Microsoft Security Blog


If you are looking to join Microsoft at the RSA conference this year, there are a number of ways you can do so. The full list of sessions is below. Don’t forget that you can also join us at the Microsoft booth (#1616) where there are a number of demo pods and a theatre.

SEM-002 - Improving Application Security Seminar (Full Day - Delegates only)

Monday, February 27, 8:30 AM, Room 305

Speaker(s): Kathy Kriese, Principal Product Manager, Symantec Corporation

Jacob West, Director, Security Research Group, HP

Chris Eng, Vice President of Research, Veracode, Inc.

Brad Arkin, Senior Director, Product Security & Privacy, Adobe

Alexander Hoole, Principal Security Researcher, Fortify Software, an HP company

Brian Hope, Principal Consultant, Cigital, Inc.

Katie Moussouris, Senior Security Strategist Lead, Microsoft

Abstract: Building security into applications is a much less expensive proposition than trying to add security later in the software development lifecycle. Through demonstration and lecture, participants will learn about a broad variety of security issues as well as prevention techniques/countermeasures.

KEY-102 - TwC for our Computing-centric Society

Tuesday, February 28, 8:50 AM, Moscone North Hall D

Speaker(s): Scott Charney, Corporate Vice President Trustworthy Computing, Microsoft

Abstract: In the ten years since Microsoft announced the creation of its Trustworthy Computing (TwC) initiative, much has changed: society has become far more dependent on information systems; those attacking networks have become more persistent and determined; and new concerns about supply chain and cyber warfare are now frequently discussed in national capitols. Additionally, users are moving to the cloud, ushering in the era of big data. Scott Charney will talk about how these factors are affecting the future of TwC.

ASEC-106 - Making Sense of Software Security Advice: Best vs. Practiced Practices

Tuesday, February 28, 1:10 PM, Room 302

Moderator: Reeny Sondhi, Director, Product Security, EMC Corporation

Panelist(s): Gary McGraw, Chief Technology Officer, Cigital, Inc.

Kyle Randolph, Senior Manager, Security & Privacy, Adobe

Gary Phillips, Senior Director, R&D, Symantec Corporation

David Ladd, Principal Security Program Manager, Microsoft

Abstract: There’s no shortage of software security advice out there. How do you make sense of it and apply it to your work? Organizations such as SAFECode promote software security best practices. Others like BSIMM won’t tell you what you should do; but rather what others are doing. This session will cut through the noise and demonstrate how to find and use the right advice to achieve real-world success.

HT1-108 - Vulnerability Panel: Is it ZERO Day or ZERO Care?

Tuesday, February 28, 3:50 PM, Room 102

Moderator: Jake Kouns, Chief Executive Officer, Open Security Foundation; Director, Cyber Security and Technology Risks Underwriting at Markel Corporation

Panelist(s): Steve Christey, Principal Information Security Engineer, MITRE

Dan Holden, Director, HP DVLabs, HP

Carsten Eiram, Chief Security Specialist, Secunia

Katie Moussouris, Senior Security Strategist Lead, Microsoft

Abstract: Vulnerability Databases have provided information about security vulnerabilities for over 10 years. This enables analysis on trends and changes in the security industry. This session will examine vulnerability information over the past several years with an emphasis on understanding security researchers, quality of research, vendors, disclosure trends and the value of security vulnerabilities.

TECH-108 - Targeted Exploits & Spear Phishing – Will it be the Demise of Trusted Email?

Tuesday, February 28, 3:50 PM, Room 307

Moderator: Craig Spiezle, Executive Director, Founder & President, OTA Alliance

Panelist(s): John Scarrow, General Manager of Safety Services at Microsoft, Microsoft

Andy Steingruebl, Manager of Internet Standards & Governance, PayPal, Inc.

