security & scaling at microsoft

Post on 28-Jan-2015


DESCRIPTION

Eric Mittelette and Stanislas Quastana share stories of Microsoft security and scalability lessons learned at FailCon France 2012.

TRANSCRIPT

Security & Software Disasters & changing perception

Eric Mittelette & Stanislas Quastana | Microsoft

Do you remember those dark days?

May 4th 2000

July 13th 2001

September 28th 2001

January 25th 2003

August 13th 2003

As Microsoft employees we do

15 minutes before SQL Slammer infection

SQL Slammer (aka Sapphire) infection

Blaster (aka LOVE YOU SAN)

Why did we fail?

Reason 1: features, features, features…

Reason 2: security was not in developers' DNA

Reason 3: everything was installed and started by default

Ex: IIS Web Server

Which response?

“Computing is already an important part of many people’s lives. Within ten years, it will be an integral and indispensable part of almost everything we do. Microsoft and the computer industry will only succeed in that world if CIOs, consumers and everyone else sees that Microsoft has created a platform for Trustworthy Computing”

“We have done a great job of having teams work around the clock to deliver security fixes for any problems that arise.

Our responsiveness has been unmatched – but as an industry leader we can and must do better”

“Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers’ view of us as a company”

“So now, when we face a choice between adding features and resolving security issues, we need to choose security”

So what did we do?

Stop all development: the first time in our history

Every Microsoft developer: back to school! Mandatory annual security training

Dear developers

Few security bugs in your code = more money in your pocket

SDLC is Microsoft's security audit and expertise, distilled and published as a methodology

Security Team created

Final Security Review mandatory

Did it work?

First results

Helping IT customers in their job

As you can see, we did a lot of things

But…

“Security is a journey, not a destination”

10 years later

Is it better?

“Security is a journey, not a destination”

Sometimes it’s better to be the first…

Security is an industry problem, not a single company's issue

Really?

Same feature, but 10 years later

“Security is a journey, not a destination”

Thank you

@EricMitt & @SQuastana