For your consideration: The SDL Progress Report

I wanted to take a few moments to alert you to a new publication from Trustworthy Computing entitled “The SDL Progress Report.”  This work has been in progress for a number of months and incorporates data and analysis from various groups in our organization. We hope you find valuable information on secure development lessons learned at Microsoft, how we’ve applied security science, and the correlation between holistic security processes, risk reduction, and organizational efficiency.

If we have learned one prevailing truth over the years, it’s that security threats aren’t static – as a result, our work developing secure software and evolving the SDL to stay ahead of complex attacks will never be done. We believe our SDL tools and processes add value and should be shared broadly with the security ecosystem – a collective effort is needed to meet the threat to computer users worldwide.

The first section of the document focuses on the history of the Microsoft SDL from its earliest days -highlighting important milestones in the development of the SDL process.  As we collated material for this section of the document, it wound up being an interesting history lesson; starting with Bill Gates’ original TwC memo in 2002, it pinpoints the inclusion of many of the processes and technologies over time that make up the SDL as it is practiced today.

For example, some of the theoretical underpinnings of the threat modeling process (most notably STRIDE), are based on a paper written by Praerit Garg and Loren Kohnfelder in 1999. We would be remiss if we failed to include a “tip of the hat” to the security researcher community. We noticed increased use of fuzzing techniques to find vulnerabilities starting in the late ’90’s. In keeping with the “use what works” philosophy here, we integrated fuzzing in the early days of the SDL – we remain aggressive advocates of fuzz testing to this day.

In the second section of the document, Matt Miller did an excellent job at illustrating our ongoing commitment to security science.  In addition to going into detail on some of the mitigation techniques required by the SDL, the security science section exposes some interesting data about the adoption of these techniques by a section of the ISV community.

We surveyed 41 popular applications in use worldwide to assess the use of technologies like ASLR and DEP.  In addition, we did a further analysis to look at the use of these technologies in four European countries – France, Germany, Russia and the UK.  I’d encourage you blog readers to take a look – the results are eye-opening.  For example, ASLR usage across the sample set of 41 apps is mixed – 34% enabled full support, 46% partially enabled support and (unfortunately) 20% did not enable ASLR support in their applications.  Lots of great data, lots of insightful analysis…

As mentioned above, one of the goals in writing this paper was to illustrate the point that using a holistic development process is more than just a good idea – application of security process in a holistic fashion leads not only to risk reduction, but also leads to increased organizational efficiency.  Two recent studies published by Forrester Research and the Aberdeen Group lend credence to that assertion.

The Forrester Consulting thought leadership paper (Full Disclosure: a Microsoft sponsored study) concludes that end to end approaches to security reduce risk and increase ROI; and those using SDL (or SDL-like processes) report notable ROI gains relative to those organizations who don’t take a coordinated approach.

In addition, Aberdeen Group (independent research) found that the average investment in holistic security processes is $400k – while the average cost to fix a critical vulnerability after application deployment, hovers around $300k per vulnerability.  It requires no great intellectual feat to conclude that a deliberate approach to finding and fixing vulns pays for itself very shortly after the first critical vulnerability in a development project is found and fixed, prior to release. Finally, the companies Aberdeen surveyed reported a 4x return on annual investment for those that take a deliberate approach to achieving application security.

Two things struck me as I worked with Matt and others on the creation of this report.

First, from a defender standpoint, I believe that the days of “easy find” vulnerabilities are over.  Mind you, I am not saying that there are no easy vulns still out there – I know the security researcher community will continue to find problems based on some failure of process, tooling or human error. That said, Microsoft is seeing an uptick in the number of attacks that are unique and complex. For example, the attack against IE8 at the CanSecWest “Pwn2Own” competition required exploitation of three individual vulnerabilities – and two of those had already been fixed using the SDL for IE9.  It was a very innovative approach – that helps to illustrate my point.  We’re seeing more complex “edge cases” – not the traditional stack overflows that we were seeing five years ago.

Second, I remain convinced that “list based” approaches to security (while initially helpful) are not a good long term bet for development orgs concerned about security. Until recently, claims about the effectiveness of holistic approaches were based on anecdotal data and gut feel.  I think over time, IT orgs will be confronted with the need for something more than the typical “How do I stack up against Process X?” or the latest security popularity contest. Consequently, the adoption of dynamic end to end security processes – like the SDL – that track the threat environment and adjust process and technology accordingly, will increase.

Thanks for reading – download the report and sound off about what you think!


P.S. Stay tuned for more details on how the SDL is helping real organizations with IT security challenges.

P.P.S. Follow our Twitter feed for more information on SDL related releases, events and news!

About the Author
Dave Ladd

Principal Security Group Program Manager