The financial services industry is one of the world’s largest industries by monetary value, and an industry which has a direct impact on the lives of billions of people around the world. Organizations in the financial services industry handle trillions of transactions each year involving sensitive information about individuals, companies, and other third parties. To help protect this sensitive information, it is important that financial services organizations develop, procure, and use software applications that have been built with security in mind.

Microsoft commissioned an independent research and consultancy firm, The Edison Group, to examine the current state of application development in the financial services sector from a security perspective. Their report – Microsoft Security Development Lifecycle Adoption: Why and How – is available today.

The paper was developed following in-depth interviews with Chief Security Officers and senior executives representing some of the leading banks and financial services companies in the United States. Some highlights from the paper:

  • The Edison Group examined the usage of the Microsoft Security Development Lifecycle (SDL) and how it has been integrated into the software design life cycles of financial services companies.
  • The study describes the business benefits of using the SDL, along with adoption approaches and integration methods.
  • The adoption maturity of the Security Development Lifecycle (SDL) in participating organizations ranged from highly refined through years of implementation, to a brand new adopter about to begin integrating the SDL into the development processes.
  • The paper also includes two case studies, one illustrating the use of the SDL in a Microsoft Windows based environment, and one illustrating the adoption of the SDL in an open source development environment.

In addition to these highlights, the Edison Group found that using a software development process, such as the SDL, to help developers build more secure software can also help address security compliance requirements. For example, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) recognized the need for standards around security development processes and developed ISO/IEC 27034-1. This international standard is the first of its kind to focus on the processes and frameworks needed to build a comprehensive software security program. Earlier this year, Microsoft announced through its Declaration of Conformity that Microsoft’s SDL conforms to ISO 27034-1. Organizations using the Microsoft SDL to develop more secure software may already be conformant to the standard.

In the United States financial services sector, many of the largest companies came together in 1996 to form BITS, a division of the Financial Services Roundtable. BITS is an organization that addresses threats and opportunities relevant to the financial services sector, particularly those related to cybersecurity. In 2012, the BITS Software Assurance Framework was created to document the importance of secure development practices and to provide guidelines that financial services organizations can use to implement these practices more fully. The Software Assurance Framework was developed to help financial institutions better follow secure development practices and avoid the risks outlined above.

The Framework is rooted in education, the integration of security into design using standards and threat modeling, best practices for coding, focused and comprehensive testing, followed by important implementation and response practices. The Framework was developed in collaboration with Microsoft, and integrates the Microsoft Security Development Lifecycle at its foundation.

According to Paul Smocer, BITS president, “Building safe software is a necessity, a priority and a complex process for financial institutions. The BITS Framework offers a practical approach to software security through strong design, implementation and testing processes.”

If you are responsible for the development or procurement of software for companies operating in the financial sector, then I strongly encourage you to check out this new whitepaper and the many free security development resources available at www.microsoft.com/sdl.

Tim Rains
Director
Trustworthy Computing