<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Roger Halbheer on Security &#187; Processes</title>
	<atom:link href="http://www.halbheer.info/security/category/microsoft/processes/feed" rel="self" type="application/rss+xml" />
	<link>http://www.halbheer.info/security</link>
	<description>I am the Worldwide Chief Security Advisor for Microsoft and would like to discuss Information Security</description>
	<lastBuildDate>Thu, 09 Sep 2010 12:29:19 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Microsoft and Adobe: Collaboration Against Threats</title>
		<link>http://www.halbheer.info/security/2010/07/28/microsoft-and-adobe-collaboration-against-threats</link>
		<comments>http://www.halbheer.info/security/2010/07/28/microsoft-and-adobe-collaboration-against-threats#comments</comments>
		<pubDate>Wed, 28 Jul 2010 16:37:49 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Strategy]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Collaboration]]></category>
		<category><![CDATA[Vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/07/28/microsoft-and-adobe-collaboration-against-threats</guid>
		<description><![CDATA[You know my opinion on collaboration between countries, on public-private-partnerships as well as on collaboration between companies. For quite a while we have been running a program called MAPP – the Microsoft Active Protections Program, where we share vulnerability information with security &#8230; <a href="http://www.halbheer.info/security/2010/07/28/microsoft-and-adobe-collaboration-against-threats">Continue reading <span class="meta-nav">&#8594;</span></a>


Related posts:<ol><li><a href='http://www.halbheer.info/security/2008/08/06/security-through-collaboration' rel='bookmark' title='Permanent Link: Security through Collaboration'>Security through Collaboration</a></li>
<li><a href='http://www.halbheer.info/security/2009/11/05/international-collaboration-on-policies-for-cybersecurity-and-data-protection' rel='bookmark' title='Permanent Link: International Collaboration on Policies for Cybersecurity and Data Protection'>International Collaboration on Policies for Cybersecurity and Data Protection</a></li>
<li><a href='http://www.halbheer.info/security/2010/06/16/the-importance-of-international-collaborationeven-in-exercises' rel='bookmark' title='Permanent Link: The Importance of International Collaboration&ndash;Even in Exercises'>The Importance of International Collaboration&ndash;Even in Exercises</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[
<p>You know my opinion on collaboration between countries, on public-private-partnerships as well as on collaboration between companies.</p>
<p>For quite a while we have been running a program called MAPP – the <a href="http://www.microsoft.com/security/msrc/collaboration/mapp.aspx">Microsoft Active Protections Program</a>, where we share vulnerability information with security vendors to help them get signatures out to our joint customers the moment we release a security update.</p>
<p>Additionally, we know from our data (see the <a href="http://www.microsoft.com/security/about/sir.aspx">Security Intelligence Report</a>) that PDF is the most exploited file format. Therefore I think it is a great signal that Adobe will join the MAPP program to tighten our joint collaboration.</p>
<p>It is another clear signal that we are up for action to address the security challenges in the ecosystem.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/07/28/microsoft-and-adobe-collaboration-against-threats/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>How to Deal With Vulnerabilities</title>
		<link>http://www.halbheer.info/security/2010/07/27/how-to-deal-with-vulnerabilities</link>
		<comments>http://www.halbheer.info/security/2010/07/27/how-to-deal-with-vulnerabilities#comments</comments>
		<pubDate>Tue, 27 Jul 2010 14:53:53 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Incident Sharing]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/07/27/how-to-deal-with-vulnerabilities</guid>
		<description><![CDATA[This is always a fairly emotional theme. What is better to protect the ecosystem? Public or private disclosure? Should somebody be paying for vulnerabilities or not? Is a vulnerability auction ethical or not? I know that there are numerous views on &#8230; <a href="http://www.halbheer.info/security/2010/07/27/how-to-deal-with-vulnerabilities">Continue reading <span class="meta-nav">&#8594;</span></a>


Related posts:<ol><li><a href='http://www.halbheer.info/security/2010/06/11/vulnerability-disclosure-to-compete' rel='bookmark' title='Permanent Link: Vulnerability Disclosure to Compete?'>Vulnerability Disclosure to Compete?</a></li>
<li><a href='http://www.halbheer.info/security/2008/05/20/selling-vulnerabilities-and-ethics' rel='bookmark' title='Permanent Link: Selling Vulnerabilities and Ethics'>Selling Vulnerabilities and Ethics</a></li>
<li><a href='http://www.halbheer.info/security/2010/07/28/microsoft-and-adobe-collaboration-against-threats' rel='bookmark' title='Permanent Link: Microsoft and Adobe: Collaboration Against Threats'>Microsoft and Adobe: Collaboration Against Threats</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[
<p>This is always a fairly emotional theme. What is better to protect the ecosystem? Public or private disclosure? Should somebody be paying for vulnerabilities or not? Is a vulnerability auction ethical or not?</p>
<p>I know that there are numerous views on that and I do not want to debate them here and now. What I just want to do here is to show Microsoft’s position:</p>
<p>For a long time Microsoft has been working in close collaboration with the researcher community, and my understanding is that the researcher community is fairly impressed with what we do once they get the opportunity to look behind the scenes. One of the outcomes of this outreach is <a href="http://technet.microsoft.com/en-us/security/cc261637.aspx">Bluehat</a> – a Microsoft internal event where researchers talk to our developers. A very interesting and insightful get-together.</p>
