Wednesday, June 22, 2011

For your consideration: SDL Progress Report

Hello everyone, Dave here...

I wanted to take a few moments to alert you to a new Trustworthy Computing publication entitled "The SDL Progress Report." This work has been in progress for a number of months and integrates data and analysis from various groups in our organization. We hope you will find valuable information on the lessons of secure development at Microsoft, on how we have applied security science, and on the correlation between a comprehensive security process, risk reduction and organizational effectiveness.

If there is one enduring truth we have learned over the years, it is that security threats are not static; as a result, our work to secure software development and to evolve the SDL to stay ahead of complex attacks will never be finished. We believe that our SDL tools and processes add value and should be shared widely with the security ecosystem, because a collective effort is needed to meet the threats facing computer users around the world.

The first section of the document focuses on the history of the Microsoft SDL since its early days, highlighting important milestones in the development of the SDL process. As we collected material for this section of the document, it turned out to be an interesting history lesson: starting from the original TwC memo from Bill Gates in 2002, it traces the incorporation over time of the large number of processes and technologies that make up the SDL as it is practised today.

For example, some of the theoretical foundations of the threat modeling process (including STRIDE) are based on a document written by Praerit Garg and Loren Kohnfelder in 1999. We would be remiss if we did not include a "tip of the hat" to the security researcher community. We noticed increased use of fuzzing techniques to find vulnerabilities from the late '90s onward. In keeping with the "use what works" philosophy here, we integrated fuzzing into the SDL in its early days, and we remain aggressive advocates of fuzz testing to this day.

In the second section of the document, Matt Miller has done an excellent job of illustrating our ongoing commitment to security science. Beyond going into detail on the mitigation techniques required by the SDL, the security science section presents some interesting information on the adoption of these techniques by a cross-section of the ISV community.

We surveyed 41 popular applications from around the world to evaluate their use of technologies such as ASLR and DEP. In addition, we did further analysis looking at the use of these technologies in four European countries: France, Germany, Russia and the United Kingdom. I would encourage you blog readers to take a look; the results are telling. For example, ASLR use across the 41-app sample was mixed: 34% enabled full support, 46% enabled partial support and (unfortunately) 20% did not support ASLR at all in their applications. Lots of data, and much perceptive analysis...
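As an added example (not part of the report or of this post), here is how the kind of opt-in survey described above can be checked on a binary: the ASLR and DEP opt-ins live in the DllCharacteristics field of the PE optional header, ASLR only takes effect if the linker kept the relocation table, and the "full" versus "partial" distinction depends on whether every module an application loads opts in. The minimal PE headers built by `make_pe` are constructed for the demonstration and are not loadable binaries.

```python
import struct

# Flag values from the PE/COFF specification
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # /DYNAMICBASE: opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # /NXCOMPAT: opts in to DEP


def pe_mitigations(data: bytes) -> dict:
    """Read ASLR/DEP opt-in status from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                    # COFF file header (20 bytes)
    size_opt, coff_chars = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20                        # optional header follows COFF header
    if size_opt < 72:
        raise ValueError("optional header too short for DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):        # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    # /DYNAMICBASE only takes effect if the relocations were not stripped
    relocatable = not (coff_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "aslr": bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) and relocatable,
        "dep": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def aslr_coverage(modules: dict) -> str:
    """Classify an application by its modules: 'full', 'partial' or 'none'."""
    flags = [pe_mitigations(image)["aslr"] for image in modules.values()]
    if all(flags):
        return "full"
    return "partial" if any(flags) else "none"


def make_pe(dllchars: int, coff_chars: int = 0x0002) -> bytes:
    """Constructed minimal PE32+ header for the demo (not a loadable binary)."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)          # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 96, coff_chars)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    struct.pack_into("<H", opt, 70, dllchars)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

On a real system the same check is run over every module the process actually loads, since one non-opted-in DLL is enough to leave a predictable address in the process.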

As mentioned above, one of the goals in writing this article was to illustrate the point that using a holistic development process is a good idea: a holistic security process leads to risk reduction, but it also tracks with increased organizational effectiveness. Two recent studies published by Forrester Research and the Aberdeen Group lend credence to this statement.

A Forrester Consulting thought leadership paper (full disclosure: the study was sponsored by Microsoft) concluded that end-to-end security approaches reduce risk and increase ROI, and that those who use the SDL (or an SDL-like process) report significant ROI gains compared with organizations that do not take a coordinated approach.

In addition, the Aberdeen Group (independent research) concluded that the average investment in a comprehensive security process is $400k, while the average cost of fixing a critical vulnerability after the application has been deployed is close to $300k per vulnerability. It requires no great intellectual feat to conclude that a deliberate find-and-fix approach to vulnerabilities pays for itself very shortly after the first critical vulnerability in a development project is found and fixed before release. Finally, Aberdeen's respondent companies reported a 4x annual return on investment for those adopting a deliberate approach to application security.

Two things struck me as I worked with Matt and others on the creation of this report.

First of all, to advocate a point of view, I think the days of "easy to find" vulnerabilities are over. Note, I am not saying there are no easy vulns still out there; I know the security research community will continue to find issues rooted in process, human error or equipment failure. That said, Microsoft is seeing an increase in the number of attacks that are unique and complex. For example, the attack on IE8 in the CanSecWest contest required three individual vulnerabilities, and two of those had already been fixed through the SDL by the time it was announced. This is a very innovative approach, and it illustrates my point: we are seeing more complex "edge" cases, not the traditional stack overflows we witnessed five years ago.

Second, I remain convinced that "basic checklist" security approaches (while a useful starting point) are not a good long-term bet for development organizations concerned about security. Until recently, claims about the effectiveness of holistic approaches were based on anecdotal data and gut feel. I think that over time, IT organizations will face the need for something more than the typical "how do I stack up against process X?" or the latest security popularity contest. Therefore, the adoption of dynamic end-to-end security processes, like the SDL, that track the threat environment and adapt process and technology accordingly will increase.

Thank you for reading; download the report and sound off, loudly, on what you think!

Dave

P.S. Stay tuned for more details on how the SDL is being used by real organizations to address their security challenges.

P.P.S. Follow our Twitter feed http://twitter.com/msdl for more information about SDL news releases, events and news!
