Security for Modern Engineering


Information Security & Risk Management

Microsoft IT

Published: 2016

Copyright Information


The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication.
Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft
cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. Microsoft makes no warranties, express or implied, in this document.
© 2016 Microsoft Corporation. All rights reserved.

Contents


1 Acknowledgements

2 Foreword

2.1 Bret Arsenault

2.2 Sue Barsamian

3 Introduction

3.1 Setting the scope

3.2 The SDL is our foundation

3.3 The challenge of modern engineering

3.3.1 The modern engineer

3.3.2 The Microsoft IT model

3.4 Our journey

4 A closer look at the challenges

4.1 DevOps culture

4.2 DevOps and security

4.3 Additional requirements

4.3.1 Continuous assurance

4.3.2 Intelligent automation

5 Our approach

5.1 Knowledge management

5.1.1 CALM board

5.1.2 Technical Control Procedures

5.1.3 Guidance factory

5.2 Automation

5.2.1 Static security analysis

5.2.2 Dynamic security analysis

5.2.3 Runtime detection and prevention

5.3 Implementation

5.3.1 Static analysis

5.3.2 Fortify SCA and intelligent automation

5.3.3 Fortify SCA implementation process

5.3.4 Fortify SCA deployment architecture

5.3.5 Shortfalls and opportunities

5.3.6 VSTS integration

5.3.7 Dynamic analysis

5.3.8 WebInspect deployment architecture

5.3.9 Runtime detection and protection

5.3.10 Automation factory

5.4 Metrics focused on driving the right behavior

5.5 User experience

5.5.2 Taking security to engineers

6 Future of application security

7 Lessons learned

7.1 Partner with engineers

7.2 Focus on the willing

7.3 Be thoughtful about selecting technology

7.4 Build your process first, then focus on tools

7.5 Integrate your tools into the engineers’ world

7.6 Build a relationship with your vendor

7.7 Be mindful of business impact

7.8 Keep up with changing technology

8 Conclusion

9 Appendix A: Resources

9.1.1 SDL

9.1.2 Modern engineering and DevOps



1 Acknowledgements


Authors

Anmol Malhotra


Talhah Mir

Contributors

Aaron Clark

Glenn Leifheit

Jonathan Griggs

Manish Prabhu

Shoham Dasgupta



Reviewers

Andrew Marshall

Brijesh Desai

Bruce Jenkins

Dave Christiansen

Karen Luecking

Michael Howard

Ralph Hood

Rob Polly

2 Foreword

2.1 Bret Arsenault


Corporate Vice President and

Chief Information Security Officer

Microsoft

The pace at which business is moving today requires that technology be more agile, to keep up with the rapidly evolving needs of companies and organizations around the world. Technology companies need to ensure that security is keeping pace with the speed of software, and address the security gaps created by moving to agile workflows. While security has always been a primary focus for us at Microsoft, today’s threat landscape demands that we adapt the way we address security as a business. We work constantly to ensure that security is top-of-mind for everyone at the company. It’s clear that to build a strong security posture, we must engage everyone from our engineering teams all the way through to our senior leadership.

Facing new pressures, modern engineering teams are leading the transformation to agile development and are delivering what customers need, as they need it. With an agile methodology, Microsoft IT provides the flexibility and speed with which solutions are released in as short a time as operationally feasible. To properly land the value of these accelerated development cycles, companies need to ensure that they have the right security processes and automated tools in place to address new risk exposure that is created by a high-speed development environment. Importantly, leadership must also make sure we are creating a security culture and driving the right behavior with engineers, enabling them to succeed, while delivering the best possible products to our customers.

Microsoft’s Information Security and Risk Management team (ISRM) has been fortunate to partner closely with Hewlett Packard Enterprise (HPE) to accelerate some of our emerging modern engineering security plans. Using HPE Fortify SCA to conduct static security analysis of our applications, and HPE WebInspect for dynamic web application security testing, we are taking the right steps to protect our development environment effectively and efficiently, as we stay agile for business success.