Mike Hammer, Web Operations Security, American Greetings Interactive

Abstract: Email continues to be the attack vector of choice by cybercriminals. This session will review how email authentication and the use of IETF standards (SPF and DKIM) can aid the enterprise in detecting forged email and help protect business and government data. Speakers will review recent research revealing adoption in various industries compiled by the Online Trust Alliance.

ASEC-201 - War Stories: The Good, Bad and the Ugly of Application Security Programs

Wednesday, February 29, 8:00 AM, Room 302

Moderator: Chenxi Wang, Vice President & Principal Analyst, Forrester

Panelist(s): Doug Cavit, Principal Security Strategist, Trustworthy Computing, Microsoft

James Routh, Managing Director & Global Head of Application, Internet and Mobile Security, JPMorgan Chase & Co.

Abstract: Despite the increasing awareness that vulnerabilities at the application level are behind some of the most dangerous attacks, application security remains a small and largely untapped market. This panel will address critical questions regarding application security technologies and the nuances of building an effective app sec program.

STAR-201 - Application Access Control - Taming the Wild West

Wednesday, February 29, 8:00 AM, Room 304

Moderator: Eric Green, EVP, Business Development, Mobile Active Defense

Panelist(s): Ward Spangenberg, Director of Security Operations, Zynga Game Network

Mike Convertino, Director, Network Security, Microsoft

Matthew Dosmann, Emerging Technologies Team Chief, U.S. Army

Elias Manousos, Chief Executive Officer, RiskIQ

Abstract: It’s been said that app stores are the number one malware delivery mechanism ever created by mankind. So even if you want to stick your head in the ground and believe apps are being code reviewed properly first time around, surely you don’t believe they go through the same testing for new versions. So how do you protect your mobile enterprise from rogue apps? The answer can only be – In real time!

SPO1-203 - Compliance, Audits and Fire Drills: In the Way of Real Security?

Wednesday, February 29, 10:40 AM, Room 120

Speaker(s): John Howie, Senior Director of Technical Security Services, Microsoft

Mark Estberg, Senior Director, Microsoft

Abstract: Meeting compliance obligations, passing audits, and dealing with incidents real or perceived can all distract a security organization from its core mission – maintaining the security and privacy of data and assets. In this session, hear how one large cloud provider ensures these distractions do not get in the way of the goals of information security.

HT1-301 - Code Red to Zbot: 10 Years of Tech, Researchers and Threat Evolution

Thursday, March 1, 8:00 AM, Room 102

Speaker(s): Tim Rains, Director, Microsoft

Jeffrey Jones, Director, Microsoft

Abstract: Windows XP just recently reached end of life. Bill Gates’ TwC is now ten years old. The threat landscape has constantly evolved in dramatic and unexpected ways, changing the character of Internet risk completely. Using data from millions of computers and online services, this session will provide a unique retrospective on how computing has changed over the past 10 years.

DAS-301 - Always-On SSL: A Necessity to Deal with an Inconvenient Truth

Thursday, March 1, 8:00 AM, Room 301

Moderator: Craig Spiezle, Executive Director, Founder & President, OTA Alliance

Panelist(s): Quentin Liu, Senior Director Engineering, Symantec Corporation

Alex Rice, Product Security, Facebook

Andy Steingruebl, Manager of Internet Standards & Governance, PayPal, Inc.

John Scarrow, General Manager of Safety Services at Microsoft, Microsoft

Abstract: A growing number of high-profile account hijacking attacks on prominent websites have highlighted that while we routinely employ countermeasures to deal with sophisticated attacks, most organizations don’t provide end-to-end encryption when transmitting confidential data of people using their web sites. We will explore why there is technical inertia and the call to action by the industry leaders.

ASEC-301 - What Motivated My Company to Invest in a Secure Development Program?

Thursday, March 1, 8:00 AM, Room 302

Moderator: Brad Arkin, Senior Director, Product Security & Privacy, Adobe

Panelist(s): Gunter Bitz, Head of Product Security Governance, SAP AG

Steven Lipner, Senior Director of Security Engineering Strategy, Microsoft

Gary Phillips, Senior Director, R&D, Symantec Corporation

Janne Uusilehto, Director, Head of Nokia Product Security, Nokia

Abstract: Behind every company that has a significant emphasis on secure software development lies a great story on how it all got started. Come hear the real-world war stories of what put five major software producing organizations on the road to security salvation. You'll laugh, you'll cry and you'll learn some tricks that may prove useful in your own environment.

MBS-303 - BYOD: Securing Mobile Devices You Don’t Own

Thursday, March 1, 10:40 AM, Room 305

Moderator: Kevin Mahaffey, Chief Technology Officer, Lookout

Panelist(s): Mike Convertino, Director, Network Security, Microsoft

Alex Stamos, Founding Partner of iSEC Partners, iSEC Partners

Jeff Moss, Founder & Director, Blackhat

William Boni, Corporate Information Security Officer, T-Mobile USA

Abstract: As billions of people around the world use their phones as PCs, hackers are paying attention. In the workplace, personally owned phones and tablets are rapidly becoming the norm, making the tightly-managed PC obsolete. In this panel we'll discuss issues affecting devices now and in the future as well as what security professionals can do to stay on top in this rapidly changing environment.

ASEC-304 - Privacy by Design: Baking Privacy into Business and Product Development

Thursday, March 1, 1:00 PM, Room 302

Speaker(s): Brendon Lynch, Chief Privacy Officer, Microsoft

Trevor Hughes, President & Chief Executive Officer, IAPP

Abstract: The Federal Trade Commission, European Commission and data protection officials in Canada have all called on companies to build Privacy by Design (PbD) into the corporate policies and the software development lifecycle. Learn how leading companies are implementing PbD within their organizations and the benefits this approach provides.

GRC-304 - Collective Defense: How the Defenders Can Play to Win

Thursday, March 1, 1:00 PM, Room 309

Speaker(s): Maarten Van Horenbeeck, Senior Program Manager Lead, Microsoft

Abstract: Modern software security response is complex, requiring defenders from across industries to collaborate. Critics, though, claim the offensive side is better coordinated, and “winning.” This talk shows how Microsoft has taken deliberate action to make collaboration among industry and government leaders a core part of its security response process. We’ll demonstrate how defenders are playing to win.

AUTH-005 - Mark Russinovich: Zero Day: A Novel

Thursday, March 1, 3:00 PM, Room 134

Speaker(s): Mark Russinovich, Technical Fellow, Microsoft Windows Azure Group

Abstract: An airliner’s controls abruptly fail mid-flight over the Atlantic. An oil tanker runs aground in Japan when its navigational system suddenly stops dead. Hospitals everywhere have to abandon their computer databases when patients die after being administered incorrect dosages of their medicine. In the Midwest, a nuclear power plant nearly becomes the next Chernobyl when its cooling systems malfunction. At first, these random computer failures seem like unrelated events. But Jeff Aiken, a former government analyst who quit in disgust after witnessing the gross errors that led up to 9/11, thinks otherwise. Jeff fears a more serious attack targeting the United States computer infrastructure is already under way. And as other menacing computer malfunctions pop up around the world, some with deadly results, he realizes that there isn’t much time if he hopes to prevent an international catastrophe. Written by a global authority on cyber security, Zero Day presents a chilling “what if” scenario that, in a world completely reliant on technology, is more than possible today: it’s a cataclysmic disaster just waiting to happen.

HT2-403 - Evil Through the Lens of Web Logs

Friday, March 2, 11:20 AM, Room 104

Speaker(s): Russ McRee, Manager, Security Incident Management & Pentesting Services, Microsoft

Abstract: Web logs can be analyzed with specific attention to Internet Background Radiation (IBR). Two bands of the IBR spectrum include scanning and misconfiguration where details about attacker and victim patterns are readily available. Via web application specific examples this discussion will analyze attacks exhibiting traits, trends, and tendencies from the attacker and victim perspectives.