In its latest Software Development Lifecycle (SDL) Progress Report, Microsoft says it has done its part to make operating systems and browsers more secure, but third-party developers have not taken basic steps to secure their applications. The report finds that only 43 percent of the applications surveyed, including 20 percent of security applications, had implemented Address Space Layout Randomisation (ASLR), which makes it more difficult for malware to locate DLL code in memory. In addition, 29 percent of applications surveyed were not using Data Execution Prevention (DEP), even though it is very easy to implement.
The report also points out that it is much more economical to make security fixes before an application is released. “The National Institute of Standards and Technology (NIST) estimates that code fixes performed after release can result in 30 times the cost of fixes performed during the design phase,” the authors write.