<p>When it comes to handling vulnerabilities, I guess you know the <a href="http://www.microsoft.com/security/msrc/default.aspx">Microsoft Security Response Center</a> – the group within Microsoft chartered with handling security vulnerabilities. The policy behind working with the researcher community is two-fold:</p>
<ul>
<li>We are not paying for security vulnerabilities, nor do we intend to do so. There was an article on ZDNet again a few days ago: <a href="http://www.zdnet.com/blog/security/microsoft-no-plans-to-pay-for-security-vulnerabilities/6935">Microsoft: No plans to pay for security vulnerabilities</a></li>
<li>We just recently announced a slight change in strategy towards <a href="http://blogs.technet.com/b/ecostrat/archive/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force.aspx">Coordinated Vulnerability Disclosure</a>, an approach where the collaboration between the finder and the vendor shall be deepened.</li>
</ul>
<p>For me, the joint goal between researchers and vendors has to be to protect the ecosystem against the criminals. And by ecosystem I mean not only the big enterprises, which have security teams able to work on detailed vulnerability information, but small and medium businesses as well as consumers like my mom and dad. Therefore we think that the points above help to meet the requirements.</p>
<p>What are your thoughts on that?</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/07/27/how-to-deal-with-vulnerabilities/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Open Source and Hackers</title>
		<link>http://www.halbheer.info/security/2010/06/09/open-source-and-hackers</link>
		<comments>http://www.halbheer.info/security/2010/06/09/open-source-and-hackers#comments</comments>
		<pubDate>Wed, 09 Jun 2010 11:45:32 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Open Source]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Behavior]]></category>
		<category><![CDATA[Development Lifecycle]]></category>
		<category><![CDATA[Ecosystem]]></category>
		<category><![CDATA[OpenSource]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/?p=1543</guid>
		<description><![CDATA[The debate is probably as old as the Open Source software development model: Which one is more secure: Open Source or shared source as we at Microsoft run it? I know that we could now enter a religious debate about &#8230; <a href="http://www.halbheer.info/security/2010/06/09/open-source-and-hackers">Continue reading <span class="meta-nav">&#8594;</span></a>


Related posts:<ol><li><a href='http://www.halbheer.info/security/2008/05/20/the-debate-on-security-metrics' rel='bookmark' title='Permanent Link: The Debate on Security Metrics'>The Debate on Security Metrics</a></li>
<li><a href='http://www.halbheer.info/security/2010/06/08/1541' rel='bookmark' title='Permanent Link: We Need Solid and Strong Transparent Processes for the Cloud'>We Need Solid and Strong Transparent Processes for the Cloud</a></li>
<li><a href='http://www.halbheer.info/security/2010/08/24/the-importance-of-application-security' rel='bookmark' title='Permanent Link: The Importance of Application Security'>The Importance of Application Security</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[
<p>The debate is probably as old as the Open Source software development model: Which one is more secure: Open Source or shared source as we at Microsoft run it? I know that we could now enter a religious debate about that, which I do not want to as I do not really believe in the value of such debate.</p>
<p>However, it is always interesting to see who looks at this debate, and how. Does it help security if everyone can see the code, or does it help the attackers? We have a program which we call the <a href="http://www.microsoft.com/resources/sharedsource/gsp.mspx" target="_blank">Government Security Program</a>, giving governments under certain circumstances (e.g. protection of intellectual property) access to our source. Sometimes we have the debate with government officials whether having access to the code could allow an attacking government to get an advantage in the area of cyberwar or cyber espionage. Looking at that debate, Open Source would be even worse as it means access for everybody.</p>
<p>Now, I just read this article: <a href="http://www.technologyreview.com/computing/25480/?a=f" target="_blank">Open-Source Could Mean an Open Door for Hackers</a>. It is about a paper looking at data from Intrusion Detection Systems, and their finding is that <em>flaws in open-source software tend to be attacked more quickly and more often than vulnerabilities in closed-source software.</em> An interesting statement in light of the fact that we know there are more vulnerabilities in Open Source software than in shared source, and fairly often it is because of the lack of processes enforced to engineer security into the product from the beginning.</p>
<p>Another thing which is important to me is <em>&#8220;As defenders get out their patches, the attackers have more incentive to move on to a different exploit,&#8221; Ransbotham </em>[the author of the paper] <em>says.</em> In other words, having a strong incident response (besides the engineering process) is at least as important.</p>
<p>This should be something the industry adopts. We made our engineering process called the <a href="http://www.microsoft.com/security/sdl/default.aspx" target="_blank">Security Development Lifecycle</a> public, and I think our incident response is widely known as well as being a best practice. So, something people should finally come to adopt.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/06/09/open-source-and-hackers/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>We Need Solid and Strong Transparent Processes for the Cloud</title>
		<link>http://www.halbheer.info/security/2010/06/08/1541</link>
		<comments>http://www.halbheer.info/security/2010/06/08/1541#comments</comments>
		<pubDate>Tue, 08 Jun 2010 11:17:25 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Associations]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Ecosystem]]></category>
