Secure Coding mailing list archives

Re: The Organic Secure SDLC


From: Paco Hope <Paco () cigital com>
Date: Tue, 19 Jul 2011 10:09:45 -0400


> To clarify further, this is not meant to be prescriptive or even a set of
> best practices. It's a simple observation on how many organizations tend
> to evolve if secure SDLC is not a major priority. I can't say it's based
> on hard data but we have compiled the steps from experiences at several
> clients and validated it with several others.

That is exactly the process we followed with the BSIMM. Some of the BSIMM
participants were well-established, highly capable, and mature. Others,
however, were just getting their security initiatives off the ground. We
didn't cherry-pick the best of the world. We went to firms that were
significant and found out what they were doing.

> If you were seeking advice on how to build security into the SDLC from
> the ground up or looking for a set of activities to perform, you'd be
> better served by looking at BSIMM.

I don't think someone starting from the ground up looks at the BSIMM. If
you do, it's a brainstorming exercise to acquaint yourself with terms and
activities. If you want something prescriptive, Cigital's touchpoints, or
Microsoft's SDL are methodologies that tell you what to do. Think of the
BSIMM like a thermometer. It can tell you the temperature of your SDLC.
What it can't tell you is whether that's the right temperature or not. If
you're making ice cream or if you're making waffles, you have different
temperature needs. BSIMM simply tells you how you're doing right now. (And
over time if you take repeated measurements).

> The organic secure SDLC misses things, like threat modeling, because in
> our observations they don't seem to be done consistently.

I think this "organic SDLC" is mis-named. It is not a software development
lifecycle. It is, if anything, a description of how security awareness
evolves at some organisations. That is, minimally aware people take the
first step of pen testing production systems. As they grow additionally
more aware, they start looking earlier and earlier in the lifecycle. This
thing itself is not a lifecycle. It's an observation about some
organisations and how they gradually awaken to the need for security in
the SDLC.

It is entirely possible that "climbing the wall" might happen as the
result of taking a measurement using the BSIMM. Instead of a linear arrow,
I wonder if you want to have time on the X axis and level of effort on the
Y axis. There's a curve here and "climb the wall" is a point in the curve
where the effort is high.

Anyways, this is just "the order that some firms seem to adopt activities
in their lifecycles." It is not a lifecycle.

Paco


_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________