Secure software development key to business, says Microsoft

Software security and comprehensive development practices are becoming a competitive differentiator, according to Microsoft.

As cyber attacks become increasingly sophisticated, targeted and motivated by financial and political gain, no application is immune from attack, said David Ladd, principal group program manager, security engineering strategy, SDL evolution at Microsoft.

"Operational security measures such as web application firewalls and anti-virus are no longer enough, and organisations need to take a trusted stack approach to security that includes secure development practices," David Ladd said.

For this reason, governments and quasi-government organisations are expanding the focus from operational security to include development security along the lines of Microsoft's security development lifecycle (SDL).

As more organisations begin to understand this and acknowledge secure development requirements showing up in government regulations and guidelines, Ladd said purchasing decisions will increasingly include security considerations.

Independent software developers are looking to meet those demands for competitive advantage. These developers are looking for repeatable processes rather than descriptive approaches to security, which typically take the form of a list of top ten threats.

"We have noted a deliberate shift away from the descriptive approach towards actionable security measures," said Ladd. He said this is why Microsoft now publishes a simplified guide to implementing the SDL, which consolidates the 170-page SDL down to 17 pages and 16 practices.

The simplified guidance, which has notched up nearly 250,000 downloads since April 2008, is non-proprietary, platform-agnostic, suitable for organisations of any size and mapped to common regulations such as PCI.

The guidance, published under a creative commons licence to encourage adoption, enables other companies, besides big industry players such as Cisco and Adobe, to tap into the benefits of the SDL.

Energy holding company MidAmerican is one of the more recent success stories in adopting the SDL, said Ladd.

MidAmerican made the move after repeated cyber attacks and reduced bug counts by a factor of 100. The company estimated productivity gains of up to 20%, which provides independent validation of the SDL, Ladd said.

Other independent validation came from Forrester Research, which found those practising SDL reported better ROI. Aberdeen Group reported a four times ROI, higher than the find-and-fix and defend-and-defer approaches to software development.

Ladd believes security at development time is rapidly becoming conventional wisdom. He said the process will be firmly established practice in two years among enterprise developers, although it could take longer for niche developers.

"As security increasingly becomes a priority at executive level, developers will have to start paying attention," Ladd said.
