(click image for larger view)
Microsoft made that assertion in "The SDL Progress Report," released Wednesday, which details the evolution of the company's security development lifecycle, used internally, as well as the uptake of mitigation technologies that Microsoft makes available to developers.
Two of those mitigation technologies are Data Execution Prevention (DEP), which helps prevent attackers from executing arbitrary code, and address space layout randomization (ASLR), which makes it difficult for attackers to locate objects, such as DLL files, that they might use to create a successful exploit.
But when Microsoft studied 41 of the most popular and latest consumer applications -- from Microsoft and others -- it found that while 71% of applications fully enable DEP, only 34% of applications fully enable ASLR. Furthermore, 70% of surveyed browser plug-ins don't implement ASLR, while only 20% of surveyed security products fully implement ASLR. As a result, those products and plug-ins, and by extension also IE and Windows, are at greater risk of attack.
Poor uptake of DEP and ASLR might be less of an issue if more organizations pursued secure development practices, which would independently help organizations avoid many of the bugs that DEP and ASLR attempt to block. Yet many organizations don't factor security into their software development lifecycle, which leaves their code at greater risk of being exploited by attackers.
Blame ignorance. "Awareness of security development practices is pretty low, and unfortunately if it's low, that gives criminals a potential advantage," said David Ladd, principal program manager for Microsoft's SDL group, in an interview. "That said, the business decision-makers we've talked to who are aware of security development processes, they need some assurance of ROI."
Secure development -- aka security development -- offers excellent ROI, or return on investment, said Ladd. For example, the average cost required to mitigate and fix a security issue, based on a 2010 report from Aberdeen Group, is $300,000 per vulnerability, per incident, he said. Compare that to the average cost of running a security software program in a development organization, which is $400,000 per year. "So at that point, a single security issue . . . nearly offsets your entire investment in the secure development software lifecycle," he said.
Here's an example of secure development at work: At the PWN2OWN 2011 contest held earlier this month at the CanSecWest conference, security researcher Stephen Fewer of Harmony Security chained together three vulnerabilities -- two for code execution, and another to escape IE's protected mode sandbox -- to successfully exploit the target machine via IE8.
But in the course of IE9 development, said Ladd, Microsoft had already independently identified and eliminated two of those bugs from the IE9 code base, which he offered as proof that taking the time to review code for security errors is a worthwhile pastime. "The reason we caught those two was not because of luck or serendipity, but because we did our homework and found out what the problem was," he said.
In other words, practicing secure coding techniques requires upfront investment, but produces results. "If people want to have a safer computing experience, then they need to invest up front to make sure the proper things are done to ensure security, for when it comes time to do business on the Internet," said Ladd.
