Introduction to the Microsoft® Security Development Lifecycle (SDL)
Secure software made easier

Agenda
Applications under attack
Origins of the Microsoft SDL
What is Microsoft doing about the threat?
Measurable improvements at Microsoft

Applications under attack…
Cost of U.S. cybercrime: About $70B
Source: U.S. Government Accountability Office (GAO), FBI
% of vulnerability disclosures:
Operating system vs browser and application vulnerabilities
From the Microsoft Security Intelligence Report V7
90% of vulnerabilities are remotely exploitable
Source: IBM X-Force 2008 Security Report
Administer and track security training
Guide product teams to meet SDL requirements
Establish release criteria and sign-off as part of FSR
Ongoing Process Improvements
Assess organizational knowledge on security and privacy – establish training program as necessary
Opportunity to consider security at the outset of a project
Define and document security architecture, identify security critical components
Full spectrum review – used to determine processes, documentation and tools necessary to ensure secure deployment and operation
Started as early as possible – conducted after “code complete” stage
Creation of a clearly defined support policy – consistent with MS corporate policies
Verify SDL requirements are met and there are no known security vulnerabilities
Security response plan complete
“Plan the work, work the plan…”
The Microsoft SDL includes online services and Line-of-Business application development guidance.
Total Vulnerabilities Disclosed One Year After Release
45% reduction in Vulnerabilities
Source: Windows Vista One Year Vulnerability Report, Microsoft Security Blog 23 Jan 2008
Total Vulnerabilities Disclosed 36 Months After Release
91% reduction in Vulnerabilities
Source: Analysis by Jeff Jones (Microsoft TechNet Security Blog)
Attacks are moving to the application layer
SDL = embedding security into software and culture
Measurable results for Microsoft software
Microsoft is committed to making SDL widely available and accessible
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.