My team talks a lot about “proactive security” – the concept of baking cybersecurity measures into architecture and design as opposed to responding to vulnerabilities and breaches when they occur. However, I lacked a quantitative answer when recently asked: “how do you convince businesses to start being proactive?”
Windows developers may be familiar with “banned.h” or “strsafe” libraries. Introducing safe libraries to development is nothing new, as was covered in the 2007 presentation on SDL for Windows Vista (slide 7). While basic, these basic libraries have been shown to provide significant value - as discussed later in the deck, 41% of bugs that Microsoft removed in Vista early on were due to removal of ‘banned’ API function calls.