Booz Allen Hamilton recently released a State-of-the-Art Report (SOAR) on Software Security Assurance on behalf of the Information Assurance Technology Analysis Center (IATAC), an analysis and consulting group sponsored by the US Department of Defense.  I had seen the report before, but hadn’t had the time to dive into it as it’s nearly 400 pages long. However, I had to travel for Microsoft business recently, and there’s really nothing like a long plane ride to allow one to catch up on back reading!

Upon closer inspection, it is a fairly exhaustive work that seeks to provide a snapshot of the current state of the software security assurance field.  I was pleased to note significant mentions of the SDL and of other work done by Microsoft.   The report made some salient points about the SDL – questioning its suitability for use in certain circumstances (e.g. policy-driven, non-technical risk management scenarios).  However, the authors were also quick to point out that the SDL is a technical software development process, and could be paired with other methods to meet government requirements.

For the record – we make no claims about the universal applicability of the SDL – it’s a constantly evolving, security-focused software development process – first, last and always.  While the SDL is well suited to our work environment, we might have made different process tradeoffs in other environments.  The important thing to focus on is process evolution – learning from customer pain, from the decisions made, and from the effectiveness of what you’re doing – and using that information as a catalyst for change.

As with any report, there are points on which reasonable people will differ – however, it does a reasonably good job of presenting “one-stop shopping” for information on software security assurance.  It’s definitely worth a look.

I’d be interested in hearing other opinions…

About the Author
Dave Ladd

Principal Security Group Program Manager