security & scaling at microsoft
DESCRIPTION
Eric Mittelette and Stanisloas Quastano share stories of Microsoft Security and Scalability lessons learned at FailCon France 2012.TRANSCRIPT
Security & SoftwareDisasters & changing perception
Eric Mittelette & Stanislas Quastana | Microsoft
Do you remember those dark days ?
May 4th 2000July 13th 2001
September 28th 2001January 25th 2003August 13th 2003
As Microsoft employees we do
15 minutes before SQL Slammer infection
SQL Slammer (aka Sapphire) infection
Blaster (aka LOVE YOU SAN)
Why we fail ?
Reason 1 : features, features, features….
Reason 2 : Security was not in Developer’s DNA
Reason 3 : Everything was installed and started by default
Ex: IIS Web Server
Which response ?
“Computing is already an important part of many people’s lives. Within ten years, it will be an integral and indispensable part of almost everything we do. Microsoft and the computer industry will only succeed in that world if CIOs, consumers and everyone else sees that Microsoft has created a platform for Trustworthy Computing”
“We have done a great job of having teams work around the clock to deliver security fixes for any problems that arise.
Our responsiveness has been unmatched – but as an industry leader we can and must do better”
“Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers’ view of us as a company”
“So now, when we face a choice between adding features and resolving security issues, we need to choose security”
So what we did ?
Stop all developmentThe 1st time in our history
Every Microsoft developer : back to school !!!Mandatory annual security training
« One book to protect them all »
Dear developers
Few security bugs in your code = more money in your pocket
SDLC is the Microsoft security audit & expertise substance published as a methodology
Security Team created
Final Security Review mandatory
Did it work ?
First results
Helping IT customers in their job
As you see, we did a lot of things
But…
“Security is a journey, not a destination”
10 years later
Is it better ?
“Security is a journey, not a destination”
Sometimes it’s better to be the first…
Security is an industry problem not a single company issue
Really ?
same feature but 10 years later
“Security is a journey, not a destination”
“Security is a journey, not a destination”
Thanks you
@EricMitt & @SQuastana