		<category><![CDATA[Engineering]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/?p=1541</guid>
		<description><![CDATA[This morning I was reading an article called Google seeks to assure customers on cloud security practices on ComputerWeekly. I had to read this – obviously . It references a paper written by the Google Security Officer called Security Whitepaper: &#8230; <a href="http://www.halbheer.info/security/2010/06/08/1541">Continue reading <span class="meta-nav">&#8594;</span></a>


Related posts:<ol><li><a href='http://www.halbheer.info/security/2009/11/19/security-a-feature-discussion-some-thoughts-on-googles-chrome-os' rel='bookmark' title='Permanent Link: Security &#8211; A Feature Discussion? Some Thoughts on Google&#8217;s Chrome OS'>Security &#8211; A Feature Discussion? Some Thoughts on Google&#8217;s Chrome OS</a></li>
<li><a href='http://www.halbheer.info/security/2010/06/09/open-source-and-hackers' rel='bookmark' title='Permanent Link: Open Source and Hackers'>Open Source and Hackers</a></li>
<li><a href='http://www.halbheer.info/security/2008/08/18/secure-development-more-than-%e2%80%9ejust%e2%80%9c-code' rel='bookmark' title='Permanent Link: Secure Development: More than „just“ code!'>Secure Development: More than „just“ code!</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[
<p>This morning I was reading an article called <a href="http://www.computerweekly.com/Articles/2010/06/07/241467/Google-seeks-to-assure-customers-on-cloud-security-practices.htm" target="_blank">Google seeks to assure customers on cloud security practices</a> on ComputerWeekly. I had to read this – obviously <img src='http://www.halbheer.info/security/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> . It references a paper written by the Google Security Officer called <a href="http://static.googleusercontent.com/external_content/untrusted_dlcp/www.google.com/en//a/help/intl/en/admins/pdf/ds_gsa_apps_whitepaper_0207.pdf" target="_blank">Security Whitepaper: Google Apps Messaging and Collaboration Products</a>. So, I read through it and to me it reflects – unfortunately – the state a lot of Cloud providers are in. Google (and not only Google to be fair), shows how good their physical security to their datacenter is, how they apply access control, monitoring, patch management etc. To me, kind of the standard security practices which I expect them to follow. It is just interesting that to my knowledge Google does not hold an ISO 27001 certification yet – but this is more a side-note.</p>
<p>What really struck me is that they do not at all talk about their engineering practices. They always talk about <em>Secure Programming</em> or <em>Implementation Level Security</em> – this is not the whole story, as we at Microsoft learned the hard way. It is not about the code as such, and if I had to choose between looking at the code and looking at the engineering practices, I would choose the latter. A good product is “just” the outcome of a good process, something we learned in engineering at the university when I was there. So, looking into the code is just the smaller part of the story.</p>
<p>Bearing that in mind, I actually searched for the engineering practices they have and actually found them: <em>Google’s Engineering organization does not require Product Development teams to follow a specific software development process; rather, teams choose and implement processes that fit the project’s needs. As such, a variety of software development processes are in use at Google, from Agile Software Development methodologies to more traditional, phased processes. </em>If I learned one thing during my whole security career, then it is that you need fairly strong processes to ensure security – be it on the network or in the design of applications.</p>
<p>That’s the reason we have our <a href="http://www.microsoft.com/security/sdl/default.aspx" target="_blank">Security Development Lifecycle</a> in place. Do not get me wrong, this will not lead to perfect security, as there is no such thing as perfect security. However, I am definitely convinced that looking at product security makes less sense than looking into the process by which the product was engineered. Knowing that it is a requirement for governments, Common Criteria targets the result and not the process.</p>
<p>Therefore, statements like: <em>Designed in-house from the ground up, Google’s production servers are based on a stripped and hardened version of Linux that has been customized to include only the components necessary to run Google applications, such as those services required to administer the system and serve user traffic. The system is designed for Google to be able to maintain control over the entire hardware and software stack and to help provide a secure application environment. </em>would not really make me feel any better in the light of what I wrote above.</p>
<p>We as an industry should definitely put more emphasis on the development lifecycle rather than code security and the product as such &#8211; I am clear that secure programming as such, as well as tools to do static code analysis, are important as well and not to be forgotten.</p>
<p>Rather than re-invent the wheel, I would ask Google (and others) to join <a href="http://www.safecode.org/" target="_blank">SafeCode</a> which exactly targets the process/engineering approach.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/06/08/1541/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Customer Stories: Why it is not THAT easy to move to the Cloud</title>
		<link>http://www.halbheer.info/security/2010/05/19/customer-stories-why-it-is-not-that-easy-to-move-to-the-cloud</link>
		<comments>http://www.halbheer.info/security/2010/05/19/customer-stories-why-it-is-not-that-easy-to-move-to-the-cloud#comments</comments>
		<pubDate>Wed, 19 May 2010 09:30:19 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Products]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Ecosystem]]></category>
		<category><![CDATA[Policies]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/05/19/customer-stories-why-it-is-not-that-easy-to-move-to-the-cloud</guid>
