Trustworthy Computing

Microsoft Security Newsletter

Welcome to March’s Security Newsletter!

Our newsletter this month focuses on the importance of demanding secure software from your software or services providers. With the explosion of technology over the past decade, I frequently come across applications that are rushed to market with little thought given to security. Software providers are eager to make a quick return on their investment and may not recognize the long-term consequences it can have for their reputation in the event that one of their customers is compromised by malware or cyber attacks. The potential impact can be even more significant if their software becomes widely adopted. Microsoft learned this lesson early on during the days of malware threats like Code Red. The Microsoft Security Development Lifecycle (SDL) was born from these lessons. The SDL is designed to reduce the number and severity of vulnerabilities in software and is a mandatory process through which all Microsoft products and services must pass. You can learn more about the evolution of the SDL in the never-before-told story, "Life in the Digital Crosshairs."

Because of its effectiveness, Microsoft has made the SDL process available for free to the public so that software developers both large and small can benefit from security development best practices. Whether you’re developing an application for a smartphone, tablet, PC, or other computing device, you can apply SDL principles to improve that application's state of security. Learn more about the benefits of incorporating the SDL into your development process in our SDL Chronicles.

In this fast-moving technology market, providers are developing applications based on customer demand or priority, which is why demanding secure software starts with you. Ask your software provider if they are using a security development process. If not, you should think twice about the security of that software. Don’t let security be an afterthought and potentially expose your organization to increased risks from malware and other threats.

Best regards,
Tim Rains, Director
Microsoft Trustworthy Computing


Have feedback on how we can improve this newsletter? Email us at secnlfb@microsoft.com and share your ideas.

 
Top Stories
 
Cyber Threats to Windows XP and Guidance for Small Businesses and Consumers
It has been well publicized that Microsoft discontinues product support for Windows XP on April 8th, 2014. While many organizations have recently finished, or are in the process of finishing, their migration to Windows 7 or Windows 8, others have no plans to update their Windows XP systems. Get insight into the specific threats to Windows XP-based systems that attackers may attempt after end of support, to better understand the risks of remaining on Windows XP and the benefits of immediately upgrading to a more secure version of Windows, or of accelerating existing plans to do so.

Threat Modeling a Retail Environment
In the wake of high profile attacks on organizations in the retail industry, Microsoft cybersecurity and retail experts have teamed up to provide guidance that identifies some of the unique threats and challenges faced by companies in the retail industry, and suggests some appropriate mitigations.

When ASLR Makes the Difference
Explore the importance of enabling the Address Space Layout Randomization (ASLR) mitigation in modern software, and see how it can be used to mitigate two real exploits seen in the wild today.

 

Security Guidance

Security Tip of the Month: Increase Your Microsoft SDL I.Q.
Ken Malcolmson, Group Manager, Microsoft Trustworthy Computing
This year is the tenth anniversary of the creation of Microsoft’s Security Development Lifecycle. Over the last decade the technology-agnostic SDL has been refined and improved based on real-world feedback, made available free of charge for anyone to adapt and adopt in their own environment, and most recently been declared to meet or exceed the guidance published in ISO/IEC 27034-1, the first international standard to address secure software development requirements.

The free SDL guidance, tools and resources have been downloaded more than a million times and adopted by organizations large and small around the world. In today’s landscape, where concerns over supply chain security, protecting customer data and personally identifiable information, and defending against malicious attackers are keeping IT professionals and managers awake at night, the SDL offers a flexible and adaptable secure development framework that can be introduced into any development environment. With that in mind, here are 10 of the top resources that can help you better understand and utilize the SDL in your organization.

The Simplified SDL – detailed walkthrough of the core concepts and activities involved in the SDL process
SDL for Agile – guidance on adopting the SDL in Agile development environments
SDL Tools – free tools to utilize in each phase of the SDL
Microsoft Security Development Lifecycle Adoption: Why and How – downloadable report by the Edison Group on the use of secure development in the financial sector
Secure Software Trends in Healthcare – explores risks associated with the move to electronic healthcare records and the importance of secure application development to the healthcare sector
Secure Software Development Trends in the Oil & Gas Sectors – discusses how a holistic approach to software development can help mitigate many of the risks oil and gas organizations face
The emergence of software security standards: ISO/IEC 27034-1:2011 and your organization – Reavis Consulting LLC research report that examines the importance of ISO/IEC 27034 to software developers and customers, and how to leverage the SDL to help deliver more secure applications and services
Aligning the Microsoft SDL with PCI DSS/PCI PA-DSS Compliance Activity – explains how the SDL can help you meet some of the requirements of the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS)
Aligning Microsoft SDL Security Practices with the HIPAA Security Rule – describes how the SDL can help you comply with some requirements of the administrative simplification provision of the Health Insurance Portability and Accountability Act and its implementing regulations (HIPAA), including the Security Standards for Protecting Electronic Protected Health Information (HIPAA Security Rule) and the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule)
www.microsoft.com/sdl – your destination for SDL guidance, tools, and support



