Microsoft Security Newsletter - March 2014

Trustworthy Computing | March 2014 Microsoft Security Newsletter     Welcome to March’s Security Newsletter! Our newsletter this month focuses on the importance of demanding secure software from your software or services providers. With the explosion of technology over the past decade, I frequently come across applications that are rushed to market with little thought given to security. Software providers are eager to make a quick return on their investment and may not recognize the long term consequences it can have to their reputation in the event that one of their customers is compromised by malware or cyber attacks. The potential impact can be even more significant if their software becomes widely adopted. Microsoft learned this lesson early on during the days of malware threats like Code Red. The Microsoft Security Development Lifecycle (SDL) was born from these lessons. The SDL is designed to reduce the number and severity of vulnerabilities in software and is a mandatory process through which all Microsoft products and services must pass. You can learn more about the evolution of the SDL in the never-before-told story, " Life in the Digital Crosshairs." Because of its effectiveness, Microsoft has made the SDL process available for free to the public so that software developers both large and small can benefit from security development best practices. Whether you’re developing an application for a smartphone, tablet, PC, or other computing device, you can apply SDL principles to improve that application's state of security. Learn more about the benefits of incorporating the SDL into your development process in our SDL Chronicles. In this fast moving technology market, providers are developing applications based on customer demand or priority which is why demanding secure software starts with you. Ask your software provider if they are using a security development process. If not, you should think twice about the security of that software. Don’t let security be an afterthought and potentially expose your organization to increased risks from malware and other threats. Best regards, Tim Rains, Director Microsoft Trustworthy Computing Have feedback on how we can improve this newsletter? Email us at secnlfb@microsoft.com and share your ideas.   Top Stories   Cyber Threats to Windows XP and Guidance for Small Businesses and Consumers It’s been well publicized that on April 8th, 2014 Microsoft discontinues product support for Windows XP. While many organizations have recently finished, or are in the process of finishing, the migration to Windows 7 or Windows 8, others have no plans to update their Windows XP systems. Get insight on the specific threats to Windows XP-based systems that attackers may attempt after end of support to better understand the risks involved with remaining on Windows XP, and benefits of immediately upgrading to a more secure version of Windows, or accelerate existing plans to do so. Threat Modeling a Retail Environment In the wake of high profile attacks on organizations in the retail industry, Microsoft cybersecurity and retail experts have teamed up to provide guidance that identifies some of the unique threats and challenges faced by companies in the retail industry, and suggests some appropriate mitigations. When ASLR Makes the Difference Explore the importance of enabling Address Space Layout Randomization mitigation (ASLR) in modern software, and see how it can be used to mitigate two real exploits seen in the world today.   Security Guidance   Security Tip of the Month: Increase Your Microsoft SDL I.Q. Ken Malcolmson, Group Manager, Microsoft Trustworthy Computing This year is the tenth anniversary of the creation of Microsoft’s Security Development Lifecycle. Over the last decade the technology-agnostic SDL has been refined and improved based on real-world feedback, made available free of charge for anyone to adapt and adopt in their own environment, and most recently been declared to meet or exceed the guidance published in ISO/IEC 27034-1, the first international standard to address secure software development requirements. The free SDL guidance, tools and resources have been downloaded more than a million times and adopted by organizations large and small around the world. In today’s landscape, where concerns over supply chain security, protecting customer data and personally identifiable information, and defending against malicious attackers are keeping IT professionals and managers awake at night, the SDL offers a flexible and adaptable secure development framework that can be introduced into any development environment. As a result, here are 10 of the top resources that can help you better understand and utilize the SDL in your organization. • The Simplified SDL – detailed walkthrough of the core concepts and activities involved in the SDL process   • SDL for Agile – guidance on adopting SDL in Agile development environments   • SDL Tools – free tools to utilize in each phase of the SDL   • Microsoft Security Development Lifecycle Adoption: Why and How – downloadable report by the Edison Group on the use of secure development in the financial sector   • Secure Software Trends in Healthcare – explores risks associated with the move to electronic healthcare records and the importance of secure application development to the healthcare sector   • Secure Software Development Trends in the Oil & Gas Sectors – discusses how a holistic approach to software development can help mitigate many of the risks oil and gas organizations face   • The emergence of software security standards: ISO/IEC 27034-1:2011 and your organization – Reavis Consulting LLC research report that examines the importance of ISO/IEC 20734 to software developers and customers, and how to leverage the SDL to help deliver more secure applications and services   • Aligning the Microsoft SDL with PCI DSS/PCI PA-DSS Compliance Activity – explains how the SDL can help you meet some of the requirements of the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS)   • Aligning Microsoft SDL Security Practices with the HIPAA Security Rule – describes how the SDL can help you comply with some requirements of the administrative simplification provision of the Health Insurance Portability and Accountability Act and its implementing regulations (HIPAA), including the Security Standards for Protecting Electronic Protected Health Information (HIPAA Security Rule) and the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule)   • www.microsoft.com/sdl – your destination for SDL guidance, tools, and support Microsoft SDL Tools Get to know the many free tools that will help you perform SDL security activities. Watch a short overview of the Microsoft SDL toolset then learn how to use some of the tools included in the toolset with these short demos: • SDL Threat Modeling Tool   • MSF-Agile+SDL Process Template for Visual Studio Team System   • Anti-Cross Site Scripting (XSS) Library   • SDL Process Template   • Banned.h Header File   • SDL Regex Fuzzer   • BinScope Binary Analyzer   • SiteLock ATL Template   • Code Analysis for C/C++   • FxCop Overview Getting Started with the SDL Threat Modeling Tool Get step-by-step guidance on how to start the thread modeling process using the SDL Threat Modeling Tool, keep track of progress using the tool’s reporting features, and think about the thread modeling process overall. Using the SDL for LOB Windows Store Apps Learn how to build security into your Windows Store app development project from the beginning by using the SDL to complete a risk assessment and define the security/privacy requirements for your app. Ready to build your app using SDL principles? Check out Using the SDL for a LOB Windows 8 App, Part 2 for practical guidance on developing an attack surface analysis and an attack surface reduction, and performing a software architectural risk analysis (more commonly known at Microsoft as a threat model). Applying the SDL to Windows Azure Find guidance to help you better understand the role that the SDL plays in producing secure and high quality code as well as moving an application "to the cloud" in a secure manner. Microsoft SDL Forum Whether you are new to the SDL, or an experienced user, find support for common issues encountered when implementing the SDL or get help with a new issue from a community of secure development experts.   This Month's Security Bulletins   March 2014 Security Bulletins Critical   • MS14-012: 2925418 Cumulative Security Update for Internet Explorer   • MS14-013: 2929961 Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution Important   • MS14-014: 2932677 Vulnerability in Silverlight Could Allow Security Feature Bypass   • MS14-015: 2930275 Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege   • MS14-016: 2934418 Vulnerability in Security Account Manager Remote (SAMR) Protocol Could Allow Security Feature Bypass   March 2014 Security Bulletin Resources:   • Microsoft Security Response Center (MSRC) Blog Post   • Security Bulletin Webcast   • Security Bulletin Webcast Q&A   Security Events and Training   MSDN Webcast: Microsoft SDL and Mobile Security (Level 300) Learn how to apply Microsoft SDL practices to mobile application development, specifically the requirements, design, and verification phases. Explore security requirements and approved tools as well as basic mobile threat modeling, secure coding practices, and penetration testing (pentesting) mobile applications for Android and iOS. The presentation also briefly outlines some defensive coding techniques to protect against the weaknesses that are caused by common development pitfalls. Microsoft Webcast: Information about the April 2014 Security Bulletin Release Wednesday, April 9, 2014 – 11:00AM Pacific Time Join this webcast for a brief overview of the technical details of April’s Microsoft security bulletins. Ask questions and get answers from Microsoft security experts. TechEd North America 2014 May 12-15, 2014 – Houston, Texas In 2014, Microsoft is bringing together the best of TechEd and the Microsoft Management Summit (MMS) to help skilled technology professionals increase their technical expertise, share best practices, and interaction with Microsoft and a variety of industry experts and their peers. Explore the security aspects of data platforms and business intelligence, datacenter and infrastructure management, people-centric IT, Windows (devices and Windows Phone), and much more. Register today. Microsoft Webcast: Information about the May 2014 Security Bulletin Release Wednesday, May 14, 2014 – 11:00AM Pacific Time Join this webcast for a brief overview of the technical details of May 2014’s Microsoft security bulletins. Ask questions and get answers from Microsoft security experts.     Essential Tools   • Microsoft Security Bulletins   • Microsoft Security Advisories   • Security Compliance Manager   • Microsoft Security Development Lifecycle Starter Kit   • Enhanced Mitigation Experience Toolkit   • Malicious Software Removal Tool   • Microsoft Baseline Security Analyzer Security Centers   • Security TechCenter   • Security Developer Center   • Microsoft Security Response Center   • Microsoft Malware Protection Center   • Microsoft Privacy   • Microsoft Security Product Solution Centers Additional Resources   • Trustworthy Computing Security and Privacy Blogs   • Microsoft Security Intelligence Report   • Microsoft Security Development Lifecycle   • Malware Response Guide   • Security Troubleshooting and Support Resources   • Trustworthy Computing Careers     microsoft.com/about/twc Trustworthy Computing     This is a monthly newsletter for IT professionals and developers–bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter. © 2014 Microsoft Corporation Terms of Use | Trademarks Microsoft respects your privacy. To learn more please read our online Privacy Statement. If you would prefer to no longer receive this newsletter, please click here. To set your contact preferences for other Microsoft communications click here. Microsoft Corporation One Microsoft Way Redmond, WA 98052 USA