Risk
3/31/2011
12:09 PM
50%
50%

Microsoft Blames Poor Development Practices For Security Risks

Windows and Internet Explorer are at greater risk of attacks because developers don't use mitigation technologies built into the software, said Microsoft.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Too few applications and browser plug-ins are implementing attack-blocking security mechanisms built into Windows and Internet Explorer.

Microsoft made that assertion in "The SDL Progress Report," released Wednesday, which details the evolution of the company's security development lifecycle, used internally, as well as the uptake of mitigation technologies that Microsoft makes available to developers.

Two of those mitigation technologies are Data Execution Prevention (DEP), which helps prevent attackers from executing arbitrary code, and address space layout randomization (ASLR), which makes it difficult for attackers to locate objects, such as DLL files, that they might use to create a successful exploit.

But when Microsoft studied 41 of the most popular and latest consumer applications -- from Microsoft and others -- it found that while 71% of applications fully enable DEP, only 34% of applications fully enable ASLR. Furthermore, 70% of surveyed browser plug-ins don't implement ASLR, while only 20% of surveyed security products fully implement ASLR. As a result, those products and plug-ins, and by extension also IE and Windows, are at greater risk of attack.

Poor uptake of DEP and ASLR might be less of an issue if more organizations pursued secure development practices, which would independently help organizations avoid many of the bugs that DEP and ASLR attempt to block. Yet many organizations don't factor security into their software development lifecycle, which leaves their code at greater risk of being exploited by attackers.

Blame ignorance. "Awareness of security development practices is pretty low, and unfortunately if it's low, that gives criminals a potential advantage," said David Ladd, principal program manager for Microsoft's SDL group, in an interview. "That said, the business decision-makers we've talked to who are aware of security development processes, they need some assurance of ROI."

Secure development -- aka security development -- offers excellent ROI, or return on investment, said Ladd. For example, the average cost required to mitigate and fix a security issue, based on a 2010 report from Aberdeen Group, is $300,000 per vulnerability, per incident, he said. Compare that to the average cost of running a security software program in a development organization, which is $400,000 per year. "So at that point, a single security issue . . . nearly offsets your entire investment in the secure development software lifecycle," he said.

Here's an example of secure development at work: At the PWN2OWN 2011 contest held earlier this month at the CanSecWest conference, security researcher Stephen Fewer of Harmony Security chained together three vulnerabilities -- two for code execution, and another to escape IE's protected mode sandbox -- to successfully exploit the target machine via IE8.

But in the course of IE9 development, said Ladd, Microsoft had already independently identified and eliminated two of those bugs from the IE9 code base, which he offered as proof that taking the time to review code for security errors is a worthwhile pastime. "The reason we caught those two was not because of luck or serendipity, but because we did our homework and found out what the problem was," he said.

In other words, practicing secure coding techniques requires upfront investment, but produces results. "If people want to have a safer computing experience, then they need to invest up front to make sure the proper things are done to ensure security, for when it comes time to do business on the Internet," said Ladd.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-1414
Published: 2015-02-27
Integer overflow in FreeBSD before 8.4 p24, 9.x before 9.3 p10. 10.0 before p18, and 10.1 before p6 allows remote attackers to cause a denial of service (crash) via a crafted IGMP packet, which triggers an incorrect size calculation and allocation of insufficient memory.

CVE-2015-2072
Published: 2015-02-27
Multiple cross-site scripting (XSS) vulnerabilities in SAP HANA 73 (1.00.73.00.389160) and HANA Developer Edition 80 (1.00.80.00.391861) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to (1) ide/core/plugins/editor/templates/trace/hanaTraceDetailService.xsjs or...

CVE-2015-2075
Published: 2015-02-27
SAP BussinessObjects Edge 4.0 allows remote attackers to delete audit events from the auditee queue via a clearData CORBA operation, aka SAP Note 2011396.

CVE-2015-2076
Published: 2015-02-27
The Auditing service in SAP BussinessObjects Edge 4.0 allows remote attackers to obtains sensitive information by reading an audit event, aka SAP Note 2011395.

CVE-2015-2101
Published: 2015-02-27
Cross-site scripting (XSS) vulnerability in the Navigate bar in the Navigate module before 6.x-1.1 and 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.