Businesses need to understand the critical importance of secure software development in defending against hackers.
"Businesses need to look at their reliance on software and consider the importance of secure development to their organisation and customers," said David Ladd, principal security group program manager at Microsoft.
To help get this message out, Microsoft held its first Security Development Conference in Washington in May 2012.
The event attracted 240 attendees from 115 organisations around the world and presenters from 30 different organisations.
Speakers included Microsoft's Scott Charney, corporate vice-president of trustworthy computing; Richard Clarke, former special advisor to the US president for cyber security; and Michael Hayden, former director of the CIA and US National Security Agency.
"The response to the event was a clear indication that the time has come for a focus on developers and security," said Ladd.
Collaboration on secure development
He called on business organisations to take advantage of industry resources.
These include Microsoft's own Security Development Lifecycle (SDL), for which the company claims over one million free downloads since April 2008.
"We encourage organisations to grab what suits them and implement it in their organisations," said Ladd.
He also called on organisations to collaborate with their peers to learn from others who have implemented secure development and share best practices.
"Anyone working for an organisation not doing that should ask why not, and if their organisation is, they should be asking how they can get involved," said Ladd.
Independent software suppliers implementing SDL practices include Adobe, in its Secure Product Lifecycle; and Cisco Systems, in its secure development lifecycle.
Microsoft customers implementing SDL practices include energy holding company, Mid American, and smart grid software supplier, Itron.
Five security challenges
There are five security challenges driving the need for an SDL to be more proactive through security by design, said Ed Paradise, vice-president of the global government solutions group at Cisco.
These are:
Systemic challenges found in all phases of development; The epidemic nature of threats; Persistent problem of critical defects; The costly impact of late phase detection; The heightened awareness and concern of customers.
Paradise said Cisco had been evolving product security since 2004, putting in place the first version of its secure development lifecycle in 2009, with input from Microsoft's SDL.
"Customers and developers now recognise the importance of security in products as a differentiator," Paradise said.
To maintain and expand security awareness at Cisco, the company set up a security team of more than 160 security advocates and implemented a regular security training programme.
Government attention to smart grid security is one of the top reasons for implementing an SDL, said Ido Dubrawsky, head of the security engineering team in the office of the CTO at Itron.
Measurable return on secure development
"Lifecycle approach to security ensures that potential vulnerabilities are addressed before a product ships, rather than patching a vulnerability afterwards," Dubrawsky said.
According to Gartner, if 50% of vulnerabilities are removed before software goes into the production environment, enterprise management and incident response costs are reduced by 75%.
In the face of easy-to-use hacking tools such as Metasploit, Itron realised they needed to improve standards to protect their smart grid systems.
An SDL also meets customer requirements for documentation of development practices and standards, documentation of coding practices and a robust level of error handling.
Itron did not want to bolt on security because that does not work, said Dubrawsky. The company wanted to reduce the cost of developing and deploying software.
Costs for fixing vulnerabilities increase dramatically in the later stages of development and after the software is released, Dubrawsky said.
Itron chose Microsoft's SDL as a model for its own secure development lifecycle because it was a tried and tested framework.
"I hope other suppliers in the utility industry follow our lead; we would like to see them adopt an SDL because it is a critical part of national infrastructure," said Dubrawsky.
Benefits of an SDL include improved code, reduced vulnerabilities and increased customer and industry confidence, he said.
According to Dubrawsky, Itron has a measurable return on investment in reduced development costs, with 50% fewer bugs found in code since the introduction of an SDL in 2010.
