esw06 cushman


Presentation Transcript

Microsoft Security Fundamentals: 

Andrew Cushman
EUSecWest - London
February 20, 2006

Intro – Who am I?: 

- Director of Security Community Outreach
- Outreach to Community
- Community Advocate w/in Microsoft
- 16 year MS veteran
- Enabled for Code Red and Nimda
- Rejected MSADC vdir defaults change for IIS5
- Responsible for IIS 6 security
- Engineering Group manager for IIS6
- Hired @stake for Pen Test engagement

Agenda – Why am I here?: 

- To show our work: the MS security fundamentals
  - Brief review – how we got here
  - Describe the holistic approach – the security lifecycle
  - Specifics – customer requirements & our solutions
- 3 things I want you to take away
  - MS understands the industry wide security problem, and that security requires industry wide solutions
  - MS delivering excellent results: maybe not perfect, but reasonable and industry leading
  - MS committed to the long term security investments: security is a journey - it's not a destination

Brief History: 

- MSRC creation and early years
- SWI (Secure Windows Initiative): 2 guys in their spare time
- TwC memo from Chairman Bill
- Code Red, Nimda, Blaster, Slammer…
- Security Community Outreach ('03 party at Black Hat)
- XPsp2

Today’s Changed Ecosystem : 

- Security industry matures
  - Expanding number of tools & experts & researchers; low barrier to entry attracts new entrants
  - More researchers & more areas = lots more bugs
- Criminal element fueling new actions & patterns
  - AdWare and SpyWare
  - The rise of botnets and botherders
- Attacks are constant and targeted
  - Move toward targeted attacks
  - News reports of corporate and government espionage
- Still on the upswing
  - Unlimited researcher creativity & new attack surface
  - New class of attacks and new vectors

The Changing Ecosystem : 

- 'Indictments were filed by an Israeli prosecutor against nine men in the industrial espionage case that involved planting Trojan horses on rival companies' computers to spy out their secrets.' InformationWeek, July 8, 2005
- 'Foreign governments are the primary threat to the U.K.'s critical national infrastructure because of their hunger for information, a British government agency said.' Roger Cummins, NISCC Director, in ZDNet, November 22, 2005
- 'Security experts have revealed details about a group of Chinese hackers who are suspected of launching intelligence-gathering attacks against the U.S. government.' Alan Paller, SANS Institute, in ZDNet, November 23, 2005

Top Security Challenges: 

- Security researchers & ISVs at odds
  - Customers' safety is a common goal, but disagreement on tactics
  - Security researchers distrust software ISVs
  - No consensus on Responsible Disclosure
  - Differing views of benefit of exploit code and PoC
- Changed economic landscape
  - Attribution in bulletins losing value in new economy
  - Vulns have value in an above ground economy
- Changed threat landscape
  - Shrinking delta btw publish and exploitation
  - Vuln full disclosure increases customer risk

Security Focus: Microsoft Corporation: 

A secure platform strengthened by security products, services and guidance to help keep customers safe
Vision:
- Excellence in fundamentals
- Security innovations
- Scenario-based content and tools
- Authoritative incident response
- Awareness and education
- Collaboration and partnership

Technology Investments: 


Security Engineering & Communications: 

The Security Fundamentals Group at Microsoft: one team responsible for
- Microsoft's Security Development Lifecycle
- Security Engineering (Eng. Standards)
- Penetration Testing (Stds. Enforcement)
- Security Response & Updates
- Emergency Incident Response
- Community Outreach

Security Focus: Sec Fundamentals Group: 

Vision: embed industry leading security in the Microsoft development culture and in every MS product and service
- Cutting edge research: /GS, heap mitigations, fuzzing, analysis tools, Patchguard
- Internal training: SWI KB, SDL article on MSDN
- MSRC bulletins, security advisories
- Conf. presentations, conf. sponsorship
- CERT collaboration, GIAIS (ISPs), VIA (Virus ISVs), BlueHat

Security Development Lifecycle: 

- Requirements (product inception): assign resource; security plan
- Design: design guidelines applied; security architecture; security design review; ship criteria agreed upon
  - Threat modeling: models created; mitigations in design and functional specs
- Implementation (guidelines & best practices): coding standards; testing based on threat models; tool usage
- Verification (security push): security push training; review threat models; review code; attack testing; review against new threats; meet signoff criteria
- Release
  - Final Security Review (FSR): review threat models; penetration testing; archiving of compliance info
  - Security docs & tools: customer deliverables for secure deployment
  - RTM & deployment signoff
- Response: security response; feedback loop - tools / processes - postmortems - SRLs

Security Development Lifecycle: 

- Defines security requirements and milestones
- MANDATORY if exposed to meaningful security risks
- Requires response and service planning
- Includes Final Security Review (FSR) and sign-off
- Mandatory annual training – internal trainers
- BlueHat – external speakers on current trends
- Publish guidance on writing secure code, threat modeling and SDL; as well as courses
- In-process metrics to provide early warning
- Post-release metrics assess final payoff (# of vulns)
- Training compliance for team and individuals

SDL and Microsoft Products : 

- SDL applies across divisions and businesses
  - Defines incident response & patch requirements and guidelines
  - Defines engineering requirements and guidelines
  - Validation to ensure standards are met
- Final product security profile combines customer requirements, deployment and usage requirements, and security requirements
- SDL in practice takes on the personality of the product: IE looks different than Windows Defender
- Products must pass Final Security Review to ship
- We're paying attention to what the community tells us…

Feedback from the Community…: 

You might have a wee problem w/ file parsers…
- MS04-011: EMF, WMF
- MS04-025: GIF, BMP
- MS04-041: WordPad DOC Converters
- MS05-002: 3 ANI
- MS05-005: DOC
- MS05-009: PNG
- MS05-012: OLE/COM
- MS05-014: CDF
- MS05-018: Fonts
- MS05-020: MSRatings .RAT
- MS05-023: DOC
- MS05-025: PNG
- MS05-026: .ITS
- MS05-036: 9 ICM (JPG,PNG,BMP)

Windows Vista Security Approach : 

- Stop playing catch up - find & fix before ship
- Automate proven techniques: parser fuzzing, banned API removal tools
- Methodically apply security expertise on whole product: attack surface reduction, service hardening; feature reviews; penetration testing
- Defense in depth mitigations: new GS, heap improvements, etc

Security Engineering in Windows Vista : 

Central PREfix (etc) runs

Vista Security Review Overall Approach: 

- Feature reviews
- Penetration testing
- Special projects

Microsoft Security Training Courses : 

- 2003 - Security Basics was the only class
- 2006 – Expanded general & discipline specific offerings
  - Introduction to the SDL and FSR Process
  - Basics of Secure Software Design, Development, and Test
  - Threat Modeling
  - Security for Management: Classes of Security Defects; Defect Estimation and Management
  - Developers: Secure Coding Practices; Security Code Reviews
  - Testers & Program Managers: Introduction to Fuzzing; Implementing Threat Mitigations; Time-tested Security Design Principles; Attack Surface Reduction and Analysis
- 2007 and beyond – Continual and ongoing effort

Slide20: 

Education resources

BlueHat Conference Training: 

- March 05: Dino Dai Zovi & Shane McAuley, Matt Conover, HD & Spoonm, Dug Song, Dan Kaminsky
- October 05: Skape, Vinnie Liu, Dave Maynor, Brett Moore, Toolcrypt
- Training for execs and engineers

Windows Vista Quality Gates: 

Many SDL recommended best practices become required engineering tasks in Vista
- Banned API removal: over 250,000 removed; no incoming code uses these APIs
- SAL for ALL headers: ISVs will get benefit in Platform SDK; over 119,000 functions annotated by the time we ship; no incoming code missing SAL
- Banned crypto removal
- ALL new features required threat model along with design, spec, and test plan up front: thousands of threat models
- Central Privacy team and Privacy Quality Gate

Windows Vista Quality Gates cont…: 

- 120 functions banned: use StrSafe or SafeCRT
- Mandatory use of IntOverflow PREfast extension
- Prohibit executable pages
- Writable/Shared PE segments banned
- Newer versions of FxCop and AppVerif required
- Firewall policy created: the bar to open a port is very high ("Over John Lambert's dead body")
- Prohibit use of APTCA without deep security review
- Banned DES, RC2, SHA1, MD4 and MD5 for new code
- Crypto Board created

A Note on SAL: 

- The most important quality tool we have
- No-one else uses this kind of technology
- Helps source code analysis tools find bugs

    char * fgets(__out_ecount_z(_MaxCount) char * _Buf, __in int _MaxCount, __inout FILE * _File);
    __checkReturn errno_t tmpfile_s(__deref_opt_out FILE ** _File);

- __checkReturn: must check return value
- __out_ecount_z(n): outbound null-terminated string of length 'n'
- __in: read-only inbound argument
- __inout: RW arg, by reference
- __deref_opt_out: must deref OK, optional, not null-term
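The contract those annotations express, written out as an added example (not code from the slides or from the Windows CRT): a StrSafe-style bounded copy carrying the same SAL macros, plus the checked multiplication the IntOverflow gate on the previous slide insists on. The macros are assumed to come from sal.h on MSVC and are defined away elsewhere so the code also builds with gcc or clang.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: on MSVC the annotations come from sal.h and PREfast checks
 * callers and callees against them; on other compilers define them away. */
#ifdef _MSC_VER
#include <sal.h>
#else
#define __in
#define __in_z
#define __out
#define __out_ecount_z(n)
#define __checkReturn
#endif

/* StrSafe-style replacement for the banned strcpy: dst holds cap elements,
 * is always null-terminated when cap > 0, and the caller is told about
 * truncation instead of getting a silent overflow.
 * Returns 0 on success, 1 if truncated, -1 if there is no room at all. */
__checkReturn
int copy_z(__out_ecount_z(cap) char *dst, __in size_t cap, __in_z const char *src)
{
    size_t len = strlen(src);
    if (cap == 0)
        return -1;
    if (len >= cap) {                 /* would not fit: truncate and report */
        memcpy(dst, src, cap - 1);
        dst[cap - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, len + 1);        /* fits, including the terminator */
    return 0;
}

/* Checked element-count multiplication, the kind the IntOverflow PREfast
 * extension demands before an allocation size is computed.
 * Returns 1 and stores count*size in *out, or 0 if it would wrap. */
__checkReturn
int checked_mul(__in size_t count, __in size_t size, __out size_t *out)
{
    if (size != 0 && count > SIZE_MAX / size)
        return 0;
    *out = count * size;
    return 1;
}
```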

Service Hardening: 

- Write restrictions
  - Restrict which resources are write-able
  - Define privs you need; SCM grants ONLY those privs regardless of account
  - Per-service SID: ACL objects so only your service can access them
- Network restrictions
  - You describe & Vista enforces network access policy
  - Eg: foo.exe can only open port TCP/123 inbound
    |Action=Allow|Dir=In|LPORT=123|Protocol=17|App=%SystemRoot%\foo.exe
  - If foo.exe has a bug, the rogue code cannot make outbound connections
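How a rule in that format decides a connection attempt, as an added example (not Microsoft's code): a small evaluator that parses the slide's rule string and fails closed on anything it does not explicitly allow, so the outbound attempt from a compromised foo.exe is rejected. The conn_t struct and the exact-match path comparison are assumptions of this example; 17 is the IANA protocol number for UDP and 6 for TCP.

```c
#include <stdlib.h>
#include <string.h>
/* Added example (not Microsoft's code): evaluates one connection attempt
 * against one rule in the pipe-delimited format shown on the slide. Anything
 * the rule does not explicitly allow is blocked, the service-hardening default.
 * Protocol is the IANA protocol number, so 6 is TCP and 17 is UDP. */
typedef struct {
    const char *dir;      /* "In" or "Out" */
    int lport;            /* local port */
    int protocol;         /* IANA protocol number */
    const char *app;      /* image path of the process */
} conn_t;

/* The rule from the slide, kept verbatim as the sample input. */
const char *SLIDE_RULE =
    "|Action=Allow|Dir=In|LPORT=123|Protocol=17|App=%SystemRoot%\\foo.exe";

/* Copies the value of key=... into out; returns 0 if absent or oversized. */
static int rule_get(const char *rule, const char *key, char *out, size_t cap)
{
    size_t klen = strlen(key);
    const char *p = rule;
    while (*p) {
        if (*p == '|') { p++; continue; }            /* skip field separators */
        const char *end = strchr(p, '|');
        size_t seglen = end ? (size_t)(end - p) : strlen(p);
        if (seglen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = seglen - klen - 1;
            if (vlen >= cap) return 0;               /* oversized: fail closed */
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p += seglen;
    }
    return 0;
}

/* Returns 1 only if the action is Allow and every rule field matches the
 * connection. Paths are compared exactly here, a simplification of this example. */
int rule_allows(const char *rule, const conn_t *c)
{
    char v[260];
    if (!rule_get(rule, "Action", v, sizeof v) || strcmp(v, "Allow") != 0) return 0;
    if (!rule_get(rule, "Dir", v, sizeof v) || strcmp(v, c->dir) != 0) return 0;
    if (!rule_get(rule, "LPORT", v, sizeof v) || atoi(v) != c->lport) return 0;
    if (!rule_get(rule, "Protocol", v, sizeof v) || atoi(v) != c->protocol) return 0;
    if (!rule_get(rule, "App", v, sizeof v) || strcmp(v, c->app) != 0) return 0;
    return 1;
}
```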

Vista and LH Server Defenses: 

- UAC – User Account Control
  - Standard User – lower privileged account
  - Elevate via UI prompt or control via policy
  - Mitigates threats but not absolute security
  - Process isolation challenges: UI tampering – secure desktop design change just approved; Registered Window Message; MIC
- Patch Guard and malware defenses
- Numerous heap defenses: metadata encoding & integrity checks, randomized, encoded internal ptrs, LowFrag heap used more, algorithm changes based on usage

A Note on Vista Fuzzing: 

- Using numerous internally-built fuzzers: Filefuzzer, FCL, MiddleMan, Rogue, RPCFuzz & instrumented apps
- To date (central team focus only on fuzzing): fuzzed 90 parsers with over 61 million malformed files
- By the time we ship: fuzz over 200 parsers with over 1 billion malformed files

Feature Reviews & Pen Testing: 

Validation in 3 different ways
- Features prioritized using multiple risk factors: Internet facing, capable of generating Critical vuln, etc
- Feature reviewer meets w/ product team: analyzes threat models, design, & attack surface; output is bugs, design changes & mitigations; weak areas referred for deeper inspection
- A deeper look: targeted review of implementation
- Full blown pen test: feature requires in depth multi-week engagement

Security Response Process: 


Slide30: 

Security Response
- Monthly Response Process
- SSIRP Incident Response
  - Observe the environment: watch for triggers; know when something needs response
  - Evaluate severity, mobilize: engineering and analysis; industry relationship partners; communications; legal and law enforcement
  - Deep analysis including malware teardown: workarounds, solns and tools; law enforcement; communications
  - Communications; lessons learned

Case Study: WMF Background: 

- Watch (Dec 27): first noticed on newsgroup December 27; immediate escalation to SSIRP Operations Leads and first responders
- Alert & Mobilize (Dec 27): immediate escalation to Orange SSIRP; teams assembled; immediately began monitoring for customer impact; immediate outreach to security partners to assess initial impact
- Assess & Stabilize (Dec 27 - Jan 5): attack analysis and projection; coded fix and started testing; intervention & partner outreach – esp. AV, CERT; PSS & customers; multiple advisories published including effective workaround; site research and aggressive takedown activity; extensive field outreach; extensive press and PR response
- Resolve (Jan 5 - present): test pass completed early & released ahead of published schedule; post mortem completed; improvements to internal communication process flow; early and aggressive engagement of all product teams

WMF case study – from fix to release: 

- Coding the fix: the team isolated the bug quickly; built update, smoke tested and then delivered to test team
- Functional / regression testing:
  - More than 450,000 individual GDI/User test cases
  - Approximately 22,000 hours of stress
  - Over 125 malicious WMFs verified to be fixed by the update
  - Over 2,000 WMFs from our image library analyzed
  - Approximately 15,000 printing specific variations run & 2,800 pages verified
- Application compatibility testing:
  - Over 400 applications tested across all 6 supported Windows platforms
  - Security Update Validation Program for broad coverage of LOB application compatibility and deployment; international coverage
- Deployment tools: MBSA 1.2, MBSA 2.0, Microsoft Update/Windows Update, AutoUpdate, Software Update Service (SUS/WSUS), SMS

Security Community Outreach : 

Listen, learn & contribute to the security community
- Engage the community: personalize the engagement w/ a faceless company
- Technical innovation: conference attendance for cutting edge research
- Industry partnership: conference co-sponsorship; participate in the community
- Guidance: connect experts in product teams & security community; promote Responsible Disclosure, e.g., encourage dialog btw researchers & vendors
- Our goal: coordinated release of vuln details & the update

Security Community Outreach : 

Internal education & act as community advocate
- Educate the Microsoft community: put a face on 'hacker threat' for execs & engineers
- Technical innovation: facilitate knowledge transfer to product groups; ensure execs & engineers understand the state of the art: exploit frameworks, binary analysis
- Industry partnership: security audits and feature reviews
- Guidance: voice of the customer – listen to a difficult audience; promote dialog and highlight the shared goals

Conclusion: 

- We've come a long way
- We are in it for the long haul: it's a lifestyle commitment – not a partial new year's resolution
- We'd like your help: see me if you want to sign up for Vista beta
- Give us feedback – we're listening!

Slide36: 

secure@microsoft.com