Microsoft Security Development Lifecycle (SDL)
- Slides: 36
Microsoft Security Development Lifecycle (SDL): What, How and Why. Ivan Medvedev, Senior Development Lead, Microsoft. (Title graphic shows the lifecycle from Conception to Release.)
September 2003: the Blaster worm. Two lines of code in RPCSS:

```c
/* copy the server name until the next backslash, with no bound on the destination */
while (*pwszTemp != L'\\')
    *pwszServerName++ = *pwszTemp++;
```

led to more than 1,500,000 infected computers and 3,370,000 support calls in Sep 03 (a typical virus generates about 350,000), plus plenty of negative press: "This [is] going to raise the level of frustration to the point where a lot of organizations will seriously contemplate alternatives to Microsoft" (Gartner); "There's definitely caution warranted here. [Microsoft's security] efforts were sincere, but I am not sure if they were sincere enough." (Forrester); Der Spiegel.
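The loop quoted on the slide beside a bounded form, as an added example (not code from the deck or from RPCSS); the 32-wchar_t destination size and the UNC-path wrapper are assumptions made for the illustration:

```c
#include <stdbool.h>
#include <stddef.h>
#include <wchar.h>

/* Assumed destination size (in wchar_t); the real buffer size is not stated on the slide. */
#define SERVER_NAME_MAX 32

/* The two lines quoted on the slide: copy characters until a backslash.
 * Nothing bounds the copy by the destination size, and nothing stops at the
 * end of the string, so a name longer than the buffer runs past its end. */
void get_server_name_unbounded(const wchar_t *pwszTemp, wchar_t *pwszServerName)
{
    while (*pwszTemp != L'\\')
        *pwszServerName++ = *pwszTemp++;
    *pwszServerName = L'\0';
}

/* Hardened form: the copy stops at a backslash, at the end of the input, or
 * when the destination is full. An over-long name is rejected rather than
 * silently truncated, so the caller can fail the request. Returns true on success. */
bool get_server_name_bounded(const wchar_t *pwszTemp, wchar_t *pwszServerName,
                             size_t cchServerName)
{
    size_t n = 0;
    if (cchServerName == 0)
        return false;
    while (*pwszTemp != L'\\' && *pwszTemp != L'\0') {
        if (n + 1 >= cchServerName)      /* keep one slot for the terminator */
            return false;
        pwszServerName[n++] = *pwszTemp++;
    }
    pwszServerName[n] = L'\0';
    return true;
}

/* Hypothetical wrapper: extracts the server part of a UNC path ("\\server\share")
 * using the bounded copy. Input without the leading "\\" prefix is rejected. */
bool server_name_from_unc(const wchar_t *pwszPath, wchar_t *pwszServerName,
                          size_t cchServerName)
{
    if (pwszPath[0] != L'\\' || pwszPath[1] != L'\\')
        return false;
    return get_server_name_bounded(pwszPath + 2, pwszServerName, cchServerName);
}
```

On a well-formed path both versions return the same name, which is why the defect was easy to miss; only the bounded version survives a name longer than the buffer.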
Example: XSS. `/location=<script>document.images[4].src="http://www.badsite.com/news.jpg"</script>`
Results of the Microsoft SDL
Visible improvements at Microsoft. Microsoft's share of published vulnerabilities (chart values 4.2%, 3.7%, 2.5% over the periods labelled H1 07, 2007 and H1 08; two bars marked #1). Source: IBM X-Force 2007, 2008 Security Report. "Why try to chase a difficult overflow out of Vista when you have Acrobat Reader installed, some antivirus software with shoddy file parsing, and the latest iTunes?" Halvar Flake, Security Researcher, Microsoft BlueHat Conference, September 2007.
Microsoft SDL and SQL Server. Number of vulnerabilities in the first 36 months, before SDL vs. after SDL: 91% fewer vulnerabilities. Source: Analysis by Jeff Jones (Microsoft TechNet security blog).
Microsoft SDL and Windows. Number of vulnerabilities one year after release, before SDL vs. after SDL: 45% fewer vulnerabilities. Source: Windows Vista One Year Vulnerability Report, Microsoft Security Blog, 23 Jan 2008.
Security Development Lifecycle results. "Microsoft has significantly improved the security of its shipping products since the adoption of its security development life cycle. The first OS product to ship since Microsoft adopted its SDL was Windows Server 2003 (with IIS 6). Windows 2003 has had sufficient operational testing to be suitable for security-critical applications." Neil MacDonald, Group Vice President and Research Director, Gartner, Inc. (from Gartner Symposium, May 2005).
Evolution of the SDL (timeline 2002 to 2009).
SDL @ Microsoft: TwC memo; security push for major products; SDL v.1 (SDL mandatory for all packaged SW with meaningful risk); SDL v.2; SDL v.3, v.4 (privacy requirements; online services requirements).
SDL for the ecosystem: SDL whitepaper; SDL process guidance; privacy guidelines; SDL book; SDL Optimization model; SDL Pro network; SDL threat modeling tool.
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.