Microsoft SDL Tools
Get to know the many free tools that will help you perform SDL security activities. Watch a short overview of the Microsoft SDL toolset, then learn how to use some of the tools included in the toolset with these short demos:

SDL Threat Modeling Tool
MSF-Agile+SDL Process Template for Visual Studio Team System
Anti-Cross Site Scripting (XSS) Library
SDL Process Template
Banned.h Header File
SDL Regex Fuzzer
BinScope Binary Analyzer
SiteLock ATL Template
Code Analysis for C/C++
FxCop Overview



Getting Started with the SDL Threat Modeling Tool
Get step-by-step guidance on how to start the threat modeling process using the SDL Threat Modeling Tool, keep track of progress using the tool’s reporting features, and think about the threat modeling process overall.

Using the SDL for LOB Windows Store Apps
Learn how to build security into your Windows Store app development project from the beginning by using the SDL to complete a risk assessment and define the security/privacy requirements for your app. Ready to build your app using SDL principles? Check out Using the SDL for a LOB Windows 8 App, Part 2 for practical guidance on performing an attack surface analysis and attack surface reduction, and carrying out a software architectural risk analysis (more commonly known at Microsoft as a threat model).

Applying the SDL to Windows Azure
Find guidance to help you better understand the role that the SDL plays in producing secure and high quality code as well as moving an application "to the cloud" in a secure manner.

Microsoft SDL Forum
Whether you are new to the SDL, or an experienced user, find support for common issues encountered when implementing the SDL or get help with a new issue from a community of secure development experts.

 

This Month's Security Bulletins

March 2014 Security Bulletins

Critical
MS14-012: 2925418 Cumulative Security Update for Internet Explorer
MS14-013: 2929961 Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution

Important
MS14-014: 2932677 Vulnerability in Silverlight Could Allow Security Feature Bypass
MS14-015: 2930275 Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege
MS14-016: 2934418 Vulnerability in Security Account Manager Remote (SAMR) Protocol Could Allow Security Feature Bypass

March 2014 Security Bulletin Resources:
Microsoft Security Response Center (MSRC) Blog Post
Security Bulletin Webcast
Security Bulletin Webcast Q&A


 

Security Events and Training
 
MSDN Webcast: Microsoft SDL and Mobile Security (Level 300)
Learn how to apply Microsoft SDL practices to mobile application development, specifically the requirements, design, and verification phases. Explore security requirements and approved tools as well as basic mobile threat modeling, secure coding practices, and penetration testing (pentesting) mobile applications for Android and iOS. The presentation also briefly outlines some defensive coding techniques to protect against the weaknesses that are caused by common development pitfalls.

Microsoft Webcast: Information about the April 2014 Security Bulletin Release
Wednesday, April 9, 2014 – 11:00 AM Pacific Time
Join this webcast for a brief overview of the technical details of April’s Microsoft security bulletins. Ask questions and get answers from Microsoft security experts.

TechEd North America 2014
May 12-15, 2014 – Houston, Texas
In 2014, Microsoft is bringing together the best of TechEd and the Microsoft Management Summit (MMS) to help skilled technology professionals increase their technical expertise, share best practices, and interact with Microsoft, a variety of industry experts, and their peers. Explore the security aspects of data platforms and business intelligence, datacenter and infrastructure management, people-centric IT, Windows (devices and Windows Phone), and much more. Register today.

Microsoft Webcast: Information about the May 2014 Security Bulletin Release
Wednesday, May 14, 2014 – 11:00 AM Pacific Time
Join this webcast for a brief overview of the technical details of May 2014’s Microsoft security bulletins. Ask questions and get answers from Microsoft security experts.

 
 

Essential Tools

Microsoft Security Bulletins
Microsoft Security Advisories
Security Compliance Manager
Microsoft Security Development Lifecycle Starter Kit
Enhanced Mitigation Experience Toolkit
Malicious Software Removal Tool
Microsoft Baseline Security Analyzer

Security Centers

Security TechCenter
Security Developer Center
Microsoft Security Response Center
Microsoft Malware Protection Center
Microsoft Privacy
Microsoft Security Product Solution Centers

Additional Resources

Trustworthy Computing Security and Privacy Blogs
Microsoft Security Intelligence Report
Microsoft Security Development Lifecycle
Malware Response Guide
Security Troubleshooting and Support Resources
Trustworthy Computing Careers
 
 
 
 