The Microsoft Security Development Lifecycle (SDL) has been used at Microsoft for more than eight years to help reduce the number and severity of vulnerabilities in Microsoft products and services, thus limiting the opportunities for attackers to compromise computers. Microsoft has freely shared the processes, tools and guidance that form the SDL for more than five years to help our customers, partners and industry colleagues also develop more secure software. However, it can be difficult to make a business case for the adoption and enforcement of a software development process that could be perceived as a “development tax”. Because of this I’ve had many customers ask me for case studies or ROI studies that help make the case for adoption in their organizations. This is where the SDL Chronicles can help.
The SDL Chronicles bring together the most compelling evidence of the positive benefits of adopting secure development processes. Four separate papers have been compiled to create the SDL Chronicles:
- Good Harbor Consulting
- Mid American Energy
- Itron, Inc
- Government of India
We start with a report from noted Washington D.C. security firm, Good Harbor Consulting, LLC on the importance and value of strategic security development for several sectors of the U.S. economy. Good Harbor Consulting examined cyber risk in critical infrastructure and concluded that software application companies are rewriting poorly written applications that leave cracks in online security. According to the report, “Cybersecurity challenges in the critical infrastructure environment may be difficult to address, but their consequences are too great to ignore…If end users and developers want to avoid government intervention and costly failures, while achieving real cost savings, the time is now to show their commitment to software developed using a security development process.”
MidAmerican Energy Company, a US-based utility corporation, adopted secure development practices following a series of cyber-attacks and “realized increased efficiency – including a 20 percent productivity gain resulting from less change during testing, improved communication between developers and testing, earlier design cycle decisions and fewer after-the-fact fixes to code.”
Itron, Inc., a US-based utility technology company stated that it “used the Security Development Lifecycle to drive new efficiencies in [its] business, enabling teams to spot previously overlooked weaknesses well in advance and save time and money in security testing. The SDL allowed for a more proactive approach, instead of just “looking for bugs.”
India is in the midst of an information technology boom, with IT revenue expected to triple in the next eight years. But as the nation’s prominence increases in the IT industry, India is an increasing target for cybercriminals. As a result, the Government of India included language calling for formalized security measures in its 12th Five Year Plan, which is a national statement of economic intent. IT professionals in India say that using the SDL saves on the expense of fixing breached code, the hard costs of lost data if there is an attack and the brand damage incurred when software turns out not to be as safe as expected.
I encourage you to download and read the SDL Chronicles to gain insight into the positive value that these organizations have realized as a result of adopting secure development practices. If you want more information – including access to the free SDL tools, processes and guidance – visit the Microsoft Security Development Lifecycle website.