Hi, Michael Howard here.
One very low-cost and low-friction SDL task that has high impact is removing (and not adding) banned functionality. The most common examples of banned functionality include various C runtime functions, such as strcpy(), strcat(), strncpy(), sprint(), gets() and their evil brethren; and weak crypto algorithms, such as DES, MD4 and SHA-1.
Over the years, I have shepherded the banned API requirement through the SDL, making updates along the way. One of the biggest changes in recent years (other than adding memcpy() to the list) is a separation of ‘required banned’ functions and ‘recommended banned’ functions. The reason for this change is some functions are a ‘clear and present danger’ and should never be used in any code. Ever. E.V.E.R! This is the SDL ‘required banned’ list.
Other C runtime functions pose less of a risk; but in high-risk code, or code with a very high attack surface, they should be considered for removal, and certainly not added to new code in the first place. This is the SDL ‘recommended banned’ list.
Feel free to leave a note if you have a question of comment