Home SecurityApplication Security Lessons learned through 15 years of SDL at work

Lessons learned through 15 years of SDL at work

by ethhack

Do a quick search on secure development and you’ll find pages and pages of advice and best practices. You could relatively quickly create a long checklist of best practices and how-tos covering everything from how to create a threat model to the dos and don’ts of avoiding cross site-scripting mistakes. Newer articles and papers might focus in on applying secure development to mobile applications or making it work in a DevOps environment as the way we have built code has changed over the years.

And yet, despite all we know about creating secure code, many organizations still struggle with making secure development work in practice.

In fact, it’s been a little more than 15 years since Microsoft mandated its Security Development Lifecycle (SDL) in summer 2004. This was two years after the now-famous Trustworthy Computing memo went out and Microsoft began its unprecedented investment of resources into secure software development. But 2004 is a milestone that retains special significance for me and one that holds a lesson often lost in the pages and pages of how-tos and best practices – and has been the key to the SDL’s longevity in a rapidly evolving technology climate – it’s all about the developers. We discovered quickly that focusing on the practices without consideration for how software development is actually done or what developers need to be successful was an effort destined to fail.

Rather, we had to start with an understanding of the development process and then define how security would work within that framework. SDL was created to support the developer in the creation of more secure software resulting in more secure products and more satisfied end-users.

We found that this approach worked. After 15 years, and despite the massive changes in both how technology is used and how software is created, SDL still provides the foundation for the software security programs at many of the world’s largest and most influential software organizations and there are no signs of its use or adoption slowing down.  Of course, there have been modifications and changes to the original parameters set years ago at Microsoft.  But this is the beauty of SDL: it was designed to evolve.

Nothing remains the same – 15 years of evolution and change

The three most significant changes to SDL over the last decade and half can be summarized as follows: 

Copyright © 2019 IDG Communications, Inc.

Source link

Related Articles

Leave a Comment