Developers should be doing more to secure consumer applications, according to a new report from the Security Development Lifecycle team. The SDL Progress Report shares data and analysis from various groups in our organization. We hope you find valuable information in it on the secure development lessons learned at Microsoft, on how we've applied security science, and on the correlation between holistic security processes, risk reduction, and organizational efficiency.

We surveyed 41 popular applications in use worldwide to assess their use of exploit mitigations such as address space layout randomization (ASLR) and Data Execution Prevention (DEP). In addition, we did a further analysis of the use of these technologies in four European countries - France, Germany, Russia and the UK. I'd encourage you to take a look - the results are eye-opening. For example, ASLR usage across the sample set of 41 apps is mixed: 34% enabled full support, 46% partially enabled support and (unfortunately) 20% did not enable ASLR support in their applications at all. Partial support matters, because a single module loaded at a predictable address hands an attacker the fixed code addresses that ASLR is meant to take away. Lots of great data, lots of insightful analysis.
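As an added example (not code from the report or from the SDL team's tools), here is how the opt-in flags the survey looked at can be read straight out of a Windows image's PE headers: a linker requests ASLR by setting the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit and DEP by setting IMAGE_DLLCHARACTERISTICS_NX_COMPAT in the optional header's DllCharacteristics field, and an image whose COFF Characteristics carry IMAGE_FILE_RELOCS_STRIPPED cannot actually be relocated even if it asks for ASLR. The report's exact rule for "partial" support is not on this page, so the bucketing used here (every shipped module randomized, only some, or none) is an assumption, and the sample headers are constructed inline rather than taken from any real product.

```python
import struct

# Flag values from the Microsoft PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001               # COFF header Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # optional header DllCharacteristics (64-bit, Windows 8+)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100


def pe_mitigations(image: bytes) -> dict:
    """Parse a PE image's headers and report its ASLR/DEP opt-in state.

    'aslr' is only True when DYNAMIC_BASE is set AND relocations are present,
    since the loader cannot move an image that has no .reloc data.
    Raises ValueError for anything that is not a well-formed PE header.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    opt = coff + 20                      # optional header follows the 20-byte COFF header
    if len(image) < opt + 72:
        raise ValueError("truncated headers")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _m, _n, _t, _p, _s, opt_size, characteristics = struct.unpack_from("<HHIIIHH", image, coff)
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "aslr": dynamic_base and not relocs_stripped,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def classify_app(images) -> str:
    """Bucket an application (its EXE plus the DLLs it ships) as 'full', 'partial'
    or 'none' ASLR support. Assumed rule: all modules / some modules / no modules."""
    randomized = [pe_mitigations(img)["aslr"] for img in images]
    if all(randomized):
        return "full"
    if any(randomized):
        return "partial"
    return "none"


def make_pe_header(dll_characteristics: int, characteristics: int = 0x0002,
                   pe32plus: bool = False) -> bytes:
    """Build a minimal constructed PE header (not a runnable binary) carrying the given flags."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0,
                       opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed sample "application": an EXE with both mitigations, a DLL with DEP
    # only, and a DLL linked with /DYNAMICBASE but with its relocations stripped.
    modules = [
        make_pe_header(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        make_pe_header(IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        make_pe_header(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE,
                       characteristics=0x2002 | IMAGE_FILE_RELOCS_STRIPPED),
    ]
    for i, m in enumerate(modules):
        print(f"module {i}: {pe_mitigations(m)}")
    print("application:", classify_app(modules))
```

To check a real binary, pass `open(path, "rb").read()` to `pe_mitigations`. The third sample module is the case worth remembering: it carries the DYNAMIC_BASE flag, so a naive flag-only check would count it as protected, but with relocations stripped the loader leaves it at its preferred base and the application as a whole only rates "partial".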

One of the goals in writing this paper was to illustrate that using a holistic development process is more than just a good idea: applying security process across the whole lifecycle leads not only to risk reduction but also to increased organizational efficiency. Two recent studies published by Forrester Research and the Aberdeen Group lend credence to that assertion.

Also included in the document is a history of the Microsoft SDL from its earliest days. For example, some of the theoretical underpinnings of the threat modeling process (most notably STRIDE) are based on a paper written by Praerit Garg and Loren Kohnfelder in 1999.

Important Lessons

  • If we have learned one prevailing truth over the years, it's that security threats aren't static - as a result, our work developing secure software and evolving the SDL to stay ahead of complex attacks will never be done.
  • Those using the SDL (or SDL-like processes) report notable ROI gains relative to organizations that don't take a coordinated approach.
  • It requires no great intellectual feat to conclude that a deliberate approach to finding and fixing vulnerabilities pays for itself very shortly after the first critical vulnerability in a development project is found and fixed prior to release.
  • We're seeing more complex "edge cases" - not the traditional stack overflows that we were seeing five years ago.
  • I think that over time, IT organizations will be confronted with the need for something more than the typical "How do I stack up against Process X?" or the latest security popularity contest.

For More Information

See For your consideration: The SDL Progress Report on the SDL Team Blog.

To get started with the Security Development Lifecycle and to download the free tools, see the SDL Portal.


Bruce D. Kyle
ISV Architect Evangelist | Microsoft Corporation
