Cliff Evans, Security and Privacy Lead, Trustworthy Computing Group, Microsoft UK
TRANSCRIPT
Addressing Security Satisfaction
Cliff Evans, Security and Privacy Lead, Trustworthy Computing Group, Microsoft UK
Agenda
  The Fundamentals
  Satisfaction – How are we doing?
  The Approach
    Trustworthy Computing
    Security Development Lifecycle (SDL)
    Vulnerability Analysis
  Helping you Secure your IT Environment (free tools and information)
    SDL: the next steps
    Microsoft Security Assessment Tool
    Microsoft UK Security Newsletter
Satisfaction – How are we doing?
  Consumers
    Very High Overall Satisfaction
    High Security Satisfaction
    High Privacy Satisfaction
  IT Professionals / Business Decision Makers
    Moderate Overall Satisfaction
    Moderate Security Satisfaction
    Moderate Privacy Satisfaction
Trustworthy Computing
  Timeline, 2002-2008, milestones as shown on the slide: TWC Announced, SDL begins; DSI Launched; Windows Server 2003; Windows XP SP2; Windows Server 2003 SP1; Malicious SW Removal Tool; SQL Server 2005; Visual Studio 2005; Windows Defender; Windows Live OneCare; Windows Vista; Office 2007; Forefront; Windows Server 2008; SQL Server 2008
The Microsoft Security Development Lifecycle
  Goals: Protect Microsoft customers by
    Reducing the number of vulnerabilities
    Reducing the severity of vulnerabilities
  Key Principles
    Prescriptive yet practical approach
    Proactive – not just “looking for bugs”
    Eliminate security problems early
    Secure by design
  Lifecycle: Conception → Release
SDL Results
  Chart titles on the slide: First Year of Vulnerabilities*; 2007*; Vulnerabilities Fixed One Year After Release*; Vulnerabilities disclosed and fixed, quarterly totals 2000-2006**
  Microsoft SQL Server, vulnerabilities disclosed and fixed per quarter, 2000-2006 (chart, 0-20 scale)**
  Windows XP vs Windows Vista, Fixed / Unfixed: Windows XP 65 fixed, 54 unfixed; Windows Vista 36 fixed, 30 unfixed*
  Windows XP SP2 vs Windows Vista by severity (Critical / Important / Moderate / Low): 35 vs 17, 15 vs 19, 4 vs 7, 2 vs 2 (pairing reconstructed from the series order of the extracted chart)*
  IE 6 vs IE 7 by severity (Medium / High): 18 vs 14, 8 vs 3 (pairing reconstructed from the series order of the extracted chart)*
  **Source: Which database is more secure? Oracle vs. Microsoft, David Litchfield, NGS Software, 21-November-2006
  *Source: http://blogs.csoonline.com/blog/jeff_jones
SDL Results
Source: http://blogs.csoonline.com/blog/jeff_jones
  Vulnerability disclosures per half-year, Microsoft vs. all other vendors. The "MSFT % of All Disclosures" column is MSFT / (MSFT + non-MSFT), which matches the plotted values:

  Period   MSFT vulns   non-MSFT vulns   MSFT % of All Disclosures
  1H03         44             708                 5.9%
  2H03         66             631                 9.5%
  1H04         64            1138                 5.3%
  2H04         88            1391                 5.9%
  1H05         75            1954                 3.7%
  2H05         87            2573                 3.3%
  1H06         98            3179                 3.0%
  2H06        168            3268                 4.9%
  1H07        146            3296                 4.2%
  2H07         90            2815                 3.1%
  1H08         80            2712                 2.9%
Windows Server @ 90 Days
  Vulnerabilities in First 90 Days (chart, 0-10 scale; values read from the extracted bar labels):
    Windows Server 2003-all    9
    Windows Server 2003-gui    9
    Windows Server 2008-all    6
    Windows Server 2008-gui    4
    Windows Server 2008-core   3
  Source: internal study by Jeff Jones
Windows Vista – First 12 Months
http://blogs.csoonline.com/blog/jeff_jones

  Metric                              Windows Vista (year 1)   Windows XP (year 1)   Red Hat rhel4ws reduced (year 1)   Ubuntu 6.06 LTS reduced (year 1)   Mac OS X 10.4 (year 1)
  Vulnerabilities fixed                        36                     65                      360                               224                          116
  Security Updates                             17                     30                      125                                80                           17
  Patch Events                                  9                     26                       64                                65                           17
  Weeks with at least 1 Patch Event             9                     25                       44                                39                           15

  First Year of Vulnerabilities (chart, Fixed vs Unfixed, 0-400 scale): Windows XP, Windows Vista, RHEL4 reduced, Ubuntu LTS reduced, Mac OS X 10.4
Microsoft Security: Defense In Depth
Comprehensive line of business security products that help you gain greater protection and secure access through deep integration and simplified management

  TWC / SDL
  Systems Management: Operations Manager 2007, Configuration Manager 2007, Data Protection Manager, Mobile Device Manager 2008
  Identity & Access Management: Active Directory Federation Services (ADFS), Certificate Lifecycle Management Services
  Information Protection: Encrypting File System (EFS), BitLocker™
  Network Access Protection (NAP)
  Next Generation Microsoft Forefront: Client and Server OS, Server Applications, Edge; Forefront Stirling Management
Microsoft Forefront Product Roadmap
  Roadmap chart, H1 2008 / H2 2008 / H1 2009. Rows: Client and Server OS, Server Applications, Network Edge, Integrated Security System (codename “Stirling”, BETA). Entries marked NEW, NEXT or BETA.
SDL Pro Network
www.microsoft.com/sdl
Security service providers that specialize in application security and have been trained by Microsoft in the tools and guidance associated with its Security Development Lifecycle. These service providers will guide and support organizations - both large and small - in implementing the SDL in their environments.
SDL Optimization Model
www.microsoft.com/sdl
Created to facilitate gradual, consistent and cost-effective implementation of the SDL in development organizations outside of Microsoft. The model, which will be freely available for download in November, is based on the Microsoft IT Infrastructure and Application Platform Optimization models, which focus on leveraging IT as a driver of business value
Microsoft SDL Threat Modelling
www.microsoft.com/sdl
Allows for early, structured analysis and proactive mitigation and tracking of potential security and privacy issues in new and existing applications. Due for release in November, this new, freely available tool will offer a threat modelling methodology that any software architect can lead effectively.
Microsoft Security Assessment Tool (MSAT)
www.microsoft.com/security/msat
The Microsoft Security Assessment Tool (MSAT) is a free tool designed to help organizations assess weaknesses in their current IT security environment, reveal a prioritized list of issues, and provide specific guidance to minimize those risks.
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.