		<description><![CDATA[As you know from my postings on Cloud and security and the paper on the Cloud Security Considerations we wrote, I am convinced that there are five areas you should look at, when you try to migrate to the &#8230; <a href="http://www.halbheer.info/security/2010/05/19/customer-stories-why-it-is-not-that-easy-to-move-to-the-cloud">Continue reading <span class="meta-nav">&#8594;</span></a>


Related posts:<ol><li><a href='http://www.halbheer.info/security/2010/06/27/why-google-wont-beat-microsoft-on-cloud-collaboration' rel='bookmark' title='Permanent Link: Why Google Won&rsquo;t Beat Microsoft on Cloud Collaboration'>Why Google Won&rsquo;t Beat Microsoft on Cloud Collaboration</a></li>
<li><a href='http://www.halbheer.info/security/2010/06/23/mature-your-it-and-then-move-to-the-cloud' rel='bookmark' title='Permanent Link: Mature your IT and then move to the Cloud'>Mature your IT and then move to the Cloud</a></li>
<li><a href='http://www.halbheer.info/security/2010/03/11/insider-threat-of-cloud-computing' rel='bookmark' title='Permanent Link: Insider Threat of Cloud Computing'>Insider Threat of Cloud Computing</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[
<p>As you know from my postings on Cloud and security and the paper on the <a href="http://go.microsoft.com/?linkid=9708479" target="_blank">Cloud Security Considerations</a> we wrote, I am convinced that there are five areas you should look at when you try to migrate to the Cloud:</p>
<ol>
<li>Compliance and Risk Management </li>
<li>Identity and Access Management </li>
<li>Service Integrity </li>
<li>Endpoint Integrity </li>
<li>Information Protection </li>
</ol>
<p>The details on these five points are in the paper above. However, I was missing customer stories on that. I had a lot of discussions with customers and they all agreed on the model, but I had not too many customers which were ready to talk about these challenges publicly.</p>
<p>Recently we published some customer stories, which are worth looking at – even though they are “just” Microsoft case studies.</p>
<p>Let’s start with <a href="http://msexchangeteam.com/archive/2010/05/17/454897.aspx" target="_blank">Why Phaeton Automotive Chose Exchange 2010</a>: There were a few statements which struck me (those are customer quotes, not ours). The customer said that <em>We&#8217;d been using Google Apps to manage employee messaging and collaboration needs but wanted better security and privacy. Google Apps was inadequate in meeting business needs.</em> I do not want to challenge Google’s security. What I want to show here is that obviously the customer moved to the cloud “just trusting” that the provider will solve their security challenges – see Consideration #1 above. Even #2 was violated: <em>It didn&#8217;t allow single sign-on service, user migration and couldn&#8217;t help us centrally manage multiple domains.</em></p>
<p>When we move on to <a href="http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000006660" target="_blank">Rexel: Electrical Distributor Picks Proven Microsoft Messaging Technology over Google Apps</a>, we see consideration #3 kicking in: <em>With Exchange Online, we knew that we were not taking major risks. Google has less experience in the corporate world, and I don’t think it makes sense to take risks that you can avoid</em>.</p>
<p>Last but not least, Serena: <a href="http://blogs.technet.com/msonline/archive/2010/05/18/customer-story-why-serena-software-is-going-with-bpos.aspx">Customer Story: Why Serena Software is Going with BPOS</a>. It is again about the service delivery and service integrity: <em>They deliver trustworthy, enterprise-class solutions – with the performance, security, privacy, reliability and support we require. We know that Microsoft is a leader in providing these kinds of solutions, and in our discussions with them, it became clear that they are 100% committed to Serena’s success and delivering solutions that drive the future of collaboration</em>.</p>
<p>So, it seems that these considerations are really important. We did not look at #5 – Information Protection which is the absolute base for any cloud implementation. You have to understand what you want to move to which implementation of the cloud and which cloud provider.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/05/19/customer-stories-why-it-is-not-that-easy-to-move-to-the-cloud/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Want to introduce the Security Development Lifecycle? Play a Game</title>
		<link>http://www.halbheer.info/security/2010/03/22/want-to-introduce-the-security-development-lifecycle-play-a-game</link>
		<comments>http://www.halbheer.info/security/2010/03/22/want-to-introduce-the-security-development-lifecycle-play-a-game#comments</comments>
		<pubDate>Mon, 22 Mar 2010 07:10:00 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Strategy]]></category>
		<category><![CDATA[Development Lifecycle]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/03/22/want-to-introduce-the-security-development-lifecycle-play-a-game</guid>
		<description><![CDATA[I was recently pinged by a customer asking for the “real” version of this game. It was distributed at RSA in the US and I do not have any anymore – but you can still print it yourself. So, if &#8230; <a href="http://www.halbheer.info/security/2010/03/22/want-to-introduce-the-security-development-lifecycle-play-a-game">Continue reading <span class="meta-nav">&#8594;</span></a>


Related posts:<ol><li><a href='http://www.halbheer.info/security/2010/03/08/security-development-lifecycle-website' rel='bookmark' title='Permanent Link: Security Development Lifecycle &ndash; Website!'>Security Development Lifecycle &ndash; Website!</a></li>
<li><a href='http://www.halbheer.info/security/2009/05/19/security-development-lifecycle-template-your-next-step-to-secure-development' rel='bookmark' title='Permanent Link: Security Development Lifecycle Template &#8211; Your next step to &#8220;Secure Development&#8221;'>Security Development Lifecycle Template &#8211; Your next step to &#8220;Secure Development&#8221;</a></li>
