La descarga está en progreso. Por favor, espere

La descarga está en progreso. Por favor, espere

MS ACE Team Seguridad en el Código (SDL-IT) Simon Roses Femerling ACE Team - Microsoft Security Technologist

Presentaciones similares


Presentación del tema: "MS ACE Team Seguridad en el Código (SDL-IT) Simon Roses Femerling ACE Team - Microsoft Security Technologist"— Transcripción de la presentación:

1 MS ACE Team Seguridad en el Código (SDL-IT) Simon Roses Femerling ACE Team - Microsoft Security Technologist

2 Security Technologist en el ACE TeamSecurity Technologist en el ACE Team Ex : entre otras…Ex : entre otras… Licenciado Superior en Informática y Postgrado en Tecnología por Harvard University.Licenciado Superior en Informática y Postgrado en Tecnología por Harvard University. Años participando activamente en la industria de seguridad, Jefe de Proyecto OWASP, etc.Años participando activamente en la industria de seguridad, Jefe de Proyecto OWASP, etc.

3 SDL-IT (Security Development Lifecycle)SDL-IT (Security Development Lifecycle) ACE TeamACE Team Conclusiones del SDL-ITConclusiones del SDL-IT

4 SDL-IT ( SDL-IT (Security Development Lifecycle )

5 Fundamentos del SDL-IT A secure platform strengthened by security products, services and guidance to help keep customers safe Vision: Excellence in fundamentals Security innovations Scenario-based content and tools Authoritative incident response Awareness and education Collaboration and partnership

6 Microsoft SDL-IT (I) Product Inception Assign resource Security plan Design Design guidelines applied Security architecture Security design review Ship criteria agreed upon Guidelines&Best Practices Coding Standards Testing based on threat models Tool usage Security Push Security push training Review threat models Review code Attack testing Review against new threats Meet signoff criteria Final Security Review(FSR) Review threat models Penetration Testing Archiving of Compliance Info Security Response Feedback loop -Tools/ Processes -Postmortems -SRLs RTM& Deployment Signoff DesignResponse Threat Modeling Models created Mitigations in design and functional specs Security Docs& Tools Customer deliverables for secure deployment RequirementsImplementationVerificationRelease

7 Microsoft SDL-IT (II) 7 Process Education Accountability Defines security requirements and milestones MANDATORY if exposed to meaningful security risks Requires response and service planning Includes Final Security Review (FSR) and Sign-off Mandatory annual training – internal trainers BlueHat – external speakers on current trends Publish guidance on writing secure code, threat modeling and SDL; as well as courses In-process metrics to provide early warning Post-release metrics assess final payoff (# of vulns) Training compliance for team and individuals Microsoft Product Development Lifecycle Microsoft Security Development Lifecycle

8 ACE Team

9 Introducción al ACE Team ACE = Application Consulting & Engineering (ACE) Misión: Proveedor de servicios en Seguridad y Rendimiento internamente y externamente en Microsoft. En los últimos 5 años ha realizado: –3000+ auditorías en seguridad y rendimiento –> 50,000 vulnerabilidades en seguridad y rendimiento documentadas y solucionadas –Potente grupo de I+D en continua evolución.

10 Servicios del ACE Team Application SecurityApplication Security –Threat Modeling & Design Reviews –Security Code Reviews –Security Process Integration –Security Guidance & Prototype Development Infrastructure SecurityInfrastructure Security –Technical Compliance Management Application Performance TuningApplication Performance Tuning –Performance assessments Training: Security & PerformanceTraining: Security & Performance

11 Threat Analysis & Modeling (TAM)

12 Conclusiones del SDL-IT

13 Symantec With the advent of Vista and the continued use of the Security Development Lifecycle, it is likely that Microsoft-authored code will become more difficult to exploit. As a result, attackers may turn their focus to common third-party applications that are authored by companies that have not employed the Security Development Lifecycle or other secure development practices, and, therefore, may be less secure. /future_watch_predicting_the_co.html

14 Simon Roses Femerling ACE Team - Microsoft Security Technologist Chema Alonso Informática 64 MVP Seguridad

15 MS SDL-ITMS SDL-IT –http://www.microsoft.com/technet/itshowcase/content/ mssecbp.mspx mssecbp.mspxhttp://www.microsoft.com/technet/itshowcase/content/ mssecbp.mspx Application Threat ModelingApplication Threat Modeling –http://msdn2.microsoft.com/en- us/security/aa aspx us/security/aa aspxhttp://msdn2.microsoft.com/en- us/security/aa aspx MS ACE Team BlogMS ACE Team Blog –http://blogs.msdn.com/ace_team/

16


Descargar ppt "MS ACE Team Seguridad en el Código (SDL-IT) Simon Roses Femerling ACE Team - Microsoft Security Technologist"

Presentaciones similares


Anuncios Google