How vulnerable are software applications?

In a June 2007 report, the U.S. Government Accountability Office (GAO) described cybercrime as “having significant economic impacts and a threat to U.S. national security interests” and referenced a 2005 FBI survey estimating that U.S. businesses lost $67.2 billion because of cybercrime, and the estimated losses associated with identity theft in 2006 were $49.3 billion.

As much as everybody understands that cybercrime is serious, it isn’t clear to me that there is a broad understanding of where we are the most vulnerable.

According to the June 2007 Microsoft Security Intelligence Report, less than 10% of vulnerabilities disclosed through June 2007 were targeted at operating systems. With more than 90% of vulnerabilities targeted at the application layer, all software development organizations need to think seriously about security as it relates to applications.

It is important to note that large vendors are not the only ones whose applications are being targeted. The 2007 IBM Internet Security Systems X-Force report found that only 13.6% of the 6,437 new vulnerabilities disclosed in 2007 belong to the top five software vendors (Microsoft, Oracle, IBM, Apple, and Cisco).

A good question to ask in this context is “What is Microsoft doing to help developers build more secure applications?”

As software becomes the target for cyber criminals, it is more critical now than ever to make security an integral part of the software development process. Ever since Bill Gates’ 2002 Trustworthy Computing memo, Microsoft has been infusing security into its software development lifecycle with the goal of protecting customers by reducing the number and severity of vulnerabilities in code.

In hindsight, I am very glad to note that Developer Division was one of the SDL (Security Development Lifecycle) pioneers at Microsoft. The original “security push” in 2001 was on the .NET Common Language Runtime. The “security push” format was later applied to other Microsoft products and evolved to encompass the entire development lifecycle. In 2004 the SDL became a mandatory policy for all products at Microsoft (and DevDiv of course).

Silverlight is one recent and excellent example of how we leverage the SDL to enhance the security of our products. As an innovative and widely used web platform, Silverlight was developed with much attention to security and data privacy. Threat modeling, a method for analyzing security and privacy risks in the design phase, was used extensively to identify and mitigate potential attack vectors within the Silverlight framework. After the design stage, the threat models were used to focus the security efforts in the coding and testing phases of the development process. By emphasizing security and privacy early and throughout all stages of development, the Silverlight product team was able to not only enhance security, but also to surpass a higher bar of quality. In my mind, this is what the SDL is all about.

The Microsoft SDL is the industry-leading software security assurance process. The SDL has played a critical role in embedding security and privacy in Microsoft software and culture. Combining a holistic and practical approach, the SDL introduces security and privacy early and throughout the development process. As the images below clearly show, the SDL has led Microsoft to measurable and widely recognized security improvements in flagship products such as Windows Vista and SQL Server:

With attacks moving to the application layer, Microsoft is committed to supporting a more secure and trustworthy computing ecosystem by making SDL process guidance, tools and training available for every developer. I encourage you to learn more about the Microsoft SDL and how you can leverage SDL resources and best practices to “bake security in” to your software applications.

Namaste!