La descarga está en progreso. Por favor, espere

La descarga está en progreso. Por favor, espere

MS ACE Team Seguridad en el Código (SDL-IT) Simon Roses Femerling ACE Team - Microsoft Security Technologist

Publicada porJuanito Devera Modificado hace 10 años

Presentaciones similares

Presentación del tema: "MS ACE Team Seguridad en el Código (SDL-IT) Simon Roses Femerling ACE Team - Microsoft Security Technologist"— Transcripción de la presentación:

1 MS ACE Team Seguridad en el Código (SDL-IT) Simon Roses Femerling ACE Team - Microsoft Security Technologist simonros@microsoft.com

2 Security Technologist en el ACE TeamSecurity Technologist en el ACE Team Ex : PwC, @Stake entre otras…Ex : PwC, @Stake entre otras… Licenciado Superior en Informática y Postgrado en Tecnología por Harvard University.Licenciado Superior en Informática y Postgrado en Tecnología por Harvard University. Años participando activamente en la industria de seguridad, Jefe de Proyecto OWASP, etc.Años participando activamente en la industria de seguridad, Jefe de Proyecto OWASP, etc.

3 SDL-IT (Security Development Lifecycle)SDL-IT (Security Development Lifecycle) ACE TeamACE Team Conclusiones del SDL-ITConclusiones del SDL-IT

4 SDL-IT ( SDL-IT (Security Development Lifecycle )

5 Fundamentos del SDL-IT A secure platform strengthened by security products, services and guidance to help keep customers safe Vision: Excellence in fundamentals Security innovations Scenario-based content and tools Authoritative incident response Awareness and education Collaboration and partnership

6 Microsoft SDL-IT (I) Product Inception Assign resource Security plan Design Design guidelines applied Security architecture Security design review Ship criteria agreed upon Guidelines&Best Practices Coding Standards Testing based on threat models Tool usage Security Push Security push training Review threat models Review code Attack testing Review against new threats Meet signoff criteria Final Security Review(FSR) Review threat models Penetration Testing Archiving of Compliance Info Security Response Feedback loop -Tools/ Processes -Postmortems -SRLs RTM& Deployment Signoff DesignResponse Threat Modeling Models created Mitigations in design and functional specs Security Docs& Tools Customer deliverables for secure deployment RequirementsImplementationVerificationRelease

7 Microsoft SDL-IT (II) 7 Process Education Accountability Defines security requirements and milestones MANDATORY if exposed to meaningful security risks Requires response and service planning Includes Final Security Review (FSR) and Sign-off Mandatory annual training – internal trainers BlueHat – external speakers on current trends Publish guidance on writing secure code, threat modeling and SDL; as well as courses In-process metrics to provide early warning Post-release metrics assess final payoff (# of vulns) Training compliance for team and individuals Microsoft Product Development Lifecycle Microsoft Security Development Lifecycle

8 ACE Team

9 Introducción al ACE Team ACE = Application Consulting & Engineering (ACE) Misión: Proveedor de servicios en Seguridad y Rendimiento internamente y externamente en Microsoft. En los últimos 5 años ha realizado: –3000+ auditorías en seguridad y rendimiento –> 50,000 vulnerabilidades en seguridad y rendimiento documentadas y solucionadas –Potente grupo de I+D en continua evolución.

10 Servicios del ACE Team Application SecurityApplication Security –Threat Modeling & Design Reviews –Security Code Reviews –Security Process Integration –Security Guidance & Prototype Development Infrastructure SecurityInfrastructure Security –Technical Compliance Management Application Performance TuningApplication Performance Tuning –Performance assessments Training: Security & PerformanceTraining: Security & Performance

11 Threat Analysis & Modeling (TAM)

12 Conclusiones del SDL-IT

13 Symantec With the advent of Vista and the continued use of the Security Development Lifecycle, it is likely that Microsoft-authored code will become more difficult to exploit. As a result, attackers may turn their focus to common third-party applications that are authored by companies that have not employed the Security Development Lifecycle or other secure development practices, and, therefore, may be less secure. http://www.symantec.com/enterprise/security_response/weblog/2007/03 /future_watch_predicting_the_co.html

14 Simon Roses Femerling ACE Team - Microsoft Security Technologist simonros@microsoft.com Chema Alonso Informática 64 MVP Seguridad chema@informatica64.com

15 MS SDL-ITMS SDL-IT –http://www.microsoft.com/technet/itshowcase/content/ mssecbp.mspx http://www.microsoft.com/technet/itshowcase/content/ mssecbp.mspxhttp://www.microsoft.com/technet/itshowcase/content/ mssecbp.mspx Application Threat ModelingApplication Threat Modeling –http://msdn2.microsoft.com/en- us/security/aa570413.aspx http://msdn2.microsoft.com/en- us/security/aa570413.aspxhttp://msdn2.microsoft.com/en- us/security/aa570413.aspx MS ACE Team BlogMS ACE Team Blog –http://blogs.msdn.com/ace_team/ http://blogs.msdn.com/ace_team/

16

Descargar ppt "MS ACE Team Seguridad en el Código (SDL-IT) Simon Roses Femerling ACE Team - Microsoft Security Technologist"

Presentaciones similares

PLT EXPERIENCES IN SPAIN

PLT EXPERIENCES IN SPAIN
Learning Achievement in Creativity and Design Subjects according to Professional Profiles (2006) European Transfer Credit System (ECTS) Methodology in.