<li><a href='http://www.halbheer.info/security/2009/02/18/the-impact-of-the-security-development-lifecycle' rel='bookmark' title='Permanent Link: The Impact of the Security Development Lifecycle'>The Impact of the Security Development Lifecycle</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[
<p>I was recently pinged by a customer asking for the “real” version of this game. It was distributed at RSA in the US and I do not have any anymore – but you can still print it yourself. </p>
<p>So, if you want to introduce SDL, or if you have introduced it already and want to reinforce the message, look at the <a href="http://www.microsoft.com/Security/sdl/eop.aspx" target="_blank">Elevation of Privilege (EoP) card game</a> and start playing!</p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/03/22/want-to-introduce-the-security-development-lifecycle-play-a-game/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Legal Challenges of International Business and the Cloud</title>
		<link>http://www.halbheer.info/security/2010/03/09/legal-challenges-of-international-business-and-the-cloud</link>
		<comments>http://www.halbheer.info/security/2010/03/09/legal-challenges-of-international-business-and-the-cloud#comments</comments>
		<pubDate>Tue, 09 Mar 2010 07:10:41 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Strategy]]></category>
		<category><![CDATA[Behavior]]></category>
		<category><![CDATA[Citizens]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Collaboration]]></category>
		<category><![CDATA[International]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Jurisdiction]]></category>
		<category><![CDATA[MLAT]]></category>
		<category><![CDATA[Policy Makers]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/03/08/legal-challenges-of-international-business-and-the-cloud</guid>
		<description><![CDATA[To start with: I am an engineer not a lawyer – and this might be part of the problem… When I started to think about the Cloud and security and thought about all the work I do with Law Enforcement &#8230; <a href="http://www.halbheer.info/security/2010/03/09/legal-challenges-of-international-business-and-the-cloud">Continue reading <span class="meta-nav">&#8594;</span></a>


Related posts:<ol><li><a href='http://www.halbheer.info/security/2010/04/21/a-detailed-analysis-of-an-attack-do-we-need-an-international-incident-sharing-database' rel='bookmark' title='Permanent Link: A Detailed Analysis of an Attack &ndash; Do We Need an International Incident Sharing Database?'>A Detailed Analysis of an Attack &ndash; Do We Need an International Incident Sharing Database?</a></li>
<li><a href='http://www.halbheer.info/security/2010/03/23/council-of-europe-octopus-conference-cooperation-against-cybercrime-day-1' rel='bookmark' title='Permanent Link: Council of Europe &ndash; Octopus Conference (Cooperation against Cybercrime) Day 1'>Council of Europe &ndash; Octopus Conference (Cooperation against Cybercrime) Day 1</a></li>
<li><a href='http://www.halbheer.info/security/2010/03/24/council-of-europe-octopus-conference-cooperation-against-cybercrime-day-2' rel='bookmark' title='Permanent Link: Council of Europe &ndash; Octopus Conference (Cooperation against Cybercrime) Day 2'>Council of Europe &ndash; Octopus Conference (Cooperation against Cybercrime) Day 2</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[
<p>To start with: I am an engineer not a lawyer – and this might be part of the problem…</p>
<p>When I started to think about the Cloud and security, I also thought about all the work I do with Law Enforcement and the challenges they face. Additionally, I started to think about the legal challenges we – as an industry – already had. Or better, the legal challenges I knew about. Our <a href="http://www.halbheer.info/security/2010/01/30/cloud-security-paper-looking-for-feedback" target="_blank">Cloud Security Challenges</a> paper just touches a little bit on this, but to me it is a big challenge (too big for an engineer <img src='http://www.halbheer.info/security/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> ?)</p>
<p>Let me give you an example: A case which happens often is that Law Enforcement approaches a mail provider with the request to access the content of a mailbox because they have a case where the suspect is expected to have mails which can be used as evidence. This is actually fairly standard and, within the legal boundaries of a country, straightforward if the law enforcement officer has a court decision. Now, with international providers it gets more complicated, as a case in Belgium showed: The Belgian police asked Yahoo! to give them access to the mailbox of a person living in Belgium based on a Belgian court decision. However, this data is hosted in the United States. Pretty normal: The police then should ask the FBI for help, they issue the corresponding papers (together with the court) and Yahoo! would hand over the data – this process is called <a href="http://en.wikipedia.org/wiki/Mutual_Legal_Assistance_Treaty" target="_blank">MLAT (mutual legal assistance treaty)</a>. Belgium refused to do that, as it was their position that a Belgian decision is good enough because the suspect lives in Belgium. Yahoo! now had two choices: Violate US law by handing over the data or violate the Belgian court decision by not handing over the data – a lose-lose position to be in <img src='http://www.halbheer.info/security/wp-includes/images/smilies/icon_sad.gif' alt=':-(' class='wp-smiley' /> . </p>
<p>And the worst thing to me is that we all have just one goal: <strong>We want to get the criminals arrested – this is a battle where law enforcement, policy makers and the industry are on the same side!</strong> If you want to read more: <a href="http://techcrunch.com/2009/03/02/yahoo-fined-by-belgian-court-for-refusing-to-give-up-e-mail-account-info/">Yahoo Fined By Belgian Court For Refusing To Give Up E-Mail Account Info</a></p>
<p>And there are a lot of cases like this. Cases where the data retention policy in one country requires you to keep data for up to 12 months and another country tells you that you are not allowed to keep data for longer than 8 months because of its Data Protection law – if you operate in both, what do you do?</p>
