Security for Modern Engineering Information Security & Risk Management
Download 132.18 Kb.
|
- Navigate this page:
- 1Acknowledgements
- 2Forward
Copyright Information The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This white paper is for informational purposes only. Microsoft makes no warranties, express or implied, in this document. © 2016 Microsoft Corporation. All rights reserved. Contents
1Acknowledgements 4 2Forward 5 2.1Bret Arsenault 5 2.2Sue Barsamian 6
3.1Setting the scope 6 3.2The SDL is our foundation 7 3.3The challenge of modern engineering 7 3.3.1The modern engineer 7 3.3.2The Microsoft IT model 7 3.4Our journey 8
4.1DevOps culture 8 4.2DevOps and security 9 4.3Additional requirements 10 4.3.1Continuous assurance 10 4.3.2Intelligent automation 10 5Our approach 11 5.1Knowledge management 11 5.1.1CALM board 11 5.1.2Technical Control Procedures 12 5.1.3Guidance factory 14 5.2Automation 15 5.2.1Static security analysis 15 5.2.2Dynamic security analysis 16 5.2.3Runtime detection and prevention 16 5.3Implementation 17 5.3.1Static analysis 17 5.3.2Fortify SCA and intelligent automation 18 5.3.3Fortify SCA implementation process 18 5.3.4Fortify SCA deployment architecture 19 5.3.5Shortfalls and opportunities 19 5.3.6VSTS integration 20 5.3.7Dynamic analysis 21 5.3.8WebInspect deployment architecture 22 5.3.9Runtime detection and protection 23 5.3.10 Automation factory 25 5.4Metrics focused on driving the right behavior 26 5.5User experience 30 5.5.2Taking security to engineers 31
7.1Partner with engineers 33 7.2Focus on the willing 33 7.3Be thoughtful about selecting technology 33 7.4Build your process first, then focus on tools 34 7.5Integrate your tools into the engineers’ world 34 7.6Build a relationship with your vendor 34 7.7Be mindful of business impact 34 7.8Keep up with changing technology 35
9.1.1SDL 36 9.1.2Modern engineering and DevOps 36
1AcknowledgementsAuthors Anmol Malhotra Talhah Mir Contributors Aaron Clark Glenn Leifheit Jonathan Griggs Manish Prabhu Shoham Dasgupta Reviewers Andrew Marshall Brijesh Desai Bruce Jenkins Dave Christiansen Karen Luecking Michael Howard Ralph Hood Rob Polly
2.1Bret Arsenault Corporate Vice President and
Chief Information Security Officer Microsoft The pace at which business is moving today requires that technology be more agile, to keep up with the rapidly evolving needs of companies and organizations around the world. Technology companies need to ensure that security is keeping pace with the speed of software, and address the security gaps created by moving to agile workflows. While security has always been a primary focus for us at Microsoft, today’s threat landscape demands that we adapt the way we address security as a business. We work constantly to ensure that security is top-of-mind for everyone at the company. It’s clear that to build a strong security posture, we must engage everyone from our engineering teams all the way through to our senior leadership. Facing new pressures, modern engineering teams are leading the transformation to agile development and are delivering what customers need, as they need it. With an agile methodology, Microsoft IT provides the flexibility and speed with which solutions are released in as short a time as operationally feasible. To properly land the value of these accelerated development cycles, companies need to ensure that they have the right security processes and automated tools in-place to address new risk exposure that is created by a high-speed development environment. Importantly, leadership must also make sure we are creating a security culture and driving the right behavior with engineers - enabling them to succeed, while delivering the best possible products to our customers. Microsoft’s Information Security and Risk Management team (ISRM) has been fortunate to partner closely with Hewlett Packard Enterprise (HPE) to accelerate some of our emerging modern engineering security plans. Using HPE Fortify SCA to conduct static security analysis of our applications, and HPE WebInspect for dynamic web application security testing, we are taking the right steps to protect our development environment effectively and efficiently, as we stay agile for business success.
Directory: download download -> Performance Tuning Guidelines for Windows Server 2008 May 20, 2009 Abstract download -> Northern England’s set-jetting locations download -> Bbc archives: Beyond the programme download download -> Occupational health and safety download -> Dynatest 3031 lwd light Weight Deflectometer download -> Forth coming competitive exams download -> English Olympiad Tasks: 10 th form Аудіювання, 10 клас. Текст download -> Brush High School Morning Announcements Friday, September 05, 2014 all school download -> Year 9 The Arts — Music download -> Years 7 and 8 standard elaborations — Australian Curriculum: Music draft Download 132.18 Kb. Share with your friends:
|