Learning Achievement in Creativity and Design Subjects according to Professional Profiles (2006) European Transfer Credit System (ECTS) Methodology in.
Diagnóstico climático del Golfo de California

Diagnóstico climático del Golfo de California
Software Expo 2005 INTRODUCCION A ITIL Mayo 2005 Title slide.

Software Expo 2005 INTRODUCCION A ITIL Mayo 2005 Title slide.
Meta: be able to write with no errors on infinitive triggers and agreement Entrada: Escribir-reflecion Escribir de la casa Para salir: use an infinitve.

Meta: be able to write with no errors on infinitive triggers and agreement Entrada: Escribir-reflecion Escribir de la casa Para salir: use an infinitve.
SECRETARÍA DE ESTADO DE CAMBIO CLIMÁTICO DIRECCION GENERAL DE CALIDAD Y EVALUACION AMBIENTAL PRESENTATION BY SPAIN TO THE EXECUTIVE BODY FOR THE CLRTAP:

SECRETARÍA DE ESTADO DE CAMBIO CLIMÁTICO DIRECCION GENERAL DE CALIDAD Y EVALUACION AMBIENTAL PRESENTATION BY SPAIN TO THE EXECUTIVE BODY FOR THE CLRTAP:
MEXICAN CUSTOMS UPDATE

MEXICAN CUSTOMS UPDATE
POLICY MAKING ON MIGRATION THE COSTA RICAN EXPERIENCE Luis Alonso Serrano Echeverría Head of the Planning Department General Direction of Migration & Alien.

POLICY MAKING ON MIGRATION THE COSTA RICAN EXPERIENCE Luis Alonso Serrano Echeverría Head of the Planning Department General Direction of Migration & Alien.
RENAISSANCE es un proyecto del programa CONCERTO co-financiado por la Comisión Europea dentro del Sexto Programa Marco RENAISSANCE - ZARAGOZA - SPAIN 1.

RENAISSANCE es un proyecto del programa CONCERTO co-financiado por la Comisión Europea dentro del Sexto Programa Marco RENAISSANCE - ZARAGOZA - SPAIN 1.
RENAISSANCE es un proyecto del programa CONCERTO co-financiado por la Comisión Europea dentro del Sexto Programa Marco RENAISSANCE - ZARAGOZA - SPAIN 1.

RENAISSANCE es un proyecto del programa CONCERTO co-financiado por la Comisión Europea dentro del Sexto Programa Marco RENAISSANCE - ZARAGOZA - SPAIN 1.
RENAISSANCE es un proyecto del programa CONCERTO co-financiado por la Comisión Europea dentro del Sexto Programa Marco 1 WP 1.5 Description of work (month.

RENAISSANCE es un proyecto del programa CONCERTO co-financiado por la Comisión Europea dentro del Sexto Programa Marco 1 WP 1.5 Description of work (month.
Fundación Comunidad Valenciana – Región Europea FCVRE Fundación Comunidad Valenciana – Región Europea www.uegva.info Project Forum Corner Which kind of.

Fundación Comunidad Valenciana – Región Europea FCVRE Fundación Comunidad Valenciana – Región Europea Project Forum Corner Which kind of.
WB XBRL VIDEO CONFERENCE Nelson Carvalho – XBRL I. I. Board Member XBRL: A TOOL FOR WHAT? BUSINESSES NEED FUNDING RISKS CONTAMINATE PRICES - MAKE FUNDING.

WB XBRL VIDEO CONFERENCE Nelson Carvalho – XBRL I. I. Board Member XBRL: A TOOL FOR WHAT? BUSINESSES NEED FUNDING RISKS CONTAMINATE PRICES - MAKE FUNDING.
© 2006 XBRL International, All Rights Reservedwww.xbrl.org/Legal Ignacio Hernández-Ros Technology development XBRL International Using XQuery to process.

© 2006 XBRL International, All Rights Reservedwww.xbrl.org/Legal Ignacio Hernández-Ros Technology development XBRL International Using XQuery to process.
MSF & Visual Studio Team System 2005 Beta I Cristian Rene Rivas MSF Trainer – MCT – MCSD Beyond IT.

MSF & Visual Studio Team System 2005 Beta I Cristian Rene Rivas MSF Trainer – MCT – MCSD Beyond IT.
Acelere el Ciclo de Vida de sus Aplicaciones

Acelere el Ciclo de Vida de sus Aplicaciones
PLEASE READ (hidden slide) This template uses Microsofts corporate font, Segoe Segoe is not a standard font included with Windows, so if you have not.

PLEASE READ (hidden slide) This template uses Microsofts corporate font, Segoe Segoe is not a standard font included with Windows, so if you have not.
Productividad personal Estar al día Colaboración Limitada.

Productividad personal Estar al día Colaboración Limitada.
Grupos de Trabajo 6 - Informe Working Group 6 – Report Transparency.

Grupos de Trabajo 6 - Informe Working Group 6 – Report Transparency.
Grupos de Trabajo # 7 - Informe Working Group # 7 – Report General Business and Operational Risks.

Grupos de Trabajo # 7 - Informe Working Group # 7 – Report General Business and Operational Risks.

Presentaciones similares

Anuncios Google