visio and UML Modeling, Code Profiler, Static Code Analyzer, Dynamic Code Analyzer, Code Coverage, Unit Testing, Load Testing, Manual Testing, Test Case Management, Integration Services, Project Management, Project Site, Reporting, Work Item Tracking, Change Management, Process and Architecture Guidance.


In the future…

  • Towards the end user: Project Strider (MS Research) http://research.microsoft.com/csm/

  • Towards tools: Project Gleipnir http://research.microsoft.com/research/sv/Gleipnir/

  • Towards malware defense: Project Shield http://research.microsoft.com/research/shield/


Practical example: SDL and MSN

“Build it”

Deploy

“Run it”


Stage

  • Involvement of the operations team

  • Working through the documented release process

  • Physically and logically separated from the live system

  • No live data

  • “Deny everything that is not explicitly allowed”

Phases shown on the slide: Stage, Deploy, Manage


Deploy

  • Code integrity is monitored

  • The platform's security requirements are implemented

  • Strict enforcement of the process requirements

  • Complete inventory


Manage

  • Tools

  • Remote administration

  • Monitoring of the systems

  • Support

  • Incident Response Center

  • Patch management

  • Least privilege




