Security for Modern Engineering Information Security & Risk Management
Download 132.18 Kb.
|
- Navigate this page:
- 3Introduction
- 3.2The SDL is our foundation
- 3.3The challenge of modern engineering
- 3.3.1The modern engineer
- 3.3.2The Microsoft IT model
2.2Sue BarsamianSenior Vice President and General Manager, Security Products Hewlett Packard Enterprise The rapid growth of the app economy and the increasing pressure to innovate has put the software developer in the driver’s seat in modern IT. Developers are now deeply involved in every part of the software development lifecycle as the boundaries between software and hardware continue to blur and infrastructure moves to the cloud. Developers are now responsible for driving innovation and keeping up with the increasing need for a faster time-to-market. This notion has challenged the traditional development lifecycle, pushing for more agile processes and greater collaboration across development, QA, security, and operations. Securing the software development process has never been easy, but in the midst of such seismic shifts in software development, application security is more challenging than ever. 
In this faster-paced new development lifecycle, security organizations must adapt to becoming a natural part of the development process or they risk getting in the way. Even worse, they could be left behind as applications become more complex and more vulnerable than ever. The Microsoft ISRM team has taken a unique and aggressive approach to this challenge by partnering with development organizations to build security into the process while staying true to the discipline of the acclaimed Microsoft Security Development Lifecycle (SDL). By teaming with us in HPE Security Fortify, Microsoft has enabled effective, unobtrusive application security automation at scale that provably secures their applications and saves time and money during development. We are excited to share the experience and lessons learned by bringing together the world’s largest software company and the leading application security solution. Together we have built a world class Application Security program that could provide a model for helping you secure the applications that run your business. 3Introduction3.1Setting the scopeMicrosoft’s ISRM organization, which is part of Microsoft IT, has a mission to ensure that all of the company's information and services are protected, secured, and available for appropriate use through innovation and a robust risk management framework. Microsoft is committed to building and implementing best-in-class security programs and processes and is constantly working to reduce exposure to cybersecurity risks. ISRM supports Microsoft’s overall security mission by providing key security services that help to protect Microsoft’s corporate systems, services, data, and users. The service lines through which we deliver these services include risk management, threat and vulnerability management, identity and access management, security and incident management, and security monitoring. Across Microsoft IT and throughout the company, the ISRM team is continuously evolving the security strategy and taking actions to protect key assets and the data for our organization. One primary focus for the team is to protect line-of-business (LOB) applications for Microsoft IT. ISRM drives the SDL for IT applications.
For more detailed resources related to the SDL model, including books and websites, see Appendix A. The SDL defines the standards and best practices for providing security and privacy for new and existing LOB applications currently under development or being planned for development. IT LOB applications are a set of applications that are vital to running an enterprise organization including accounting, legal, finance, human resources, payroll, supply chain management, and resource planning applications, among others.
Just as the SDL is agnostic to any specific development methodology, practice, or tool, the concepts in this showcase whitepaper apply to this modern engineering world, broadly speaking. Our goal is to empower modern engineers with a set of tools, guidance, and processes to empower them to write, deliver, and maintain more secure applications and services. 3.3.2The Microsoft IT modelMicrosoft IT has been on a journey to adopt a modern engineering model. Because business customers are demanding faster and faster turnaround on solutions and feature requests, gone are the days when a business waited for a quarter or longer for new features, solutions, or bugs fixed in their applications. To respond to this growing need for efficiency and quicker delivery, Microsoft IT has been transitioning to a modern engineering model. This transition includes merging development and operations roles (DevOps) and using agile development principles, practices, and tools to shorten release cycles. With an agile methodology, Microsoft IT provides the flexibility and speed with which solutions are released in as short a time as operationally feasible. Agile teams are receiving faster customer feedback though an iterative design and feature approach, and mature agile teams often release every day or even multiple times a day. While this is great for business enablement, this poses a huge challenge for security in terms of how to effectively and efficiently drive security and privacy in these CI/CD scenarios. For example, consider a security process that takes two weeks to complete sign off on a release. This model plainly fails when applied to an agile application which may take, for example, a single week to ideate, create, and be ready for release. Additionally, the more traditional security approach – to review every application release – worked well when release cycles spanned months, but this approach is highly inefficient against modern engineering practices where schedules are much more condensed. Given the ubiquity of customer data and critical data, security and privacy are of utmost importance to consumers. For example, would you feel comfortable using a banking application on your mobile phone if security and privacy aspects were overlooked by the engineers? Security can be friction, but it can’t be completely ignored either. So, this is our challenge: “How can we make security low friction (efficient) while maintaining its effectiveness in this new world of modern engineering?” This challenge demands that the security culture and approach are modernized and adapted for shorter release cycles and sprints. Security teams must support decentralized security processes, but they must also drive greater automation and move beyond point-in-time assessment practices. Under these modern engineering challenges, they need to adopt a solution that can scale and that can provide continuous assurance. Directory: download download -> Performance Tuning Guidelines for Windows Server 2008 May 20, 2009 Abstract download -> Northern England’s set-jetting locations download -> Bbc archives: Beyond the programme download download -> Occupational health and safety download -> Dynatest 3031 lwd light Weight Deflectometer download -> Forth coming competitive exams download -> English Olympiad Tasks: 10 th form Аудіювання, 10 клас. Текст download -> Brush High School Morning Announcements Friday, September 05, 2014 all school download -> Year 9 The Arts — Music download -> Years 7 and 8 standard elaborations — Australian Curriculum: Music draft Download 132.18 Kb. Share with your friends:
|