The ultimate test of the SDL is the extent to which it reduces the number and severity of vulnerabilities in software. To measure how well that goal is met, security experts compared public vulnerability counts for "pre-SDL" and "post-SDL" versions of the same product over the 12 months (or more) following each release.
Although these results do not imply that all vulnerabilities will be found, the examples below demonstrate the effectiveness of the SDL in reducing the number of security vulnerabilities in products developed with it.
Microsoft SQL Server: 91% Fewer Vulnerabilities in SQL Server 2005
Organizations that develop software need to comply with a variety of complex, ever-changing regulations. Incorporating the SDL into the application development process helps meet compliance requirements and produce a return on investment (ROI) by guiding organizations to make smart choices early in the design process, thereby minimizing expensive inefficiencies.
The SDL encourages organizations to:
SDL Helps Reduce the Total Cost of Development
Analyst reports: Microsoft SDL adoption producing a better ROI
The Forrester Consulting State of Application Security study reported that organizations implementing an SDL process showed better ROI results than the overall surveyed population.
Aberdeen Group demonstrated how adopting an SDL process increases security and reduces the severity and cost of vulnerability incidents, while generating a stronger return on investment (four times higher) than other application security approaches.