<p>The longer I work in this space, the more complicated it gets for me and the more of such challenges pop up. This morning I read the following article: <a href="http://blog.uncommonsensesecurity.com/2010/03/step-in-right-direction.html">A step in the right direction</a>. Basically this blog post covers a privacy law put in place in Massachusetts which has broad impact, as it applies not only if you are located in Massachusetts but also if the company <em>owns or licenses, receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment</em>. In other words – if you “run the risk” of selling to somebody in Massachusetts, you are subject to this law! </p>
<p>As I said, the situation gets incredibly complex.</p>
<p>Where does this lead us to? To me there are a few things which should be done:</p>
<ul>
<li>Governments and the industry have to work much more closely together. The industry has to have the ability to show the stumbling blocks for the businesses, and together &#8211; the government and the industry &#8211; have to find solutions which protect the citizens’ rights, help to grow the economy and help to go after the criminals. </li>
<li>Governments have to think globally and act locally. Today’s cybercrime environment no longer allows for “local only” solutions. There needs to be a certain level of harmonization of laws across the countries and the willingness to collaborate fast. As there is no global jurisdiction on that level, the willingness to have harmonized legislation will be key. The challenge, however, is that governments are re-elected locally – not globally… </li>
<li>The industry has to behave responsibly. In order to make this happen, the industry has to be seen as a partner for the government. The only way to get there – in my opinion – is to act responsibly. If I look at certain behaviors I see in the industry, it is sometimes too much focused on short-term revenue rather than on responsible behavior. </li>
</ul>
<p>This will definitely be the basis for a better collaboration and an environment where the legal challenges (see the Yahoo! case above) do not have to be solved on the shoulders of the businesses “just because” of legal deficiencies between countries. As I said above, we all want to fight crime, as it is necessary and as it is the only way to grow the Internet in the future. And all of this helps us, I think.</p>
<p>Roger   </p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/03/09/legal-challenges-of-international-business-and-the-cloud/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Development Lifecycle &#8211; Website!</title>
		<link>http://www.halbheer.info/security/2010/03/08/security-development-lifecycle-website</link>
		<comments>http://www.halbheer.info/security/2010/03/08/security-development-lifecycle-website#comments</comments>
		<pubDate>Mon, 08 Mar 2010 08:30:13 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Development Lifecycle]]></category>
		<category><![CDATA[Ecosystem]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Threat Modeling]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/03/08/security-development-lifecycle-website</guid>
		<description><![CDATA[I often talk about how we learned to engineer security into the products and the results prove that we are on the right track. One of the challenges we always have is how to help the ecosystem to improve as &#8230; <a href="http://www.halbheer.info/security/2010/03/08/security-development-lifecycle-website">Continue reading <span class="meta-nav">&#8594;</span></a>


Related posts:<ol><li><a href='http://www.halbheer.info/security/2009/05/19/security-development-lifecycle-template-your-next-step-to-secure-development' rel='bookmark' title='Permanent Link: Security Development Lifecycle Template &#8211; Your next step to &#8220;Secure Development&#8221;'>Security Development Lifecycle Template &#8211; Your next step to &#8220;Secure Development&#8221;</a></li>
<li><a href='http://www.halbheer.info/security/2010/03/22/want-to-introduce-the-security-development-lifecycle-play-a-game' rel='bookmark' title='Permanent Link: Want to introduce the Security Development Lifecycle? Play a Game'>Want to introduce the Security Development Lifecycle? Play a Game</a></li>
<li><a href='http://www.halbheer.info/security/2009/02/18/the-impact-of-the-security-development-lifecycle' rel='bookmark' title='Permanent Link: The Impact of the Security Development Lifecycle'>The Impact of the Security Development Lifecycle</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[
<p>I often talk about how we learned to engineer security into the products, and the results prove that we are on the right track. One of the challenges we always have is how to help the ecosystem to improve as well. One of the ways is to communicate through our website. Not that this is really news – it is actually a few weeks old, but still… We renewed our <a href="http://www.microsoft.com/security/sdl/default.aspx" target="_blank">Security Development Lifecycle site</a>. </p>
<p>If you are developing software internally, you should definitely look at the site and think about how to implement SDL in your organization. If you want help, there is the <a href="http://www.microsoft.com/security/sdl/getstarted/pronetwork.aspx" target="_blank">SDL Pro Network</a> to help you implement SDL. Or <a href="http://www.microsoft.com/security/sdl/getstarted/tools.aspx" target="_blank">leverage the tools</a> we make available. Or much more…</p>
<p>If you are “just” buying software, look at the lifecycle and start to ask your vendors a few questions like:</p>
<ul>
<li>How do you engineer security into the products? (I am not talking about the classical software engineering processes – I am talking about security…) </li>
<li>How do you do Threat Modeling? (To me a key piece of the engineering process.) </li>
<li>… </li>
</ul>
