Copyright Information
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. Microsoft makes no warranties, express or implied, in this document.
© 2016 Microsoft Corporation. All rights reserved.
Contents
1 Acknowledgements
2 Foreword
2.1 Bret Arsenault
2.2 Sue Barsamian
3 Introduction
3.1 Setting the scope
3.2 The SDL is our foundation
3.3 The challenge of modern engineering
3.3.1 The modern engineer
3.3.2 The Microsoft IT model
3.4 Our journey
4 A closer look at the challenges
4.1 DevOps culture
4.2 DevOps and security
4.3 Additional requirements
4.3.1 Continuous assurance
4.3.2 Intelligent automation
5 Our approach
5.1 Knowledge management
5.1.1 CALM board
5.1.2 Technical Control Procedures
5.1.3 Guidance factory
5.2 Automation
5.2.1 Static security analysis
5.2.2 Dynamic security analysis
5.2.3 Runtime detection and prevention
5.3 Implementation
5.3.1 Static analysis
5.3.2 Fortify SCA and intelligent automation
5.3.3 Fortify SCA implementation process
5.3.4 Fortify SCA deployment architecture
5.3.5 Shortfalls and opportunities
5.3.6 VSTS integration
5.3.7 Dynamic analysis
5.3.8 WebInspect deployment architecture
5.3.9 Runtime detection and protection
5.3.10 Automation factory
5.4 Metrics focused on driving the right behavior
5.5 User experience
5.5.2 Taking security to engineers
6 Future of application security
7 Lessons learned
7.1 Partner with engineers
7.2 Focus on the willing
7.3 Be thoughtful about selecting technology
7.4 Build your process first, then focus on tools
7.5 Integrate your tools into the engineers’ world
7.6 Build a relationship with your vendor
7.7 Be mindful of business impact
7.8 Keep up with changing technology
8 Conclusion
9 Appendix A: Resources
9.1.1 SDL
9.1.2 Modern engineering and DevOps
1 Acknowledgements
Authors
Anmol Malhotra
Talhah Mir
Contributors
Aaron Clark
Glenn Leifheit
Jonathan Griggs
Manish Prabhu
Shoham Dasgupta
Reviewers
Andrew Marshall
Brijesh Desai
Bruce Jenkins
Dave Christiansen
Karen Luecking
Michael Howard
Ralph Hood
Rob Polly
2 Foreword
2.1 Bret Arsenault
Corporate Vice President and
Chief Information Security Officer
Microsoft
The pace at which business is moving today requires that technology be more agile, to keep up with the rapidly evolving needs of companies and organizations around the world. Technology companies need to ensure that security is keeping pace with the speed of software, and address the security gaps created by moving to agile workflows. While security has always been a primary focus for us at Microsoft, today’s threat landscape demands that we adapt the way we address security as a business. We work constantly to ensure that security is top-of-mind for everyone at the company. It’s clear that to build a strong security posture, we must engage everyone from our engineering teams all the way through to our senior leadership.
Facing new pressures, modern engineering teams are leading the transformation to agile development and are delivering what customers need, as they need it. With an agile methodology, Microsoft IT provides the flexibility and speed with which solutions are released in as short a time as operationally feasible. To properly land the value of these accelerated development cycles, companies need to ensure that they have the right security processes and automated tools in place to address the new risk exposure that is created by a high-speed development environment. Importantly, leadership must also make sure we are creating a security culture and driving the right behavior with engineers, enabling them to succeed while delivering the best possible products to our customers.
Microsoft’s Information Security and Risk Management team (ISRM) has been fortunate to partner closely with Hewlett Packard Enterprise (HPE) to accelerate some of our emerging modern engineering security plans. Using HPE Fortify SCA to conduct static security analysis of our applications, and HPE WebInspect for dynamic web application security testing, we are taking the right steps to protect our development environment effectively and efficiently, as we stay agile for business success.