In January 2011, the research firm Forrester Consulting published a report commissioned by Microsoft, titled “State of Application Security: Immature Practices Fuel Inefficiencies, But Positive ROI Is Attainable.” The report is available for download at http://www.microsoft.com/download/en/details.aspx?id=2629
The report has an obvious bias, namely, that if you use Microsoft’s SDL (Security Development Lifecycle) approach and/or CMMI (Capability Maturity Model Integrated) developed by Carnegie Mellon’s Software Engineering Institute, your software will have fewer “security defects” and hence require less fixing and patching. That’s good. While these methods might have their limitations, it is reasonable to assume that their use might lead to somewhat better quality software from a security perspective.
OK. But now let us examine the report in more detail. First, the sample of “150 North American software development influencers and decision makers” is made up of 64 percent companies from the “high tech” industry vertical, and only 2 percent from the entire public sector (government, education, etc.). For the purposes of this study, “high tech” includes platform vendors (55%), independent software vendors (13%), original equipment vendors (11%), original design manufacturers (9%) and value-added resellers (4%). Is Microsoft included here? I doubt it, since the whole point of the report seems to be to show how bad the rest of the software development world is, implying that Microsoft is not one of those guys but operates on a higher plane. To some extent they are probably right. I’ve met (in person and/or via telephone) Steve Lipner, Michael Howard, Adam Shostack, and other top-flight software security guys at Microsoft, and they really know their stuff. They have gained significant traction ever since Bill Gates made his pronouncement in January 2002 about trustworthy computing. And it is a worthy goal for other software companies, and for organizations developing custom software for their own use, to adhere to effective application security standards.