“The key trend that we see is a large move toward vulnerabilities being discovered in applications, as opposed to operating systems and browsers”, Lipner told Infosecurity.
The best way to head off security threats to applications is by using secure development, such as Microsoft’s secure development lifecycle (SDL) process, Lipner stressed.
“We are seeing organizations start to adopt secure development processes, but as the mitigation data shows, it is clear that organizations need to continue to move in that direction”, he added.
Microsoft recently released a report that demonstrates the correlation between secure application development, reduced attacks, and business efficiencies. Using both Microsoft and outside information, the report concludes that adopting secure development processes can identify software vulnerabilities earlier and offset the costly cycle of addressing vulnerabilities at the end of the development cycle or after an attack.
The report identified a number of mitigation techniques that are required by the SDL and have been shown to reduce application vulnerabilities. These include data execution prevention (DEP) and address space layout randomization (ASLR). “These measures complement each other and make it much more difficult to exploit buffer overrun vulnerabilities, even if they remain in software”, Lipner said.
Microsoft surveyed 41 popular applications and found that only 34% enabled full ASLR support, 46% partially enabled support, and 20% did not enable ASLR support. “So if there is a remaining buffer overrun vulnerability in one of those applications, exploiting it is pretty straightforward”, he observed.
“The release of the report is a call to action for industry to enable support for these two mitigations so that the safety of software would be improved”, he added.
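An added example, not taken from the report or from Microsoft: one way to check whether a Windows binary opts in to the two mitigations is to read the DEP and ASLR flags from its PE headers. The sample images are constructed header-only byte strings, and the full/partial/none bucketing is an assumed reading of how the survey counted applications.

```python
import struct

DYNAMIC_BASE = 0x0040     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: ASLR opt-in
NX_COMPAT = 0x0100        # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: DEP opt-in
RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_RELOCS_STRIPPED: image cannot be rebased

def pe_mitigations(data):
    """Read the ASLR and DEP opt-in flags from a PE image's headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew: offset of PE signature
    opt = pe + 24                                  # signature (4) + COFF header (20)
    if opt + 72 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature or truncated header")
    (coff_chars,) = struct.unpack_from("<H", data, pe + 22)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    aslr = bool(dll_chars & DYNAMIC_BASE) and not coff_chars & RELOCS_STRIPPED
    return {"aslr": aslr, "dep": bool(dll_chars & NX_COMPAT)}

def classify_aslr(images):
    """Assumed buckets: 'full' if every image of the application opts in,
    'none' if no image does, otherwise 'partial'."""
    flags = [pe_mitigations(d)["aslr"] for d in images.values()]
    if flags and all(flags):
        return "full"
    return "partial" if any(flags) else "none"

def sample_image(dll_chars, coff_chars=0x0102):
    """Constructed header-only PE32 image for the demo (not a real binary)."""
    buf = bytearray(0x40 + 24 + 96)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x40 + 22, coff_chars)
    struct.pack_into("<H", buf, 0x40 + 24, 0x10B)
    struct.pack_into("<H", buf, 0x40 + 24 + 70, dll_chars)
    return bytes(buf)

if __name__ == "__main__":
    # Hypothetical application: the main EXE opts in, a bundled plugin DLL does not.
    app = {"app.exe": sample_image(0x0140), "plugin.dll": sample_image(0x0100)}
    for name, image in app.items():
        print(name, pe_mitigations(image))
    print("ASLR support:", classify_aslr(app))
```

An image with its relocations stripped is reported as not supporting ASLR even when the opt-in flag is set, because the loader cannot move it.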
In releasing the report, Microsoft cited research by the National Institute of Standards and Technology (NIST), Forrester Research, and the Aberdeen Group showing how fixing code vulnerabilities early in the software development cycle can have a significant cost benefit to organizations.
NIST estimated that waiting until after code is released before fixing flaws can result in 30 times the cost of fixing the flaw during the design phase. In a study sponsored by Microsoft, Forrester found that organizations employing a coordinated prescriptive approach to application security experienced a stronger return on investment (ROI).
Aberdeen Group published a study that found that the average investment in secure development processes is $400,000, while the average cost to fix a critical vulnerability after application deployment was around $300,000. Aberdeen also reported a four times return on annual investment for those organizations that took a deliberate approach to application security.
Lipner emphasized that Microsoft’s SDL is a proactive process. “We not only incorporate measures that attack and remove vulnerabilities that we know about, but by doing things like requiring mitigation and requiring threat modeling analysis of software design, we enable developers to find unknown vulnerabilities and remove them before they are exploited.”
Lipner cited the case in which SDL was able to find and fix a vulnerability in Internet Explorer version 9 before a hacker at the CanSecWest Pwn2Own competition discovered and exploited that vulnerability to hack into IE version 8.
“We are encouraging organizations to learn more about SDL…implement security mitigation techniques such as ASLR and data execute protection to reduce the likelihood that vulnerabilities in their software will be exploitable…and integrate security into their development practices”, Lipner concluded.