Today marks the first day of the Security Development Conference 2013. Security professionals from companies, government agencies and academic institutions have traveled from all over the world to learn, network and share proven security development practices that can reduce an organization’s risk. As I sit here waiting for Scott Charney to take the stage, I am reminded that it’s been almost a decade since Microsoft implemented its Security Development Lifecycle (SDL). So much has changed in that time.
In the past decade, Internet usage has gone from roughly 350 million people online to more than 2.4 billion. Today there are more opportunities than ever before for developers. Windows 8 is still relatively new, the cloud is in its early stages of adoption and there has been an explosion in new mobile devices and platforms. While the Internet has created many new opportunities and ways to do business, it has also spawned a digital underground for online crime. Security breaches that have financial consequences or lead to intellectual property loss, website defacement or espionage have become a reality in today’s computing landscape.
Many of the developers I talk with generally recognize the importance of security development. Despite this, the evidence suggests that the vast majority of organizations still have not adopted security development as a fundamental professional discipline. Microsoft recently surveyed over 2200 IT professionals and 490 developers worldwide. The survey found that only 37 percent of IT Professionals cited their organizations as building their products and services with security in mind. Furthermore, 61 percent of developers were not taking advantage of mitigation technologies that already exist such as ASLR, SEHOP and DEP. These mitigations have been freely available to the industry for years and are often simple additions to existing development practices–and yet only a minority of developers are leveraging them. This is concerning to me and it should be concerning to everyone who uses the Internet.
Furthermore, the survey revealed the biggest roadblocks that prevent organizations from adopting a security development process were 1) lack of management approval, 2) lack of training and support and 3) cost. Today at the Security Development Conference, Microsoft and others are taking steps to eliminate these barriers and to help close the gap on security development adoption.
Management Approval – Standardization and compliance can help overcome many of the barriers involved with management approval. The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) recognized the need for standards around security development processes and released ISO/IEC 27034-1. This new international standard is the first of its kind to focus on the processes and frameworks needed to build a comprehensive software security program. ISO/IEC 27034-1 is an important step in the right direction for security and opens up a number of possibilities for organizations. Microsoft recognizes this important milestone in security development and today announces through its Declaration of Conformity that Microsoft’s SDL conforms to ISO 27034-1. We hope that by publically conforming to this standard, we can serve as an example for other businesses looking to make a commitment to secure development.
o For businesses that develop or sell software, this standard provides a common validation language for security development practices, offers a clear and simple outline for adopting a security development framework and can serve as a competitive differentiator in the marketplace.
o For customers purchasing software or services from vendors, this standard provides a single “language” for purchasers to demand secure development across industries, platforms and regions
For more information on ISO 27034-1, I recommend checking out a paper released today, commissioned by Microsoft and published by Reavis Consulting Group, LLC titled “The emergence of software security standards: ISO/IEC 27034-1:2011 and your organization.”
Many industries are faced with the uphill battle of securing their infrastructures and conforming to industry regulations. An example of a sector addressing this very challenge is the healthcare industry. Today, Microsoft also released a paper titled “Secure Software Trends in Healthcare” that speaks to this industry challenge and demonstrates how the SDL can have a positive impact.
Training and Support –Microsoft provides free, downloadable tools and guidance on its SDL Website including SDL for Agile, the Threat Modeling tool and the Attack Surface Analyzer, to help automate and enhance the SDL process, gain efficiencies, and ease the implementation of the SDL. To help with implementation, Microsoft’s Partner Network includes a number of members committed to helping customers adopt secure development practices based on SDL.. In addition to these resources, today The Software Assurance Forum for
Excellence in Code (SAFECode) announced new free online training courses on security development.
Cost – Lastly, IT professionals and developers cited cost as a major hindrance to adopting a security development framework. But truth be told, a secure product isn’t the only benefit that comes out of implementing this process–writing secure code also leads to real cost savings. The Aberdeen Group study also showed that companies adopting a “secure at the source” (Microsoft SDL-like) strategy realized a very strong 4.0-times return on their annual investments in application security. Forrester reconfirms this finding by stating that those practicing SDL specifically reported visibly better ROI than the overall population.
With a growing number of applications today, developers have no shortage of work. And the competition is also tough for developers. Every new software product and app must battle with competitive offerings. We’ve been in this situation before, and security too often took a back seat to the commercial pressures of being first to market, or to stand out with amazing features. But this time I hope it’s different. Cyber criminals are, unfortunately, a very real and common threat and the impact they can have on us as individuals and as organizations is well understood. As a result, organizations that use software must demand software products that are more secure, and developers must implement secure development as a means to satisfy that demand and stay competitive.