Hi, Bryan here. Regular readers of this blog know that I’m more likely to write technical posts about new defense tactics than I am to pontificate on the state of the security industry. However, while I was at the RSA Conference last month, I overheard a concerning misconception about the SDL that I’d like to address.
During a panel discussion on static- and source-analysis techniques, the panelists – Chris Wysopal of Veracode, Jerry Archer of Intuit, Mary Ann Davidson of Oracle, and Brian Chess of Fortify – had strayed somewhat from the original topic and into a discussion of security processes. At this point, several of them stated their belief that the SDL is only useful for large organizations running Windows, and that it wouldn’t work well for “5-person shops writing PHP.”
Now, I don’t believe that the only way to create secure software is to follow the SDL exactly the way we follow it at Microsoft. Not everyone building software is ready to commit as much time and energy to security as we do. For that matter, not everyone even needs to commit as much time and energy to security as we do! But everyone building software should be doing something to make that software more secure, which is exactly why we developed the SDL Optimization Model.
It’s true that if you have 1000 or more developers, you’ll probably want to eventually work your way up to the Dynamic level of the Optimization Model (where we see ourselves), but the 5-person PHP shop could greatly benefit from implementing the SDL at the Standardized level. At the Standardized level, you perform high-ROI security activities such as validating input and encoding output to defend against cross-site scripting attacks, using stored procedures to defend against SQL injection attacks, and fuzzing your application inputs to find unknown errors. These all sound pretty applicable to a 5-person PHP shop to me!
Ok, that’s definitely enough pontification for me for a while. The next time I post, I promise it’ll be something technical, like a comparison of various managed code static analysis tools or best practices for implementing cryptographic agility in your applications. Talk to you then.