| | | | Trustworthy Computing | March 2014 |  | | Microsoft Security Newsletter | | | | | | | | | | Welcome to March’s Security Newsletter! | Our newsletter this month focuses on the importance of demanding secure software from your software or services providers. With the explosion of technology over the past decade, I frequently come across applications that are rushed to market with little thought given to security. Software providers are eager to make a quick return on their investment and may not recognize the long term consequences it can have to their reputation in the event that one of their customers is compromised by malware or cyber attacks. The potential impact can be even more significant if their software becomes widely adopted. Microsoft learned this lesson early on during the days of malware threats like Code Red. The Microsoft Security Development Lifecycle (SDL) was born from these lessons. The SDL is designed to reduce the number and severity of vulnerabilities in software and is a mandatory process through which all Microsoft products and services must pass. You can learn more about the evolution of the SDL in the never-before-told story, " Life in the Digital Crosshairs."
Because of its effectiveness, Microsoft has made the SDL process available for free to the public so that software developers both large and small can benefit from security development best practices. Whether you’re developing an application for a smartphone, tablet, PC, or other computing device, you can apply SDL principles to improve that application's state of security. Learn more about the benefits of incorporating the SDL into your development process in our SDL Chronicles.
In this fast moving technology market, providers are developing applications based on customer demand or priority which is why demanding secure software starts with you. Ask your software provider if they are using a security development process. If not, you should think twice about the security of that software. Don’t let security be an afterthought and potentially expose your organization to increased risks from malware and other threats.
 | | Best regards,
Tim Rains, Director
Microsoft Trustworthy Computing |
Have feedback on how we can improve this newsletter? Email us at secnlfb@microsoft.com and share your ideas. | | |  | | Top Stories |  |  | | | | Cyber Threats to Windows XP and Guidance for Small Businesses and Consumers
It’s been well publicized that on April 8th, 2014 Microsoft discontinues product support for Windows XP. While many organizations have recently finished, or are in the process of finishing, the migration to Windows 7 or Windows 8, others have no plans to update their Windows XP systems. Get insight on the specific threats to Windows XP-based systems that attackers may attempt after end of support to better understand the risks involved with remaining on Windows XP, and benefits of immediately upgrading to a more secure version of Windows, or accelerate existing plans to do so.
Threat Modeling a Retail Environment
In the wake of high profile attacks on organizations in the retail industry, Microsoft cybersecurity and retail experts have teamed up to provide guidance that identifies some of the unique threats and challenges faced by companies in the retail industry, and suggests some appropriate mitigations.
When ASLR Makes the Difference
Explore the importance of enabling Address Space Layout Randomization mitigation (ASLR) in modern software, and see how it can be used to mitigate two real exploits seen in the world today.
| | | | | Security Guidance | | | | | | Security Tip of the Month: Increase Your Microsoft SDL I.Q.
Ken Malcolmson, Group Manager, Microsoft Trustworthy Computing
This year is the tenth anniversary of the creation of Microsoft’s Security Development Lifecycle. Over the last decade the technology-agnostic SDL has been refined and improved based on real-world feedback, made available free of charge for anyone to adapt and adopt in their own environment, and most recently been declared to meet or exceed the guidance published in ISO/IEC 27034-1, the first international standard to address secure software development requirements.
The free SDL guidance, tools and resources have been downloaded more than a million times and adopted by organizations large and small around the world. In today’s landscape, where concerns over supply chain security, protecting customer data and personally identifiable information, and defending against malicious attackers are keeping IT professionals and managers awake at night, the SDL offers a flexible and adaptable secure development framework that can be introduced into any development environment. As a result, here are 10 of the top resources that can help you better understand and utilize the SDL in your organization.
Microsoft SDL Tools
Get to know the many free tools that will help you perform SDL security activities. Watch a short overview of the Microsoft SDL toolset then learn how to use some of the tools included in the toolset with these short demos:
Getting Started with the SDL Threat Modeling Tool
Get step-by-step guidance on how to start the thread modeling process using the SDL Threat Modeling Tool, keep track of progress using the tool’s reporting features, and think about the thread modeling process overall.
Using the SDL for LOB Windows Store Apps
Learn how to build security into your Windows Store app development project from the beginning by using the SDL to complete a risk assessment and define the security/privacy requirements for your app. Ready to build your app using SDL principles? Check out Using the SDL for a LOB Windows 8 App, Part 2 for practical guidance on developing an attack surface analysis and an attack surface reduction, and performing a software architectural risk analysis (more commonly known at Microsoft as a threat model).
Applying the SDL to Windows Azure
Find guidance to help you better understand the role that the SDL plays in producing secure and high quality code as well as moving an application "to the cloud" in a secure manner.
Microsoft SDL Forum
Whether you are new to the SDL, or an experienced user, find support for common issues encountered when implementing the SDL or get help with a new issue from a community of secure development experts.
| | | | | This Month's Security Bulletins | | | | | | March 2014 Security Bulletins
| | | March 2014 Security Bulletin Resources:
| | | | | Security Events and Training | | | | | | MSDN Webcast: Microsoft SDL and Mobile Security (Level 300)
Learn how to apply Microsoft SDL practices to mobile application development, specifically the requirements, design, and verification phases. Explore security requirements and approved tools as well as basic mobile threat modeling, secure coding practices, and penetration testing (pentesting) mobile applications for Android and iOS. The presentation also briefly outlines some defensive coding techniques to protect against the weaknesses that are caused by common development pitfalls.
Microsoft Webcast: Information about the April 2014 Security Bulletin Release
Wednesday, April 9, 2014 – 11:00AM Pacific Time
Join this webcast for a brief overview of the technical details of April’s Microsoft security bulletins. Ask questions and get answers from Microsoft security experts.
TechEd North America 2014
May 12-15, 2014 – Houston, Texas
In 2014, Microsoft is bringing together the best of TechEd and the Microsoft Management Summit (MMS) to help skilled technology professionals increase their technical expertise, share best practices, and interaction with Microsoft and a variety of industry experts and their peers. Explore the security aspects of data platforms and business intelligence, datacenter and infrastructure management, people-centric IT, Windows (devices and Windows Phone), and much more. Register today.
Microsoft Webcast: Information about the May 2014 Security Bulletin Release
Wednesday, May 14, 2014 – 11:00AM Pacific Time
Join this webcast for a brief overview of the technical details of May 2014’s Microsoft security bulletins. Ask questions and get answers from Microsoft security experts.
| | | | | | | | | | | | | | | | | microsoft.com/about/twc | Trustworthy Computing | | | | | | | | This is a monthly newsletter for IT professionals and developers–bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.
© 2014 Microsoft Corporation Terms of Use | Trademarks
Microsoft respects your privacy. To learn more please read our online Privacy Statement.
If you would prefer to no longer receive this newsletter, please click here.
To set your contact preferences for other Microsoft communications click here.
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052 USA | | | | | | | | |
