Attacks increasingly target applications rather than operating systems, and they pose a significant threat to your customers and to sensitive information. Every company is a potential target, irrespective of its size.
Microsoft has faced the same challenges as your company for many years and has addressed them by developing the Security Development Lifecycle (SDL). Flagship Microsoft products developed with the SDL show measurably reduced vulnerability counts after release, which enhances the security and privacy of the Microsoft platform and better protects customers from malicious and costly attacks.
The SDL has proven to be effective at Microsoft – now n.runs will help you to leverage the same process in your organization.
The core elements of the Microsoft SDL are very close to the main elements of the n.runs SDL training and consultancy practice. n.runs is a member of the Microsoft SDL Pro Network, a group of security consultants and trainers who specialize in application security and have substantial experience with the methodology and technologies of the SDL. Based on this long-term experience, n.runs is committed to helping application developers address their current security problems by assisting them with the implementation of the SDL in their own environment. n.runs will help you develop more secure applications and reduce the risk of malicious and costly attacks.
The services offered by n.runs are available to companies of all sizes. Closely following the SDL, these services span the entire lifecycle and make security and privacy an integral part of how software is developed.
n.runs provides SDL services in the following capability areas:
- Training, policy and organizational capabilities, including security training and general counsel on how to implement the SDL
- Requirements and design, including risk analysis, security requirements and threat modeling
- Implementation, including use of safe APIs, static code analysis and code review
- Verification, including fuzzing and web application scanning
- Release and response, including the Final Security Review (FSR), penetration testing, and response planning and execution
Adopting the SDL with n.runs brings the following benefits:
- Reduce customer risk and improve customer trust by making software more inherently secure and protecting sensitive information
- Reduce the total cost of development by finding and eliminating vulnerabilities early, in the design phase. According to NIST (the National Institute of Standards and Technology), fixing a vulnerability after release can cost up to 30 times more than eliminating it during design
- Reduce the cost of ownership for customers by issuing fewer security patches, thereby lowering the cost of managing patches for your applications
For detailed information please do not hesitate to contact our n.runs SDL team.
1. What is the Microsoft SDL Pro Network?
The Microsoft SDL Pro Network is a group of security consultants and trainers from around the world who specialize in application security and have substantial experience and expertise with the methodology and technologies of the Security Development Lifecycle (SDL), the industry-leading software security assurance process created by Microsoft and in use there since 2004. The SDL Pro Network was created to address the challenges developers face as attacks shift increasingly to the application layer. It is part of Microsoft's commitment to enable organizations outside the company to develop more secure applications through SDL technologies, prescriptive guidance and industry partnerships.
2. Who are the members of the Microsoft SDL Pro Network?
The one-year pilot program consists of nine companies:
- Cigital Inc., Dulles, Va.
- IOActive Inc., Seattle Wash.
- iSEC Partners Inc., San Francisco, Calif.
- Leviathan Security Group Inc., Westminster, Colo.
- Next Generation Security Software Ltd. (NGS), London, United Kingdom
- n.runs AG, Oberursel, Germany
- Security Innovation Inc., Wilmington, Mass.
- Security University Inc., Stamford, Conn.
- Verizon Business, Basking Ridge, N.J.
3. Can my company become a member of the Microsoft SDL Pro Network?
The SDL Pro Network, which begins in November 2008, will run in a pilot phase for its first year of operation, so membership is limited during this time. Over the next year, Microsoft and the member companies will evaluate how best to expand the program to others in the industry. For updates, please visit the SDL portal, http://www.microsoft.com/sdl.
4. What is my risk from cybercrime?
- Cybercrime is a huge market with serious financial implications for businesses everywhere.
- A 2005 FBI survey estimated the annual loss due to computer crime at $67.2 billion for U.S. organizations.
- The estimated losses associated with identity theft in 2006 were $49.3 billion.
- In a 2006 study, the Ponemon Institute, LLC found that the average cost of a data breach rose in 2006 to $4.8 million, an increase of 30 percent from the previous year.
