The costs and benefits of Microsoft's Secure Development Lifecycle
Last year Microsoft (NASDAQ: MSFT) saw its lowest level of critical vulnerabilities in five years, which was at least partly attributable to the Secure Development Lifecycle (SDL) component of its Trustworthy Computing Initiative. In an interview at Dark Reading, Steve Lipner, director of programming management for the initiative, discusses both the costs and the effects of SDL, as well as how his ideas about software security have evolved.
To measure the success of SDL, Microsoft looks to customer confidence, and that gauge has improved considerably since the Trustworthy Computing Initiative kicked off a decade or so ago, Lipner said. The company also reviews the number of flaws that require repair, the severity of those flaws and their impact on users. Additionally, it takes into consideration how hard it is to exploit vulnerabilities and cause real damage.
When asked about the cost of implementing SDL, Lipner said that the program is affordable although it's difficult to determine the exact cost. If you look at ROI in terms of reducing the number of vulnerabilities, there is a clear payoff. "There have been studies that show that fixing a bug in development is much cheaper than fixing after the product ships. But there is a big return on investment in terms of customer confidence," he said.
Microsoft is now working on SDL version 6, which will include tools that are easier for its product groups to apply. It is a continuous process of building on what is learned, Lipner said.
"Back when I started in this business, I thought we were going to build a secure system, prove it was secure mathematically, and we'd be done," he said. "But security doesn't work that way, so we continue to have to refine the process and make it more effective and easier to use."
For more:
- see the interview with Steve Lipner at Dark Reading