Businesses are unnecessarily exposing themselves to cyber attack simply by failing to update to the latest versions of the software they are running, according to Microsoft and Adobe.
Both companies develop their products under a security development lifecycle (SDL), an approach Microsoft first introduced in 2004. Adobe adopted and adapted it, rolling it out across its product teams between 2009 and 2010 and beginning the first phase of automating it in 2010 to 2011.
The SDL, which Adobe calls the secure product lifecycle (SPLC), is integrated into the development lifecycle and enables continuous improvement in the security posture of software products, said Steve Lipner, senior director, security engineering strategy, at Microsoft's Trustworthy Computing (TwC) group.
Security development lifecycle effectiveness
Microsoft points to the drop in vulnerabilities between Windows Vista and Windows 7 as evidence that the SDL works and can keep pace with a changing threat landscape.
An early version of the SDL was used in the development of Vista, said Lipner, but that version of the process did not include threat modelling. The process was much more mature by the time Windows 7 was built, and Windows 7 had about 50% fewer vulnerabilities detected in its first year after release than Vista did.
The effect was even more marked for SQL Server: after the SDL was introduced for SQL Server 2005, Microsoft recorded a 91% reduction in vulnerabilities. The number of vulnerabilities disclosed in the first 36 months after release fell from 34 for SQL Server 2000 to three for SQL Server 2005, compared with 187 for a competing commercial database over the same period.
Popular software is hacker target
Adobe turned to Microsoft's SDL to accelerate the hardening of its products as attacks began to move beyond the operating system to target applications, particularly Adobe Flash Player and Adobe Reader, which the company estimates are installed on around 98% of the world's PCs.
A large install base, a rich feature set and compatibility with a broad range of platforms have made these applications a target, said Brad Arkin, senior director, product security and privacy, at Adobe: that is where the users are, and that means a bigger return for criminals.
Adobe's security strategy is to keep customers up to date by simplifying the updating process, to enhance overall application security through the SPLC, and to engage with the security community and the rest of the software industry to help prioritise and guide projects.
Despite these efforts, Arkin says he often has to face angry chief information security officers. But these CISOs, he says, are typically running older versions of Adobe software and of Microsoft Windows that are not as robust as the latest releases.
Software updates feature increased security
The latest versions of Adobe Reader and Adobe Acrobat, introduced in November 2010 and June 2011 respectively, have shown a marked improvement in security over their predecessors.
"I am very happy with the results as there has not been a single successful malicious PDF exploit attack against either Adobe Reader X or Adobe Acrobat X since their release," said Arkin.
He attributed this to a whole host of security improvements made through the SPLC, including a protected mode that applies the sandboxing techniques used by Microsoft and Google to isolate the PDF rendering process.
That attackers have continued to find ways of exploiting Reader 9 shows that businesses can reduce their risk of attack by moving to the latest version of the software they run and by applying new patches as quickly as possible, said Arkin.