
Keynote: Frank Fischer, Manager Technology Consultant, Microsoft Deutschland GmbH

Keynote with Thomas Caspers, Bundesamt für Sicherheit in der Informationstechnik (BSI), and Frank Fischer, Manager Technology Consultant, Microsoft Deutschland GmbH (Frank.Fischer@microsoft.com).


Presentation Transcript


  1. Keynote. Frank Fischer, Manager Technology Consultant, Microsoft Deutschland GmbH

  2. Keynote. Thomas Caspers, Bundesamt für Sicherheit in der Informationstechnik. Frank Fischer, Manager Technology Consultant, Microsoft Deutschland GmbH, Frank.Fischer@microsoft.com

  3. http://www.thedailywtf.com/forums/65974/ShowPost.aspx

  4. Agenda • Security: where do we stand today? • From the German perspective: Thomas Caspers, Bundesamt für Sicherheit in der Informationstechnik • From Microsoft's perspective: today and tomorrow

  5. Examples: • Phishing • SQL injection • Buffer overflow • Sniffing • "Ping of Death" • … What is at stake? Everything: communication, users, applications, application platforms, hardware.

  6. Der Spiegel. Two lines of code… (Blaster) • Two lines of C code in RPCSS (see the talk by Dirk Primbs) • led to… • >1,500,000 infected machines (ouch!) • >3,300,000 support calls in September 2003 (for comparison: a "normal" virus leads to about 350,000) • a lot of negative press • "This [is] going to raise the level of frustration to the point where a lot of organizations will seriously contemplate alternatives to Microsoft." Gartner • "There's definitely caution warranted here. [Microsoft's security] efforts were sincere, but I am not sure if they were sincere enough." Forrester

  7. SANS NewsBites Vol3/19 (2001) Steve Ballmer, Microsoft's CEO, walked into a meeting with a dozen customers a few days ago and said disgustedly, "You would think we could figure out how to fix buffer overflows by now." … Steve is right about buffer overflows. Enough is enough. It is time to bring accountability to the programming profession. We hope that Microsoft will take the lead, guaranteeing all its internal programmers get basic secure programming skills training and that the company helps train developers outside of Microsoft. … Programmers have been taught simple tests to avoid buffer overflows at least since 1960. Some of them have forgotten the basics. It's time to give them a reason to remember.
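Slides 6 and 7 refer to the Blaster-class bug (a fixed buffer filled from a length a remote sender controls) and to the "simple tests" that prevent it. The following is an added illustration, not code from the talk or from RPCSS: the message layout (one length byte, then that many name bytes) is constructed for the example, and the two bounds checks in `extract_name` are the tests in question.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define NAME_BUF 16   /* fixed-size destination, the shape of the classic bug */
enum name_status { NAME_OK = 0, NAME_MSG_TRUNCATED = 1, NAME_TOO_LONG = 2 };

/* Constructed, hypothetical message layout: one length byte, then that many
 * name bytes.  This is not the RPCSS/DCOM wire format; it only models the bug
 * class.  The two bounds checks are the "simple tests": the declared length
 * must fit in what was actually received, and it must leave room for the
 * terminating NUL in dst.  Without them memcpy writes past dst. */
enum name_status extract_name(char *dst, size_t dst_size,
                              const uint8_t *msg, size_t msg_len)
{
    if (dst_size == 0 || msg_len < 1)
        return NAME_MSG_TRUNCATED;
    size_t declared = msg[0];
    if (declared > msg_len - 1)   /* claims more bytes than were received */
        return NAME_MSG_TRUNCATED;
    if (declared >= dst_size)     /* would overflow dst or leave no room for NUL */
        return NAME_TOO_LONG;
    memcpy(dst, msg + 1, declared);
    dst[declared] = '\0';
    return NAME_OK;
}
/* Well-formed constructed message: returns 1 if "server01" comes out intact. */
int demo_valid_message(void)
{
    static const uint8_t msg[] = {8, 's','e','r','v','e','r','0','1'};
    char name[NAME_BUF];
    return extract_name(name, sizeof name, msg, sizeof msg) == NAME_OK
        && strcmp(name, "server01") == 0;
}
/* Length byte claims 200 bytes and the message really is that long: must be
 * rejected as NAME_TOO_LONG instead of writing 200 bytes into a 16-byte buffer. */
int demo_oversized_name(void)
{
    static const uint8_t msg[201] = {200};   /* remaining bytes are zero */
    char name[NAME_BUF];
    return extract_name(name, sizeof name, msg, sizeof msg);
}
/* Length byte claims 8 bytes but only 3 follow: must be NAME_MSG_TRUNCATED. */
int demo_truncated_message(void)
{
    static const uint8_t msg[] = {8, 'a', 'b', 'c'};
    char name[NAME_BUF];
    return extract_name(name, sizeof name, msg, sizeof msg);
}
```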

  8. What one should be allowed to expect from Microsoft… Borrowed from Dr. Jürjens, TU München

  9. There once was an e-mail…

  10. …the idea…

  11. A few simple ground rules: SD3 + Communications
     • Secure by Design: secure architecture, threat modeling, improving code quality
     • Secure by Default: reduce the attack surface, turn off unused features, pay attention to minimal privileges
     • Secure in Deployment: protect, detect, defend, recover, manage; process: how-tos and architecture guidelines; people: training
     • Communications: clear statements on security, excellent documentation, Microsoft Security Response Center

  12. Progress?? 42 13 365

  13. Visual Studio 2005 Team System (diagram)
     • Visual Studio Team Architect: logical infrastructure modeling, deployment modeling, application modeling, class modeling; Visio and UML modeling; Visual Studio Modeler…
     • Visual Studio Team Developer: code profiler, static code analyzer, dynamic code analyzer, unit testing, code coverage
     • Visual Studio Team Test: load testing, manual testing, test case management
     • Visual Studio Team Foundation: integration services, project management, project site, reporting, work item tracking, change management, process and architecture guidance; Team Foundation Client
     • Visual Studio 2005 Professional; Visual Studio Industry Partners

  14. In the future… • Towards the end user: Project Strider (MS Research) http://research.microsoft.com/csm/ • Towards tools: Project Gleipnir http://research.microsoft.com/research/sv/Gleipnir/ • Towards malware defense: Project Shield http://research.microsoft.com/research/shield/ • …

  15. Practical example: SDL and MSN. "Build it" → Deploy → "Run it"

  16. Stage • Involve the operations team • Work through the documented release process • Physically and logically separated from the live system • No live data • "Deny everything that is not explicitly allowed" (Stage → Deploy → Manage)

  17. Deploy • Code integrity is monitored • The platform's security requirements are implemented • Strict adherence to the process requirements • Complete inventory

  18. Manage • Tools • Remote administration • System monitoring • Support • Incident Response Center • Patch management • Least privilege

  19. Reading material

  20. What comes next…

  21. Your potential. Our drive.
