Original Xia
Since last year, the ACE group has performed the Final Security Review (FSR) on MSN products of GFS (Global Foundation Services). The final security check is based on the Security Development Lifecycle (SDL) and is the last security check performed on software before it is released.
The security development lifecycle has two goals: one is to reduce security-related design defects and program code defects, and the other is to reduce the severity of the defects that remain.
The final security check requires one or more people in each product development team to be responsible for security and privacy. Their work includes managing all security and privacy issues, urging developers to follow and meet the company's security and privacy requirements, and making sound judgments when facing difficult security and privacy decisions.
Generally, product developers register their products on the intranet a few months before the design or software is completed, and fill in a questionnaire that helps the security inspectors understand the product. The answers to the questionnaire are also used to determine which security tests the software requires.
The final security check requires that at least 80% of employees have an opportunity to receive security training once a year, and that this training is recorded. Microsoft provides many online resources and instructor-led courses.
During the final security check, the security inspectors and the development team jointly analyze the product's threat model. This measures the reviewed team's knowledge of the assets the product must protect, the threats and vulnerabilities the product introduces, and how the product mitigates these threats. In addition, they consider whether threats and weaknesses come from the product's deployment environment or from its interaction with other products or end-to-end solution systems.
Common threat modeling tools include Threat Modeling Tool v3 and TAM (http://www.microsoft.com/downloads/details.aspx?Familyid=59888078-9DAF-4E96-B7D1-944703479451&displaylang=en).
The following are common (but not the only) security testing tools used in final security checks:
Fuzz testing includes File Fuzzing, RPC Fuzzing, and ActiveX Fuzzing.
App Verifier: a runtime tool that monitors a running application. It can identify memory-related issues at run time, including heap buffer overflows.
ComChk: checks COM controls.
XRAY: used to capture the attack surface on the machine and discover the intentional or unintentional attack surface of the product.
BinScope: checks binary code.
CAT.NET: used by the ACE group to discover SQL injection, cross-site scripting, and other data injection problems in web pages.
As part of the final security check, the product design group can use its own security testing tools to inspect the code or system at each stage of the security development lifecycle. For high-risk products, we recommend that, while completing the final security review, the team also ask the ACE group or a third-party company to perform code security testing and black-box testing.
Finally, based on the findings, the security inspectors decide whether the software can be released or needs to be reworked.