The SDL & Critical Infrastructure Protection, the Return on Investment

Doug Cavit here, blogging from the Security Development Conference 2012 in Washington, D.C.

I am excited to announce a new set of important SDL Chronicles case studies detailing the efforts of two organizations to enhance their overall security posture using the SDL.  The Government of India and Itron, Inc. represent two very different but uniquely important components of the global critical infrastructure upon which we all depend daily. Both face the similar issues of trying to balance how they can privately combat cyber threats to their infrastructure while transparently talking about the processes they use to secure those assets. 

The first case study being released today is from the Government of India. The government believes the issue of proactive application security is so vital that it has incorporated the concept into the next draft five year economic plan for the country.  The government organizations CERT-in and National Informatics Centre have also adopted the use of secure application principles, as embodied in the Microsoft SDL. The case study gives a fascinating story of how the highest levels of government  view the subject of application security as a key economic and national security issue which extends to government operations, public-private partnerships and regulatory requirements.  The Government of India has made a public policy decision on application security and they are using process transparency to help communicate that commitment to all the government’s various constituents.  There is often a discussion of how to measure the return on security investments and how hard that is to do accurately.  When we talk about ROI, efficiency and scalability are key metrics.  One key element of the case study is how they use the SDL to deliver repeatable and scalable training to over 10,000 cyber forensic investigators.  As evidenced in this case study and the one below, there is now more direct evidence for organizations considering the adoption of secure application development to leverage the impact of the SDL and the return on investment it provides.  You can read more about the steps the Government of India is taking to secure its environment in the case study available for download.

The second case study is from Itron, Inc. and discusses their use of the SDL.  Itron realized early on that the Smart Grid, with all of its promise, also represents a potential for harm to the electrical network through external threats.  Their evaluation of proactive security practices led them to look to the Simplified Microsoft SDL as the best process to incorporate into their own secure development program.  Particularly interesting is the fact that they have also extended the SDL principles into looking not just at software applications but also the entire system including the firmware and the hardware.  Itron is already benefiting from their adoption of the SDL, as the process has given them a mechanism to communicate with customers who have been asking for proof of security in the products they buy.  By showing conformity to a well-established and transparent process they can demonstrate the considerations and features they are building into their products to decrease vulnerabilities and to limit the severity of attacks.  Itron has also seen some immediate ROI from this process.  Rather than spending large sums on outside vendors for testing, they have brought security tools and process in-house to resolve issues more rapidly with lower overall expense. This has also resulted in measurable productivity gains from a streamlined engineering process.  You can read more about the process Itron is using to secure its systems through a case study we have published for download here.

I also wanted to call attention to an important paper that Good Harbor Consulting LLC released during Richard A. Clarke‘s keynote yesterday at the conference – titled Confronting Cyber Risk in Critical Infrastructure: The National and Economic Benefits of Security Development Processes. The key tenet of the paper is that secure application development processes are core to securing critical infrastructure and that solid evidence of economic benefit coming from the use of these methods exists.  The paper includes information from many different providers and regulators of critical infrastructure and talks about the importance of SDL practices in achieving those results.  It is a comprehensive overview I would recommend for anyone interested in the critical infrastructure sector.  You can download a copy of the Good Harbor Consulting paper from here.

These three papers provide documented experience and direct evidence on the use of the SDL spanning a broad spectrum of critical infrastructure. Each of these papers discuss a common process and set of principles represented by the Microsoft SDL as well as tangible returns on investment when adopting these security practices.  This common approach is also being seen at the Security Development Conference 2012 where representatives from all of these critical infrastructure providers as well as leaders from over 100 other companies who have come together to share many of the best practices described in these papers and discuss their own experiences.  We are both humbled and excited about the adoption the SDL has gained in this important area and the value it has provided to others. Our hope is that more companies will benefit from reading case studies like these and will use that information to help accelerate their own unique adoption of SDL practices.


About the Author

Trustworthy Computing, Microsoft

Douglas Cavit helps protect and secure global critical information infrastructure through technology innovation and collaborative efforts with others in industry and government. Specifically, he drives forward the SDL process as a methodology to improve development and implementation of technology in Read more »