Microsoft held its first Security Development Conference in Washington, D.C., to share information about computer security with industry, government and academia, as well as to promote the Microsoft Security Development Lifecycle (SDL).
At Microsoft's Security Development Conference 2012 in Washington, D.C., a diverse set of companies, government agencies and academic institutions shared their own experiences with adopting a Security Development Lifecycle (SDL).
The event, held May 15 and 16 at Washington's Fairmont hotel, included information for leaders in software engineering, process and business management who are responsible for implementing or accelerating the adoption and effectiveness of secure development practices in their organizations. The 2012 conference was the first in what is to be an annual series of SDC events, Microsoft said.
Keynote speakers included Scott Charney, corporate vice president for Trustworthy Computing at Microsoft; Richard A. Clarke, chairman of Good Harbor Consulting and former special adviser to the President for cyber-security; and General Michael V. Hayden, principal at the Chertoff Group and former director of the Central Intelligence Agency and National Security Agency. Diamond sponsors of the SDC were Adobe, Cisco and Microsoft.
In a blog post about the event, Steve Lipner, partner director of program management for Trustworthy Computing at Microsoft, said:
"To see more and more private and public organizations recognize the value and importance of implementing secure development practices makes me cautiously optimistic that in the future software will be more secure than the software we've seen in the past. I remember when in 1997 I attended the RSA Security Conference held in the basement of the Mark Hopkins Hotel in San Francisco with a few hundred attendees. Today, the annual RSA Conference is a major industry event with more than 10,000 attendees. I'm not certain that the Security Development Conference will follow that sort of trajectory, but I do believe that secure development is of growing importance, and I also know that industry commitment can start small and grow."
As part of the conference, Microsoft announced two new success stories: the government of India and Itron have both integrated the SDL into their processes.
The government of India has recognized the importance of a holistic integration of security and is promoting that key concept by including secure coding practices in its draft national economic five-year plan, Lipner said.
"They believe this is a significant step that will help improve the security of all software and services produced in their programs. India's Computer Emergency Response Team (CERT-In), which leads the country's response to cyber-threats, has already taken steps to implement the five-year plan by leveraging Microsoft's SDL as one of the core tenets for application security," he said.
"In addition, the National Informatics Centre, part of the Central Government Office of India, requires training in SDL principles, including the training of more than 10,000 of India's cyber forensic investigators. The government of India is also encouraging domestic businesses to adopt similar processes, showcasing the significant role public-private partnerships play in making critical systems more secure. You can read more about the steps the government of India is taking to secure its environment in the case study available for download here."
Itron, a provider of energy and water resource management solutions for nearly 8,000 utilities around the world, also has incorporated the SDL into its development process.
"With the increase in threats to critical infrastructures, Itron realized it needed to take proactive steps to protect its systems by building security in from the start," Lipner said. "The company recently implemented Microsoft's SDL, making it mandatory for the development of all of its software and hardware. Itron now has one of the most mature secure development programs in the Smart Grid space. You can read more about the steps Itron is taking to secure its systems through a case study we have published for download here."
In addition to the keynote speakers, other speakers at the event included representatives from IBM, Symantec, Red Hat, the National Security Agency, Itron, Cisco, Adobe, the National Institute of Standards and Technology (NIST), Lockheed Martin, EMC, Salesforce.com and a host of others, including several other speakers from Microsoft.
To date, Microsoft's free SDL tools and resources have been downloaded more than 940,000 times, reaching more than 150 regions around the world.
Microsoft also cited its own recent research, which it says shows a decline of more than 30 percent in the exploitability of vulnerabilities in Microsoft products when the latest version of each product is compared with all supported previous versions over the past 18 months.
Three hundred and fifty days after implementing the Microsoft SDL, MidAmerican Energy was the only business unit inside its parent holding company, MidAmerican Energy Holdings Co., in which external auditors found no security vulnerabilities, and MidAmerican reported an overall productivity gain of up to 20 percent using the SDL.
A recent study by the Aberdeen Group put the total cost of remediating an actual application security-related incident at about $300,000 and found that organizations that implemented an SDL realized a return of four times their annual investment in security. Forrester reports similar findings: respondents practicing an SDL specifically reported visibly better ROI results than the overall population.