More and more enterprises are realizing the importance of proactive security practices, and those involved in critical infrastructure are no exception. One of the most effective ways to drive security improvements in critical infrastructure is through industry consensus. Microsoft has been deeply involved in collaborating with several critical infrastructure sectors to better understand their needs and to help improve their secure software development practices. A critical sector is financial services, where Microsoft has had a long-term collaboration with BITS, a part of the Financial Services Roundtable, made up of major US financial institutions that are responsible for almost 93 trillion in managed assets.
Today, BITS announced the release of their Software Assurance Framework. The purpose of this framework is to document the importance of secure development and to provide guidelines that financial services organizations can use to implement these practices more fully. The framework is rooted in education, integration of security into design using standards and threat modeling, best practices for coding, and focused and comprehensive testing, followed by important implementation and response practices. This type of holistic, prescriptive, risk-based approach has been a hallmark of Microsoft’s SDL since its inception back in 2004. The BITS Framework goes on to cite the Forrester Consulting study, which details the compelling economic (ROI) reasons to invest in an SDL program.
The framework was also designed to provide guidelines to software suppliers of the financial services industry in writing better, more secure software. BITS recognized the importance of making this an industry-wide effort, which is why we are extremely pleased to see it was made available to the public. Microsoft has been a strong advocate for improving secure development practices with free information and tools for many years now. The BITS framework is another great example of the importance of prescriptive security over descriptive security practices such as checklists.
Of note, this Framework was a collaborative effort that involved several financial services companies in conjunction with Microsoft. The BITS group contains some of the most experienced security people in the financial services industry working together to define clear guidance on the most critical software development best practices for financial services.
We encourage you to take a look at this important document and see how practices from Microsoft’s SDL have helped to make a difference in improving software security within the financial services industry.
– Doug Cavit