Vulnerability Management

Software is integral to business operations for most organizations. Unfortunately, the increasingly indispensable nature of software-based systems has also made them high-value targets for cyber crime.

Today, most of the vulnerabilities targeted by cyber criminals are at the application level rather than at the operating system or network levels. The cost of fixing these vulnerabilities after release is very high because it includes:

· Incident response

· Customer compensation

· Penalties for compliance violations

· Short-term fixes

· Cost to remediate the problem

When a cyber attack succeeds before a vulnerability is fixed, the cost of remediation grows higher still.

Although recognition of the importance of secure systems is growing, software security must still compete for a place in an increasingly tight enterprise budget. However, a well-optimized security program can reduce the overall cost of developing an application and of the business process it enables, by integrating security at several layers to mitigate the risks the company and its software face.

One proven model is to incorporate security into every stage of the software development lifecycle. The Microsoft Security Development Lifecycle (SDL) is one such comprehensive process, offering a widely adopted software security methodology that embeds security and privacy throughout the software development process.

The SDL delivers real cost savings:

· When security practices enter the development process as early as possible, the cost of fixing many vulnerabilities drops dramatically, because a flaw caught in design or implementation costs far less than one caught in production.

· A structured approach to security makes the process more predictable, can significantly improve its efficiency, and lets the security team direct its resources top-down to the activities with the greatest leverage.

· It is cheaper to define security requirements up front than to rely on a final verification pass to find problems.

· A combination of high-level analysis, low-level review, metrics-based risk management, and tooling can provide an optimal, measurable ROI.

By following a defined process like the SDL, vulnerabilities are more likely to be found and fixed before the application is deployed, which reduces the total cost of software development.

Improving the security of a system makes it more reliable and less expensive to operate in several ways. While software security efforts require some resource commitment, a significant ROI can often be achieved from a small initial expense. Careful use of metrics allows the effects of the investment to be tracked, and those same metrics support long-term improvement of security ROI and overall effectiveness.

Understanding software security problems is a foundational part of building better software. A recent survey conducted by Forrester Consulting noted that none of the 7 company executives who responded selected “lack of time to perform security tasks” as a challenge for implementing a secure development program. Rather, they cited “lack of security expertise”… as a top challenge. It is therefore essential to know what talent is available in-house and where to look for expert advice.

Aujas is a member of the Microsoft SDL Pro Network, a group of security consultants, training companies, and tool providers that specialize in application security and have substantial experience with the methodology and technologies of the SDL. We can help you make security and privacy an integral part of how software is developed for your company.


For more information about Aujas and the Microsoft SDL Pro Network, contact Karl Kispert at karl.kispert@aujas.com.