
'Roadblocks' prevent secure development

By Kirsten Doyle, ITWeb contributor.
San Francisco, 15 May 2013

Most software developers recognise the importance of security development, however, the vast majority of businesses do not build their products and services with security in mind.

This was revealed by Steve Lipner, partner director of Software Security, Trustworthy Computing Security, at Microsoft, speaking yesterday at the Microsoft Security Development Conference in San Francisco.

A study commissioned by the company in November 2012 found that a mere 37% of surveyed IT professionals have adopted security development. In addition, 61% of developers are not taking advantage of existing mitigation technologies.

Over 2 200 IT practitioners and 490 developers across the globe were surveyed. Lipner said the findings were concerning, particularly as the number of people connected to the Internet has grown from 350 million a decade ago, to over 2.4 billion today. "Secure development isn't happening to the extent that it should be."

Too often in the past, security has taken a back seat to pressures such as being first to market. Today there are still three major roadblocks preventing businesses from adopting security development processes: lack of management approval, lack of training and support, and cost.

He said standardisation and compliance can assist in overcoming many of the barriers associated with management approval. "Where there are standards, management understands and is willing to say that this is something they should be doing."

The International Organization for Standardization (ISO) has released ISO 27034-1, a new international standard that focuses on processes and frameworks needed to build a comprehensive software security program. "ISO standards can be a force for demand and management acceptance."

Lipner says ISO is a huge step in the right direction for security, and Microsoft has publicly conformed to this standard. In this way, the company hopes to lead by example for other organisations.

The ISO 27034-1 standard offers a common validation language for security development practices, and straightforward and clear steps to adopting a security development framework. "Adopting this standard could be a potential competitive differentiator for customers," says Lipner.

He says for customers buying software or services from vendors, the standard provides a single "language" for buyers to demand secure development across industries, platforms and regions.

In terms of training and support, Lipner says Microsoft offers free, downloadable tools and guidance on its secure development Web site. He adds that the company's partner network includes several members willing to help customers adopt secure development.

The final barrier, cost, is often misunderstood. "In the long haul, secure development is less expensive than not doing secure development."

Although cost is cited as a major hindrance to adopting a security development framework, secure development leads to real cost savings. He says the Aberdeen Group did a study that clearly revealed that securing at the source results in cost savings. Forrester Research concurred with the findings, and stated that those practising SDL specifically reported significantly better return on investment than those that don't.

Lipner says today's threats are very real, and their potential impact well understood. As a result, businesses that use software must demand secure software products, and developers must implement secure development if they wish to stay competitive.