<p>Roger   </p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/03/08/security-development-lifecycle-website/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why it pays to be secure &#8211; Chapter 5 &#8211; I need tools!</title>
		<link>http://www.halbheer.info/security/2010/03/07/why-it-pays-to-be-secure-chapter-5-i-need-tools</link>
		<comments>http://www.halbheer.info/security/2010/03/07/why-it-pays-to-be-secure-chapter-5-i-need-tools#comments</comments>
		<pubDate>Sat, 06 Mar 2010 23:23:56 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Products]]></category>
		<category><![CDATA[Strategy]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[management]]></category>
		<category><![CDATA[Policies]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[Standardization]]></category>
		<category><![CDATA[Tool]]></category>
		<category><![CDATA[Updates]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/03/07/why-it-pays-to-be-secure-chapter-5-i-need-tools</guid>
		<description><![CDATA[Our EMEA Security Program Manager, Henk van Roest, started this series internally and with his consent I am publishing it here in my blog as I think it contains a lot of great information for you to use. So far, &#8230; <a href="http://www.halbheer.info/security/2010/03/07/why-it-pays-to-be-secure-chapter-5-i-need-tools">Continue reading <span class="meta-nav">&#8594;</span></a>


Related posts:<ol><li><a href='http://www.halbheer.info/security/2009/08/27/why-it-pays-to-be-secure-chapter-1-data-breaches' rel='bookmark' title='Permanent Link: Why it pays to be secure &#8211; Chapter 1 &#8211; Data Breaches'>Why it pays to be secure &#8211; Chapter 1 &#8211; Data Breaches</a></li>
<li><a href='http://www.halbheer.info/security/2009/11/13/why-it-pays-to-be-secure-chapter-4-i-want-to-learn' rel='bookmark' title='Permanent Link: Why it pays to be secure &#8211; Chapter 4 &#8211; I want to learn!'>Why it pays to be secure &#8211; Chapter 4 &#8211; I want to learn!</a></li>
<li><a href='http://www.halbheer.info/security/2009/10/18/why-it-pays-to-be-secure-%e2%80%93-chapter-3-%e2%80%93-but-how-do-i' rel='bookmark' title='Permanent Link: Why it pays to be secure – Chapter 3 – But how do I?'>Why it pays to be secure – Chapter 3 – But how do I?</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[
<p>Our EMEA Security Program Manager, Henk van Roest, started this series internally and with his consent I am publishing it here in my blog as I think it contains a lot of great information for you to use.</p>
<hr />
<p>So far, in the first 4 chapters, we have addressed the usual excuses for not Managing Your IT Environment and Security Updates:</p>
<ol>
<li>Security is not worth it, nothing ever happens and if it does it will be “no big deal” </li>
<li>I installed the Microsoft updates, but my network was still compromised </li>
<li>OK now I understand why Security is important but no idea how I start </li>
<li>I now know what I want to do, I just don’t know how, I need training </li>
</ol>
<p>Here we address the need for automation, cost reduction and standardization. Microsoft has literally hundreds of tools to help management assess risk and help administrators implement security updates and policies.</p>
<p><strong>Security Update Management Tools:</strong> <a href="http://technet.microsoft.com/en-gb/security/cc297183.aspx#EPC">http://technet.microsoft.com/en-gb/security/cc297183.aspx#EPC</a></p>
<p><strong>Security Update Detection Tools:</strong> <a href="http://technet.microsoft.com/en-gb/security/cc297183.aspx#EID">http://technet.microsoft.com/en-gb/security/cc297183.aspx#EID</a></p>
<p><strong>Security Risk Assessment Tool:</strong> <a href="http://technet.microsoft.com/en-gb/security/cc297183.aspx#EUD">http://technet.microsoft.com/en-gb/security/cc297183.aspx#EUD</a></p>
<p><strong>Lockdown, Auditing, Intrusion Detection, Remediation Tools:</strong> <a href="http://technet.microsoft.com/en-gb/security/cc297183.aspx#E2D">http://technet.microsoft.com/en-gb/security/cc297183.aspx#E2D</a></p>
<p><strong>Virus and Malware Protection and Removal Tools &amp; Apps:</strong> <a href="http://technet.microsoft.com/en-gb/security/cc297183.aspx#E1E">http://technet.microsoft.com/en-gb/security/cc297183.aspx#E1E</a></p>
<p><strong><font color="#ff0000">Reduce Your Risk: 10 Security Rules To Live By</font></strong></p>
<p>This is from 2006 but it demonstrates on a conceptual level how the technology can change but the rules remain the same.&#160; <u>Yet again we learn that Security is a Process, not a Product!</u></p>
<p><a href="http://technet.microsoft.com/en-us/magazine/2006.05.reducerisk.aspx">http://technet.microsoft.com/en-us/magazine/2006.05.reducerisk.aspx</a></p>
<hr />
<p>Henk and Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/03/07/why-it-pays-to-be-secure-chapter-5-i-need-tools/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Making the Management of Security Compliance Easier!</title>
		<link>http://www.halbheer.info/security/2010/02/18/making-the-management-of-security-compliance-easier</link>
		<comments>http://www.halbheer.info/security/2010/02/18/making-the-management-of-security-compliance-easier#comments</comments>
		<pubDate>Thu, 18 Feb 2010 14:26:00 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Processes]]></category>
		<category><![CDATA[Products]]></category>

		<guid isPermaLink="false">/security/archive/2010/02/18/making-the-management-of-security-compliance-easier.aspx</guid>
		<description><![CDATA[As you all know, I have two main pet themes: Risk Management and Compliance Management as I see very often that there is room for improvement when it comes to such processes within our customers. Internally, we often think about &#8230; <a href="http://www.halbheer.info/security/2010/02/18/making-the-management-of-security-compliance-easier">Continue reading <span class="meta-nav">&#8594;</span></a>


Related posts:<ol><li><a href='http://www.halbheer.info/security/2010/04/09/microsoft-security-compliance-manager-now-available' rel='bookmark' title='Permanent Link: Microsoft Security Compliance Manager: Now available!'>Microsoft Security Compliance Manager: Now available!</a></li>
