MS ACE Team – Security in Code (SDL-IT). Simon Roses Femerling, ACE Team - Microsoft Security Technologist

Presentation transcript:


About the speaker
–Security Technologist in the ACE Team
–Formerly: among others…
–Bachelor's degree in Computer Science and postgraduate degree in Technology from Harvard University.
–Years of active participation in the security industry, OWASP Project Leader, etc.

Agenda
–SDL-IT (Security Development Lifecycle)
–ACE Team
–SDL-IT conclusions

SDL-IT (Security Development Lifecycle)

SDL-IT fundamentals
Vision: a secure platform strengthened by security products, services and guidance to help keep customers safe.
–Excellence in fundamentals
–Security innovations
–Scenario-based content and tools
–Authoritative incident response
–Awareness and education
–Collaboration and partnership

Microsoft SDL-IT (I)
Phases: Requirements, Design, Implementation, Verification, Release, Response.
Product Inception
–Assign resource
–Security plan
Design
–Design guidelines applied
–Security architecture
–Security design review
–Ship criteria agreed upon
Threat Modeling
–Models created
–Mitigations in design and functional specs
Guidelines & Best Practices
–Coding standards
–Testing based on threat models
–Tool usage
Security Docs & Tools
–Customer deliverables for secure deployment
Security Push
–Security push training
–Review threat models
–Review code
–Attack testing
–Review against new threats
–Meet signoff criteria
Final Security Review (FSR)
–Review threat models
–Penetration testing
–Archiving of compliance info
RTM & Deployment
–Signoff
Security Response
–Feedback loop: tools/processes, postmortems, SRLs

Microsoft SDL-IT (II)
Process
–Defines security requirements and milestones
–MANDATORY if exposed to meaningful security risks
–Requires response and service planning
–Includes Final Security Review (FSR) and sign-off
Education
–Mandatory annual training – internal trainers
–BlueHat – external speakers on current trends
–Publish guidance on writing secure code, threat modeling and SDL, as well as courses
Accountability
–In-process metrics to provide early warning
–Post-release metrics assess final payoff (# of vulns)
–Training compliance for team and individuals
(Diagram labels: Microsoft Product Development Lifecycle / Microsoft Security Development Lifecycle)
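The Final Security Review and sign-off criteria from the SDL-IT (I) slide, together with the in-process metrics from the Accountability column above, can be expressed as a release gate. The following is an added example written for this transcript, not code from the talk or from Microsoft; the data-class fields, the severity scale and the sample project are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Threat:            # one threat-model entry (field names are assumptions)
    name: str
    severity: str        # assumed scale: critical / high / medium / low
    mitigated: bool      # mitigation recorded in design or functional spec
    attack_tested: bool  # exercised during the security push or pen test

@dataclass
class Project:           # SDL-IT status of one release candidate
    name: str
    meaningful_risk: bool  # the slides make SDL-IT MANDATORY when True
    threat_model_reviewed: bool
    code_reviewed: bool
    pen_test_done: bool
    compliance_archived: bool
    training_compliant: bool
    threats: list = field(default_factory=list)

def in_process_metrics(p):
    """Early-warning numbers a team can watch before RTM."""
    total = max(len(p.threats), 1)
    return {
        "mitigation_coverage": sum(t.mitigated for t in p.threats) / total,
        "attack_test_coverage": sum(t.attack_tested for t in p.threats) / total,
        "open_high_critical": sum(1 for t in p.threats if not t.mitigated
                                  and t.severity in ("critical", "high")),
    }

def final_security_review(p):
    """FSR gate: return (signoff_ok, blockers); low-risk projects pass."""
    if not p.meaningful_risk:
        return True, []
    checks = [(p.threat_model_reviewed, "threat model not reviewed"),
              (p.code_reviewed, "security code review missing"),
              (p.pen_test_done, "penetration testing not done"),
              (p.compliance_archived, "compliance info not archived"),
              (p.training_compliant, "team training not compliant")]
    blockers = [msg for ok, msg in checks if not ok]
    open_hc = in_process_metrics(p)["open_high_critical"]
    if open_hc:
        blockers.append(f"{open_hc} unmitigated high/critical threat(s)")
    return not blockers, blockers

# Constructed sample: every process box is ticked, but one high threat is
# still unmitigated, so the gate must refuse sign-off.
SAMPLE = Project("payroll-portal", True, True, True, True, True, True, [
    Threat("SQL injection in search", "high", mitigated=False, attack_tested=True),
    Threat("Verbose error pages", "low", mitigated=True, attack_tested=True),
])
print(final_security_review(SAMPLE))  # → (False, ['1 unmitigated high/critical threat(s)'])
```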

ACE Team

Introduction to the ACE Team
ACE = Application Consulting & Engineering.
Mission: provider of security and performance services, both internally and externally at Microsoft.
In the last 5 years it has delivered:
–3000+ security and performance assessments
–> 50,000 security and performance vulnerabilities documented and fixed
–A strong R&D group in continuous evolution

ACE Team services
Application Security
–Threat Modeling & Design Reviews
–Security Code Reviews
–Security Process Integration
–Security Guidance & Prototype Development
Infrastructure Security
–Technical Compliance Management
Application Performance Tuning
–Performance assessments
Training: Security & Performance

Threat Analysis & Modeling (TAM)

SDL-IT conclusions

Symantec: "With the advent of Vista and the continued use of the Security Development Lifecycle, it is likely that Microsoft-authored code will become more difficult to exploit. As a result, attackers may turn their focus to common third-party applications that are authored by companies that have not employed the Security Development Lifecycle or other secure development practices, and, therefore, may be less secure."
Source: /future_watch_predicting_the_co.html

Simon Roses Femerling, ACE Team - Microsoft Security Technologist
Chema Alonso, Informática 64, Security MVP

References
–MS SDL-IT: http:// mssecbp.mspx
–Application Threat Modeling: http://msdn2.microsoft.com/en-us/security/aa aspx
–MS ACE Team Blog: