Thursday, February 23, 2012

Microsoft Security Newsletter – February 2012


NOTE FROM THE EDITOR

Welcome to February's Security Newsletter!

Application security is the theme of this month's newsletter, and no conversation on application security would be complete without discussing the Microsoft Security Development Lifecycle (SDL). The SDL has come a long way since 2004. I recount some of the milestones in an article I recently wrote called "Security Development Lifecycle: A Living Process", and you can view a quick visual recap in the figure below. We also published a video where some of the key folks who worked on the SDL in 2004 discuss the challenges of instituting the SDL at Microsoft.



You can get more information on the process improvements and security science mitigations that can help you develop more secure applications in the SDL Progress Report and accompanying video.

If you work in the financial services industry you'll be interested to know that the Financial Services Roundtable, an organization chartered with finding collaborative solutions to challenges in cybersecurity, fraud reduction, and critical infrastructure protection for its member companies, announced that they have successfully incorporated many of the key elements contained within the Microsoft SDL into the guidance they provide to their member institutions; they have published the BITS Software Assurance Framework.

Lastly, I want to invite you to our first annual Security Development Conference. The Security Development Conference 2012 will be held in Washington D.C., May 15 – 16, 2012. This event will bring together experts from a variety of industries to discuss, share, and learn about key aspects of secure development. Microsoft's Corporate Vice President for Trustworthy Computing, Scott Charney, will kick off the conference with a keynote on Tuesday, May 15th. Early bird pricing is available to those who register before March 15, 2012. I hope to see you at the event!

Best regards,
Tim Rains, Director, Microsoft Trustworthy Computing



February 2012 Edition



IN THIS ISSUE

Top Stories
Security Guidance
Community/MVP Update
Cloud Security Corner
This Month's Security Bulletins
Microsoft Product Lifecycle Information
Security Events and Training
Upcoming Security Webcasts
SECURITY BLOGS

Trustworthy Computing Security/Privacy Blogs
Microsoft Security Blog
MSRC Blog
ACE Team
Windows Security
Forefront Team
Solution Accelerators - Security & Compliance
Security Vulnerability Research & Defense
Security Development Lifecycle (SDL)

TwC Next: Marking a Milestone. Continuing Our Commitment


TOP STORIES

Security Compliance Manager 2.5 Beta Now Available for Download
Quickly configure and manage desktops and your private cloud using Group Policy and System Center Configuration Manager. SCM 2.5 offers long-awaited new product baselines for Exchange Server as well as updated baselines for Windows 7 Service Pack 1 (SP1), Windows Vista Service Pack 2 (SP2), Windows XP Service Pack 3 (SP3), Microsoft Office 2010 SP1, and Internet Explorer 8.

Phishing Financial Institutions and Social Networks
Learn how Microsoft tracks phishing sites and phishing impressions, who phishers are targeting, the global distribution of phishing sites, and how to defend against phishing attacks.

Financial Services Industry Publishes Software Assurance Framework
As noted in Tim's introduction to this month's newsletter, BITS, the technology policy division of The Financial Services Roundtable, has announced the release of its Software Assurance Framework. The framework documents the importance of secure development and provides guidelines that financial services organizations can use to implement these practices more fully. It covers developer education, security built into design through standards and threat modeling, secure coding practices, focused and comprehensive testing, and the implementation and incident response practices that follow release.


Security Tip of the Month: Threat Modeling and Agile Development Practices
By Dan Griffin, Microsoft MVP - Enterprise Security and Tom Jones, Software Architect, JW Secure
Just because an application needs to be developed rapidly doesn't mean that you can't develop it with privacy and security in mind. This article examines how to effectively perform threat modeling for projects that demand rapid development processes.

Simplified Implementation of the Microsoft SDL
Get started with the SDL by downloading this guide, which illustrates the core concepts of the Microsoft SDL and discusses the individual security activities that should be performed in order to follow the SDL process.

Web App Security with the Microsoft Simplified SDL
Get a brief overview of common threat considerations for Web application development and deployment then find out how you can leverage the Microsoft Simplified SDL to help mitigate those threats while achieving the speed and efficiency of cloud computing.

SDL Quick Security References
Better understand and learn how to address common attacks that may be affecting your software, websites, and users.

How to Conduct a Code Review
A properly conducted code review can do more for the security of your application than nearly any other step. Get step-by-step guidance to help you identify the type of bugs that are important for your code and generate a list of bugs found in the code that should be prioritized for eradication.

Securing Your Application Platform
What's the most secure way to store a secret? Read this Microsoft Security Development Lifecycle (SDL) blog post for the answer.

"How Do I" Security Videos for Developers
Find videos that explore a variety of security questions for developers, including encryption, handling attacks, security best practices, and a lot more. New videos are added regularly, so check back often.

Configuration and Utilization of AppLocker
Learn how to specify exactly what is allowed to run on desktops with the AppLocker feature in Windows 7. AppLocker provides the flexibility to allow users to run the applications, installation programs, and scripts they need to be productive. Learn how you can realize the security, operational, and compliance benefits of application standardization by using AppLocker with this short video tutorial.

AppLocker: Frequently Asked Questions
Find answers to common questions about deploying and managing AppLocker. For more details, see the AppLocker Policies Design Guide, AppLocker Policies Deployment Guide, and AppLocker Operations Guide.


Application Security Tip of the Week: How to Prevent SQL Injection in ASP.NET
Explore a number of ways to help protect your ASP.NET application from SQL injection attacks. SQL injection can occur whenever untrusted input ends up in the text of a SQL statement: when the application concatenates input into dynamic SQL, or when a stored procedure it calls builds dynamic SQL from its parameters internally. Calling a stored procedure by itself is not a defense; passing every value as a typed parameter is.
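As an added illustration (this is not code from the newsletter or from the linked MSDN tip), the following ADO.NET snippet shows the string-built query that is open to injection next to its parameterized form, and why calling a stored procedure only helps if the procedure itself does not rebuild SQL from its arguments. The table dbo.Users, the procedure dbo.CountUsers and the connection string are assumptions made for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example; the schema below is hypothetical:
//   CREATE TABLE dbo.Users (UserName nvarchar(64) NOT NULL, PasswordHash varbinary(64) NOT NULL)
public static class UserLookup
{
    // VULNERABLE: the caller's input becomes part of the SQL text.
    // An input of   x' OR '1'='1   turns the WHERE clause into a tautology,
    // and   x'; DROP TABLE dbo.Users; --   appends a second statement.
    public static int CountUsersUnsafe(string connStr, string userName)
    {
        using (var conn = new SqlConnection(connStr))
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "SELECT COUNT(*) FROM dbo.Users WHERE UserName = '" + userName + "'";
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // SAFE: the value is sent as a typed parameter, never spliced into the statement.
    // The same apostrophes and semicolons are just characters inside the value.
    public static int CountUsersSafe(string connStr, string userName)
    {
        using (var conn = new SqlConnection(connStr))
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText = "SELECT COUNT(*) FROM dbo.Users WHERE UserName = @name";
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 64).Value = userName;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // A stored procedure call is only as safe as the procedure body.
    // This hypothetical body is STILL injectable, because it rebuilds SQL text:
    //   CREATE PROCEDURE dbo.CountUsers @name nvarchar(64) AS
    //     EXEC('SELECT COUNT(*) FROM dbo.Users WHERE UserName = ''' + @name + '''')
    // This body is safe, because the value stays a parameter inside T-SQL too:
    //   CREATE PROCEDURE dbo.CountUsers @name nvarchar(64) AS
    //     EXEC sp_executesql
    //       N'SELECT COUNT(*) FROM dbo.Users WHERE UserName = @n',
    //       N'@n nvarchar(64)', @n = @name
    public static int CountUsersViaProc(string connStr, string userName)
    {
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand("dbo.CountUsers", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 64).Value = userName;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }
}
```

Two points are worth checking in a code review of ADO.NET data access: every `CommandText` should be a constant string (no `+` or `String.Format` with request data), and every stored procedure that uses `EXEC(@sql)` should be rewritten around `sp_executesql` with a parameter list, since the client-side parameter only protects the call, not what the procedure does with the value afterwards.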

Looking for more tips like this? Check out previous Application Security Tips of the Week on MSDN.


CLOUD SECURITY CORNER

New Videos from the Cloud Fundamentals Series
Learn about industry collaborations, cloud-based security frameworks, cloud standards programs, and more with the latest videos from the Trustworthy Computing Cloud Fundamentals Series:
  • Cloud Security Alliance with Jim Reavis – Explore the scope and impact of industry collaboration on security and privacy topics with Jim Reavis, Founder and Executive Director of the Cloud Security Alliance.
  • Security Standards Evaluation – Learn why cloud-based security frameworks such as the Cloud Security Alliance's Cloud Controls Matrix (CCM) and Consensus Assessments Initiative (CAI) may be good first steps.
  • Security, Trust and Assurance Registry (STAR) Participation – Find out more about the benefits of participating in cloud standards programs such as the Cloud Security Alliance's STAR program.
  • A Look at E-Discovery – Watch as Kevin Allison, General Manager of Microsoft Office 365, takes a look at an effective way to conduct e-discovery, and considerations that should be addressed.


THIS MONTH'S SECURITY BULLETINS

Security Bulletin Overview for February 2012
The Critical and Important bulletins released this month are listed in the overview.
SECURITY PROGRAM GUIDE

Microsoft SDL - Developer Starter Kit
Security Awareness Materials
ADDITIONAL SECURITY RESOURCES

Security Help and Support for IT Professionals
TechNet Troubleshooting and Support Page
Microsoft Security Glossary
TechNet Security Center
MSDN Security Developer Center
Sign-Up for the Microsoft Security Notification Service
Security Bulletin Search Page
Microsoft Security Center
Home Users: Protect Your PC
MCSE/MCSA: Security Certifications
Subscribe to TechNet
Register for TechNet Flash IT Newsletter

MICROSOFT PRODUCT LIFECYCLE INFORMATION

Windows XP End of Support: April 8, 2014
On April 8, 2014, security patches and hotfixes for all versions of Windows XP will no longer be available. After that date, newly discovered vulnerabilities in Windows XP will not be fixed, so PCs still running it will remain permanently exposed to any exploit that targets them. In addition, many third-party software providers are not planning to extend support for their applications running on Windows XP, which translates to even more complexity, risk, and ultimately added management cost for your IT department if you are still managing Windows XP environments. Explore your options with this blog post from the Springboard Series and download the Windows XP End Of Support Countdown Gadget to help remind you about this important milestone.

Find information about your particular products on the Microsoft Product Lifecycle Web site.

SECURITY EVENTS AND TRAINING

Security Development Conference 2012

May 15-16, 2012 – Washington, D.C.
Register today for the inaugural Security Development Conference 2012 (SDC 2012). Hosted by Microsoft, this event will bring together professionals from a variety of organizations to learn from security experts, build networks, and learn how to evolve their own SDL principles into practices. SDC 2012 will include information for leaders in security engineering, business decision makers, and management who are responsible for accelerating the adoption and effectiveness of SDL practices within their own organizations.

Microsoft SDL Core Training Classes
Download the content offered in Microsoft's four core SDL training classes, now available for public use:
  • Introduction to the Microsoft SDL
  • Introduction to Microsoft Threat Modeling
  • Basics of Secure Design, Development, and Test
  • Privacy for Software Development

SDL Lifecycle Developer Starter Kit
The SDL Developer Starter Kit offers 14 content modules (with speaker notes, presenter guides, and sample comprehension questions) plus eight MSDN virtual labs with lab manuals, all created to help you build a customized SDL training program for your development teams.

Writing Secure Code: Books for Developers
There are many good security books available for developers on writing secure code. Check out this one-page guide to some of the best titles and essential books you should review in order to build truly secure applications.

Microsoft Forefront Threat Management Gateway (TMG) Administrator's Companion
Get your Web security, network perimeter security, and application layer security gateway up and running smoothly. This single-volume reference details the features and capabilities of Microsoft Forefront TMG and provides the real-world insights, implementation and configuration best practices, and management practices you need for on-the-job results.


UPCOMING SECURITY WEBCASTS

For IT Professionals
For Decision Makers
Now on Demand

This is a monthly newsletter for IT professionals and developers—bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.

© 2012 Microsoft Corporation. All rights reserved. Microsoft, MSDN, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Microsoft respects your privacy. To learn more please read our online Privacy Statement.

If you would prefer to no longer receive this newsletter, please click here.
To set your contact preferences for other Microsoft communications click here.

Microsoft Corporation
One Microsoft Way
Redmond, WA 98052 USA