- Every company is a target. Contrary to what you might expect, the vast majority of vulnerabilities are found in software produced by smaller software vendors.
Key figure: only 14% of vulnerabilities in 2007 were in software from the five largest software vendors (Microsoft, Apple, Oracle, IBM and Cisco) (IBM X-Force 2007 security report).
- Applications, rather than operating systems, are the most significant target. No matter how well your IT team locks down vendor software, a poorly developed application can open the system wide to attack. You are not just a consumer of product security features; you are a full partner with Microsoft in securing your applications and your customers' and company's sensitive data.
Key figures: 93% of new vulnerabilities in H1 2008 were in applications, only 7% in operating systems (Microsoft SIR 2008). 89% of all vulnerabilities disclosed in 2007 could be exploited remotely (IBM X-Force 2007 security report).
5. Why should I use the services of the Microsoft SDL Pro Network?
With personal information becoming a valuable commodity for criminals, cybercrime poses a significant threat to every company, large or small. In addition, attacks are clearly shifting up the stack to the application layer. It has therefore become critical that software developers embed security and privacy into their development process through the SDL.
6. Why did Microsoft decide to make SDL available to the industry at large?
Microsoft is committed to protecting customers and enabling a more trusted computing experience; one way to reach this goal is by sharing security and privacy expertise, guidance, technology and processes with the industry. The combination of Microsoft's experience and proven success with the SDL and the expertise of the program members forms an excellent basis for helping development organizations outside Microsoft create more inherently secure applications.
7. What proves that SDL is effective?
Flagship Microsoft products developed with the SDL show measurably reduced vulnerability counts after release, enhancing the security and privacy of the Microsoft platform and better protecting Microsoft customers from malicious and costly attacks.
Windows Vista, IE7 and SQL Server 2005 are examples of flagship products whose post-release vulnerability counts decreased significantly compared with their predecessors:
- 45% reduction in vulnerabilities for Windows Vista (66) vs. Windows XP (119) in the first year after release
- 91% reduction in vulnerabilities for SQL Server 2005 (3) vs. SQL Server 2000 (34) in the three years after release
- 35% reduction in vulnerabilities (65% in high-severity vulnerabilities) for IE7 (17) vs. IE6 (26) in the first year after release
Windows Vista, IE7 and SQL Server 2005 beat the competition in minimizing vulnerability counts.
More globally, Microsoft's share of all newly disclosed vulnerabilities decreased significantly, from 4.2% in H1 2007 (1st place) to 2.5% in H1 2008 (3rd place), according to the IBM X-Force 2007 and 2008 security reports.
8. Is the SDL also applicable to small companies?
Yes. The relevance of the SDL is determined by the risk a company's software exposes it and its customers to, not by the company's size. Microsoft makes available a range of documents, tools and now services such as the SDL Pro Network, all designed to help companies of all sizes adopt the SDL in a gradual, practical and cost-effective manner. To this end, Microsoft has developed the SDL Optimization Model, which allows development organizations, both small and large, to assess where they stand in terms of current secure development practices, define their goals and create a practical roadmap based on their own resources and risk profile.
9. What is Microsoft SDL Optimization Model?
The Microsoft SDL Optimization Model was created to facilitate gradual, consistent and cost-effective implementation of the SDL in development organizations outside Microsoft. It allows development managers and IT policy-makers to assess the state of security during development and to create a vision and roadmap for reducing customer risk. In November 2008, the model will be freely available for download on the MSDN website. The SDL Optimization Model gives development organizations a way to self-assess their current software development security practices and create a strategy for gradual improvement.
10. What are the benefits of the Microsoft SDL Optimization Model?
The Microsoft SDL Optimization Model has three primary benefits. First, it enables development organizations to assess their current state of security during development. Second, it helps create a long-term plan to build and achieve security assurance in software through relevant, innovative and practical process guidance, something that can be hard to come by. Finally, it helps outline practical and cost-effective activities to progressively attain measurable security process improvements.