Start Secure. Stay Secure.™
Microsoft Focuses on Web Application Security
CASE STUDY

"We felt that SPI Dynamics was superior in the three categories we were mainly concerned with -- accuracy, performance, and reporting."
James Costello, Senior IT Auditor for Microsoft

Background

Founded in 1975, Microsoft has changed the way the world conducts business. From creating operating systems, databases, business applications and productivity suites, Microsoft has led the charge in transforming and streamlining business processes, becoming the de facto standard for personal and business computing.

But being a leader has its challenges. It means you cannot stop evolving and redefining business processes. It also means that you can never stop earning the trust of the business community and the consumer. These groups trust that all Microsoft applications will be developed and designed securely enough to prevent malicious activity from employees or hackers looking to gather sensitive data. Microsoft's goal is to maximize their customers' security by providing the most resilient and least vulnerable software options possible. Within Microsoft, a team of auditors has been assembled that is responsible for ensuring that critical security vulnerabilities have been identified, addressed and remediated before the software becomes generally available to the public for purchase.

Problem

In the past the IT Audit group worked closely with third-party vendors to review source code and identify potential vulnerabilities. This process proved to be an expensive and extensive operation, requiring hundreds of hours annually to perform manual code reviews. It became clear that there had to be an automated, cost-effective and accurate means of reviewing source code for security vulnerabilities. James Costello, Senior IT Auditor for Microsoft, was commissioned by Steve Mar, Sr. Director IT Audit, to research, find and implement such a solution.
Solution

After initial marketplace research, Microsoft invited the top Web application testing vendors to showcase their vulnerability testing capabilities. "We tested several products in head-to-head comparisons and evaluated them for accuracy, performance and reporting," said Costello. After reviewing the Web application testing solutions on many of Microsoft's high-implication internal applications, the company chose SPI Dynamics' WebInspect™ product as its tool of choice for the Internal Audit department's Web application testing needs. "We felt that SPI Dynamics was superior in the three categories we were mainly concerned with - accuracy, performance, and reporting. Not only did WebInspect outperform the other applications, the dedicated customer support from SPI Dynamics became a deciding factor in their favor," according to Costello.

SPI Dynamics' WebInspect security assessment tool helps ensure the security of Microsoft's internally built business applications by identifying known and unknown vulnerabilities within the Web application layer. With WebInspect Enterprise Edition, application developers, quality assurance (QA) professionals, auditors, compliance officers, and security experts can perform security assessments on a Web-enabled application or Web service, providing usability at every phase of the Web application lifecycle, from development to QA to production and audit.

According to Steve Mar, "Having WebInspect in our 'IT toolkit' provides a greater number of auditors the ability to perform code reviews in a much more expedient fashion than previously, performing time-consuming manual code reviews on each application reviewed. We also noted an improved return on our tool investment given that we perform a greater number of application assessments by utilizing WebInspect. The detailed reports identify the risk implications and recommend steps to remediate any identified vulnerabilities.
IT Audit has the confidence that we can provide our application teams with value-added results that help secure and remediate the applications and systems in their environments."

Results

In three months, WebInspect has already shown its value. "Internal Audit has reduced costs using WebInspect. The tool allows us to perform a greater number of application reviews and has freed up our IT Audit resources to cover a greater number of reviews and other initiatives across the company," says Mar.

Mar and Costello have felt that the team's visibility has increased internally within Microsoft. "It has really helped when the application development manager has confidence in our application audits. Having a comprehensive report that outlines all of the application's strengths and weaknesses raises their comfort level that we've done a thorough job and helps them realize the value we bring to the overall organization."

Costello states that, "With the number of applications we have in our environment and the level of compliance we have to meet, WebInspect is going to be a tool that helps bring our auditing capabilities to a new level of performance within the company." SPI Dynamics' product line allows the Microsoft auditing team to verify compliance with industry- or enterprise-specific policies and standards. WebInspect's unique innovation allows Microsoft to easily define their organization's specific security policies (HIPAA, GLB, GISRA, SOX, etc.) and then test Web applications for compliance, privacy, and security.

The Future - Development

In the future, Costello sees WebInspect becoming a trusted partner in Microsoft's internal application development process. SPI Dynamics' product line makes building secure Web applications simple from the start by integrating into the existing application development process. Because WebInspect provides built-in security expertise, developers can run it against the code they've developed, ensuring top-quality functionality that is free of security defects. "When we began using WebInspect and demonstrating it to our developers, they were excited that we procured an automated tool that could test a full range of known and unknown vulnerabilities in their code. After they have seen the product, they inevitably want to know where we got it and how they can get a copy of WebInspect," says Costello.

SPI Dynamics helps Microsoft continue to maintain a leadership position in producing secure products while demonstrating a substantial return on investment. With the flexibility of WebInspect, Costello sees further usage of the product throughout Microsoft and other organizations.

The Future - Compliance

Virtually every organization using computers has information it must protect. Public companies, financial institutions, and healthcare organizations are under regulatory pressure to harden their systems against malicious attack. New compliance standards have been created to protect company assets and individual data. Industry-specific standards require that organizations protect the confidentiality and integrity of particular information. Health care organizations must conform to Health Insurance Portability and Accountability Act (HIPAA) guidelines, financial institutions must meet Gramm-Leach-Bliley (GLB) privacy requirements, and most Federal institutions must comply with the Government Information Security Reform Act (GISRA). The Sarbanes-Oxley (SOX) law requires disclosure of control weaknesses and management assertion over internal controls, including IT controls. In practice, each of these initiatives requires organizations to undergo periodic security audits to verify and test compliance.

As a result, many of Microsoft's internal applications must comply with these policies, laws, and standards to prevent the loss of confidential information and provide effective IT internal controls. Using WebInspect, Microsoft is able to verify that selected applications meet their corporate and legal standards.

115 Perimeter Center Place, Suite 1100, Atlanta, GA 30346
Tel: 678.781.4800 | Fax: 678.781.4850 | Email: info@spidynamics.com
Copyright ©2005, SPI Dynamics Incorporated. All Rights Reserved.