Microsoft alerts business to cost benefits of secure software

The software industry can do a lot better to improve the security of applications, says Microsoft.


Most of the thousands of high severity vulnerability disclosures in applications each year are relatively easy to exploit, according to Microsoft's latest Security Development Lifecycle (SDL) Progress Report.

Some developer organisations are starting to understand the importance of secure development, but for many there is still much that can be done, says Steve Lipner, senior director of security engineering strategy at Microsoft.

The main reason for this, he told Computer Weekly, is that not all developer organisations are aware that there are several effective and affordable mitigations that can be easily built into their applications without affecting compatibility.


The SDL Progress Report is aimed at giving developers a background to Microsoft's SDL and illustrating the business benefit that the software maker is seeing after nine years of investment in secure development processes.

The report is not only aimed at the development community, says Lipner, but also IT decision makers in the public and private sectors, to make them aware of how securely developed software can translate into a real return on investment.

The US National Institute of Standards and Technology (NIST) estimates that code fixes performed after release can result in costs 30 times that of fixes performed during the design phase, says the Microsoft report.

It also cites Aberdeen Group research published in December 2010 that found organisations that implemented structured programmes for security development realised a return of four times on their investments in application security.

More software developers are likely to adopt the SDL or something like it if CIOs and CISOs all start to demand proof that any software they buy is developed securely and includes all the basic threat mitigation techniques available.

These techniques include Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP).

Despite the fact that ASLR was introduced in Windows Vista to randomise the memory location of software components such as DLLs to stop hackers accessing them reliably on every PC, it is fully enabled by only 34% of applications surveyed by Microsoft, with 19.5% not supporting it at all.

DEP, which was introduced even further back in Windows XP Service Pack 2 to stop attackers executing machine code from areas of memory reserved for data, is not used by almost a third of applications surveyed by Microsoft.

The report details five other mitigation techniques that are available to software developers to counter common threats.

Lipner says experience has shown that government-led software assurance programmes have not been as effective as they should have been, which is why he believes the software industry should take the lead in defining software security standards and developing best practices to guide future legislation and regulation.

Microsoft, Cisco and Adobe are among the software and hardware suppliers that are members of the Safecode industry organisation to share best practice, but Lipner says the more developers that collaborate, the more trustworthy computing will become.
