Summary

Summary Selling security process improvements to upper management is not easy because security professionals have often focused on vague although troubling potential threats. Security experts are often seen as alarmists in the boardroom. Selling security as a means to mitigate riskmost notably privacy issues that could lead to legal action from affected customers and reliability issues that could lead to violation of service-level agreements and system downtimeis much more plausible and can be assigned monetary value by managers. Risks and potential costs are associated with the privacy issue and with downtime. Threats have changed, and the security and privacy landscape is not what it was in 2001. Everything is connected today, and criminals are being lured to the online community because that's "where the money is." There is no indication that this trend will abate any time soon. The software industry's past is littered with security bugs from all software vendors. If our industry is to protect the future and deliver on the vision of Trustworthy Computing, we need to update our processes to provide products that are more secure, more private, and more reliable for customers. Microsoft has learned from and has adopted the SDL to remedy its past mistakes. You should, too. Microsoft has seen vulnerabilities reduced more than 50 percent because of the SDL. You will, too.