Whitepaper: Microsoft SDL Return On Investment - A well-managed software security program is a good investment at any time that can help minimize ongoing security-related maintenance costs while providing customers with a better security experience.
Cybercrime poses a significant financial threat
The rapid evolution of computer interconnectivity has had immense cultural and economic benefits. Unfortunately, this evolution has also enabled criminal activity that exploits this interconnectivity for financial gain and other malicious purposes:
- In a June 2007 report, the U.S. Government Accountability Office (GAO) described cybercrime as “having significant economic impacts” and claimed that the annual loss due to computer crime was estimated at $67.2 billion for U.S. organizations.
- In a 2008 study, the Ponemon Institute, LLC estimated the average cost of lost business per data breach for a company at $6.6 million, including lost business due to customer churn as a result of negative publicity.
Your applications are under attack
- Applications are the primary targets of cybercriminals
According to the Microsoft Security Intelligence Report v6, about 10% of vulnerabilities disclosed through December 2008 were targeted at Operating Systems (OS). With about 90% of vulnerabilities targeted at the application layer, all software development organizations are at risk.
- Both small and large organizations are targeted by cybercriminals
It is important to note that large vendors are not the only ones being targeted. The 2008 IBM Internet Security Systems X-Force report found that only 11% of all vulnerabilities disclosed in 2008 belonged to the top five software vendors (Microsoft, Oracle, IBM, Apple, and Cisco).
Security and privacy are most effective when "built-in" throughout the entire development lifecycle
We’ve seen that cybercriminals are increasingly attacking applications and that these attacks are extremely costly for organizations. Considering the risk and the impact of security incidents, it is critical to develop software applications with security in mind. From a financial and business perspective, it is very beneficial to eliminate security problems as early as possible in the software development process. The National Institute of Standards and Technology (NIST) estimates that code fixes performed after release can cost 30 times as much as fixes performed during the design phase.
The SDL has led to measurable improvements in the security of Microsoft products
The Microsoft SDL involves modifying an organization’s software development process by integrating measures that lead to improved software security and privacy. The intention of these modifications is not to totally overhaul the process, but rather to add well-defined security checkpoints and security deliverables that help minimize the quantity and severity of security vulnerabilities in software. In order to measure the effectiveness of the SDL, Microsoft uses metrics that serve as proxies for software security. These metrics include training coverage for engineering staff (at the beginning of the development lifecycle), and the rate and severity of vulnerabilities in software that has been released to customers. Decreased vulnerability rates for flagship Microsoft products that have been developed with the SDL demonstrate that the Microsoft SDL is an effective way to create more secure software. In addition to improved security effectiveness and efficiency, the reduction in vulnerability counts reduces the total cost of ownership (TCO) of your products, as customers need to deal with fewer patch events and security advisories. These improvements lead to increased customer satisfaction and trust, which have evident business value.
Leverage the Microsoft SDL in your organization
The Microsoft SDL process guidance section of this Web site provides detailed information on SDL requirements in each phase of the development process. In the face of cybercrime’s growing financial risk, your organization can leverage this proven software security assurance methodology to improve the security and privacy of your applications early on and throughout the development lifecycle.
If you need assistance with the implementation of the Microsoft SDL in your organization, read more about the Microsoft SDL Pro Network.