Practices At Microsoft
Ensuring the lowest possible exposure and vulnerability to attacks
Published: January 2003
Solution Overview
Situation
Faced with the daunting task of inventorying, cataloging, assessing, and securing each LOB application, the Microsoft IT group needed to create an organizational framework for handling the job
Solution
Microsoft IT developed the Application Security Assurance Program (ASAP) to inventory, assess and – when necessary – ensure the resolution of security vulnerabilities found in LOB applications
Benefits
Lower cost of recovery and lost productivity
Minimize loss of data
Improve customer confidence
Decrease legal risks
Motivation For Application Security
Cost of recovery and lost productivity
Loss of data
Impact on consumer confidence
Legal risks
Security Principles
Confidentiality
Integrity
Authentication
Authorization
Availability
Non-repudiation
Managing Risk
Strategic
Tactical
Operational
Legal
Overview Of ASAP
Wide variety of LOB applications designed by Microsoft IT or individual business unit IT teams
Securing applications and data has grown in significance and complexity
LOB applications function in a complex operational and legal environment with an equally complex underlying infrastructure
Every organization should develop its own plan for securing applications
ASAP Deployment
Risk assessment
Design review
Pre-production assessments
Post-production follow-up
Assessment Criteria
Definition of an application
Scope of assessments
High-risk
Medium-risk
Low-risk
Types of Assessments
Limited assessments
Comprehensive assessments
Participants
Application Review: Risk Assessment; Threat Modeling
Corporate Security: Security Policy Team; Audits
Operations IT: Action on Audit Findings
Business Unit IT Groups: Action on Audit Findings
Application Security Process Framework
Educate IT Professionals
Design, Develop, Test, and Verify Secure Apps
Verify In Production Applications
Apply Lessons Learned