While endpoint security products, firewalls, data loss prevention (DLP) products and a host of other security offerings can help you boost your IT security, Microsoft would like to remind administrators and business decision makers that arguably the most vulnerable part of your company may be the applications that you and your end-users rely on to meet your daily business objectives.
Earlier today I spoke with David Ladd, a Principal Security Program Manager for the Security Engineering Strategy Team at Microsoft. Ladd stressed how important it is for all admins, senior IT managers and developers to "bake in" a holistic security approach throughout the software development process, not just after deployment. Ladd said that Microsoft encourages developers to use its Security Development Lifecycle (SDL), which outlines best practices for developers and admins to follow when it comes to application development and deployment.
"Security threats are on the increase, and roughly 80% of attacks are directed at applications," Ladd said. He also pointed out that while most modern browsers have impressive security credentials, that strength forces attackers to stage more complicated attacks. As an example, Ladd said that the recent takedown of IE8 (and other browsers) at the CanSecWest "Pwn2Own" competition required complex, multi-stage attacks. "That attack required exploitation of three individual vulnerabilities, two of which were fixed with the release of IE9. It was an innovative approach that underscores how complex and sophisticated this new breed of attacks has become."
Ladd pointed to some research done by the Aberdeen Group that revealed the average cost of using an SDL-style security process when developing applications was about $400,000. The same report indicated that the cost to fix an application security failure was about $300,000 per security failing. (See the full Aberdeen report here.)
In a post earlier today on the SDL blog, Ladd argues that business stakeholders and developers need to take a more proactive approach to security that begins before the first line of code for an application is written:
"I think over time, IT orgs will be confronted with the need for something more than the typical 'How do I stack up against Process X?' or the latest security popularity contest. Consequently, the adoption of dynamic end-to-end security processes - like the SDL - that track the threat environment and adjust process and technology accordingly, will increase."
Are your application developers using the SDL development process? Let me know what you think by commenting on this blog post or following me on Twitter.