Microsoft Secure

The oil and gas industry is one of the world’s largest industries in terms of sheer dollar value. Oil and gas keep us warm in cold weather, make it easy to cook our food and heat our water, generate our electricity and fuel our transportation needs. Given that the oil and gas industry is so critical to our everyday lives, application security is of paramount importance.

Over the past few years, we have seen some highly publicized attacks on this industry.  In an industry that manages critical infrastructure needs, software application security is absolutely essential and must be a top priority.  The importance cannot be overstated.  Today, Microsoft released a new case study entitled “Secure Software Development Trends in the Oil & Gas Sectors” which takes a close look at application security in the oil and gas industry and discusses how a holistic approach to software development can help mitigate many of the risks these organizations face. 

This case study includes perspectives from industry leaders:

  • Aaron Merrick, vice president of information technology at Apache Corporation, a multinational oil and gas company based in Houston with more than 3 billion barrels’ equivalent of proven oil and natural gas reserves.

  • Paul Williams, executive director of security services at White Badger Group, who has experience advising clients in the oil and gas industry.

  • Jonathan Pollet, founder and principal of Red Tiger Security, a data security consultancy with extensive experience in the oil and gas industry.

  • Alan Hasling, an account technology strategist for Microsoft who works with the oil and gas industry.

The case study also examines how a holistic approach to secure development, such as Microsoft’s Security Development Lifecycle (SDL), can help to protect an organization from cybersecurity attacks. This approach is used in companies of every size and in every industry, from small software development firms to global enterprises. It’s also free. Microsoft provides the SDL to customers and the industry in an effort to help create a more secure environment for everyone. The basics of the SDL are relatively easy to introduce, and are designed to help developers whether they have security experience or not. The simplified SDL is a 17-page document and can be downloaded here.

In addition to the SDL, Microsoft has developed MURA (Microsoft Upstream Reference Architecture), a reference architecture that shows our Upstream Oil & Gas customers what is achievable in the future with the technology available today. As part of this guidance, we provide a set of principles for establishing sound cybersecurity policies and procedures. These procedures have been tested and proven in real-world implementations, and are designed to meet the specific requirements of the upstream oil and gas environment. More information on MURA can be found here.

Of course, system compromises are not isolated to the oil and gas industry.  Application security is critical to any organization that develops or sells software, and to customers that purchase software or services from vendors.

If you are responsible for the development or procurement of software, then I strongly encourage you to check out this new case study and the many free security development resources available at

Tim Rains
Trustworthy Computing