Developers should be doing more to secure consumer applications, according to a new report from the Security Development Lifecycle team. The SDL Progress Report shares data and analysis from various groups in our organization. We hope you find valuable information on secure development lessons learned at Microsoft, how we've applied security science, and the correlation between holistic security processes, risk reduction, and organizational efficiency.
We surveyed 41 popular applications in use worldwide to assess their use of technologies like Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). In addition, we did a further analysis of the use of these technologies in four European countries - France, Germany, Russia and the UK. I'd encourage you to take a look - the results are eye-opening. For example, ASLR usage across the sample set of 41 apps is mixed - 34% enabled full support, 46% partially enabled support and (unfortunately) 20% did not enable ASLR support in their applications. Lots of great data, lots of insightful analysis.
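The full/partial/none distinction above comes down to per-binary linker opt-ins: ASLR requires the DYNAMIC_BASE flag in the PE optional header (and is only effective if relocations were not stripped), and DEP requires NX_COMPAT. The following is an added example, not code from the report or from Microsoft, that reads those flags from PE headers and classifies a set of binaries the way the survey does; the header-only sample images are constructed for the example and are not real executables.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics: no .reloc, cannot be rebased
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # /DYNAMICBASE, opt-in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # /NXCOMPAT, opt-in to DEP

def pe_mitigations(data: bytes) -> dict:
    """Return ASLR/DEP opt-in status read from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                      # 20-byte COFF file header
    size_opt, characteristics = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20                                          # optional header follows COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                          # PE32 or PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if size_opt < 72:
        raise ValueError("optional header too short for DllCharacteristics")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)  # same offset in PE32 and PE32+
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        "aslr_effective": dynamic_base and not relocs_stripped,  # flag set but unrelocatable = no ASLR
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }

def aslr_coverage(images) -> str:
    """Classify an application's binaries as the report does: full / partial / none."""
    flags = [pe_mitigations(img)["aslr_effective"] for img in images]
    if flags and all(flags):
        return "full"
    return "partial" if any(flags) else "none"

def build_sample_pe(dll_chars: int, characteristics: int = 0, magic: int = 0x10B) -> bytes:
    """Constructed header-only PE image for offline testing (not a runnable binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # exactly 0x40 bytes
    opt_size = 96 if magic == 0x10B else 112
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Run `pe_mitigations(open(path, "rb").read())` on a real image to see its opt-ins; a binary with DYNAMIC_BASE set but relocations stripped reports `aslr_effective` as False, which is the case a flag-only check misses.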
One of the goals in writing this paper was to illustrate the point that using a holistic development process is more than just a good idea - application of security process in a holistic fashion leads not only to risk reduction, but also leads to increased organizational efficiency. Two recent studies published by Forrester Research and the Aberdeen Group lend credence to that assertion.
Also included in the document is a history of the Microsoft SDL from its earliest days. For example, some of the theoretical underpinnings of the threat modeling process (most notably STRIDE) are based on a paper written by Praerit Garg and Loren Kohnfelder in 1999.
See "For your consideration: The SDL Progress Report" on the SDL Team Blog.
To get started with the Security Development Lifecycle and to download the free tools, see the SDL Portal.
Bruce D. Kyle ISV Architect Evangelist | Microsoft Corporation