<li><a href='http://www.halbheer.info/security/2008/06/07/security-compliance-management-%e2%80%93-solution-accelerator-available' rel='bookmark' title='Permanent Link: Security Compliance Management – Solution Accelerator Available'>Security Compliance Management – Solution Accelerator Available</a></li>
<li><a href='http://www.halbheer.info/security/2009/02/24/security-compliance-management-toolkit' rel='bookmark' title='Permanent Link: Security Compliance Management Toolkit'>Security Compliance Management Toolkit</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[
<p>As you all know, I have two main pet themes: Risk Management and Compliance Management, as I very often see that there is room for improvement when it comes to such processes within our customers. Internally, we often think about how we can make it easier for our customers to manage compliance in their networks.</p>
<p>So, basically it is about helping you to plan, deploy, operate, and manage the baselines in your environment. As you might know, we have been providing free tools, which we call <a href="http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx" target="_blank">Solution Accelerators</a>, for quite a while (if you did not know, shame on us). We provide a Security Compliance Manager in this program as well, and the new version is in Beta right now. </p>
<p>Basically, the new Security Compliance Manager Solution Accelerator provides you with a few pretty exciting features:</p>
<ul>
<li>Centralized management and baseline portfolio</li>
<li>You can customize the security baselines</li>
<li>You can compare them and export them (e.g. to GPOs)</li>
<li>You can verify and monitor them</li>
</ul>
<p>As a picture says more than a thousand words, here are a few (cool!!) screenshots of the tool:</p>
<p align="center"><a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3313647/original.aspx" target="_blank"><img style="border-bottom:0px;border-left:0px;display:block;float:none;margin-left:auto;border-top:0px;margin-right:auto;border-right:0px" title="500x303[1]" border="0" alt="500x303[1]" src="http://www.halbheer.info/security/Media/WindowsLiveWriter/MakingtheManagementofSecurityComplianceE_8865/500x303[1]_1.png" width="500" height="303"></a> <em>Check for Baselines</em></p>
<p align="center"><em><a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3313648/original.aspx" target="_blank"><img style="border-bottom:0px;border-left:0px;display:block;float:none;margin-left:auto;border-top:0px;margin-right:auto;border-right:0px" title="500x268[1]" border="0" alt="500x268[1]" src="http://www.halbheer.info/security/Media/WindowsLiveWriter/MakingtheManagementofSecurityComplianceE_8865/500x268[1]_1.png" width="500" height="268"></a> Compare Baselines</em></p>
<p align="center"><a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3313649/original.aspx" target="_blank"><img style="border-bottom:0px;border-left:0px;display:block;float:none;margin-left:auto;border-top:0px;margin-right:auto;border-right:0px" title="521x480[1]" border="0" alt="521x480[1]" src="http://www.halbheer.info/security/Media/WindowsLiveWriter/MakingtheManagementofSecurityComplianceE_8865/521x480[1]_1.png" width="521" height="480"></a> <em>Customize the Baseline</em></p>
<p align="center"><a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3313650/original.aspx" target="_blank"><img style="border-bottom:0px;border-left:0px;display:block;float:none;margin-left:auto;border-top:0px;margin-right:auto;border-right:0px" title="535x480[1]" border="0" alt="535x480[1]" src="http://www.halbheer.info/security/Media/WindowsLiveWriter/MakingtheManagementofSecurityComplianceE_8865/535x480[1]_1.png" width="535" height="480"></a> <em>Export it (to enforce it through GPOs)</em></p>
<p align="center"><a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3313651/original.aspx" target="_blank"><img style="border-bottom:0px;border-left:0px;display:block;float:none;margin-left:auto;border-top:0px;margin-right:auto;border-right:0px" title="500x285[1]" border="0" alt="500x285[1]" src="http://www.halbheer.info/security/Media/WindowsLiveWriter/MakingtheManagementofSecurityComplianceE_8865/500x285[1]_1.png" width="500" height="285"></a><em> Merge different Baselines</em></p>
<p>So, if you are as excited as I am, you should join the Beta program, which is now open. That’s the way to give feedback and influence it now! Therefore my “call to action” for you is:</p>
<ul>
<li><a href="https://connect.microsoft.com/InvitationUse.aspx?ProgramID=2682&#038;InvitationID=SUN-TJKJ-7XWY&#038;SiteID=715">Join the Security Compliance Manager Beta.</a> Then tell the development team what you think!</li>
<li>Already a member? <a href="https://connect.microsoft.com/content/content.aspx?ContentID=10295&#038;SiteID=715">Bookmark this link for access to the program page.</a></li>
<li>Help us spread the word—<a href="https://connect.microsoft.com/InvitationUse.aspx?ProgramID=2682&#038;InvitationID=SUN-TJKJ-7XWY&#038;SiteID=715">share the beta invitation link with your friends</a>. </li>
<li>Want to see where it all started? <a href="http://download.microsoft.com/download/B/2/4/B24D224D-054A-46A2-BB30-925B943F00E1/Security Compliance Management Toolkit - All.zip">Download the current version: Security Compliance Management Toolkit.</a></li>
</ul>
<p>The beta will run through March 2010. That means now is the time to join the beta program, take an early look at this tool, and provide the Security Solution Accelerators team with your feedback. </p>
<p>Want the facts straight from the development team? <a href="http://www.youtube.com/user/SATSASC">Check out this series of short videos!</a> Better yet, post your own video response sharing your favorite feature. </p>
<p>Want more information on a specific feature? Interested in speaking with the development team? Please contact <a href="mailto:marney@microsoft.com?subject=SCM blogger's kit inquiry">Michelle Arney</a>. </p>
<p>Have a lot of fun!!</p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/02/18/making-the-management-of-security-compliance-easier/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
