Over the last fifteen years, many large software development organizations have adopted Security Development Lifecycle (SDL) processes as effective approaches to delivering secure software. Motivation for SDL comes from the realization that software vulnerabilities can have real impacts – on information security, on organizations' reputations, on customer satisfaction, and on revenues. But what if you don't have 40,000 developers and instead run a small-to-medium dev shop?
Fortunately, SDL adoption need not be "only for the rich." While large organizations have the resources to create large teams and customized tools, smaller organizations have the advantage that they can focus an SDL on the specific products, tools, and threats that are relevant to the software they produce. They can also benefit from a wide array of free and affordable resources that can help them address many of the challenges posed by creating and sustaining an SDL program. With management commitment to SDL fundamentals and an investment of resources proportional to the size of the development organization and its products, it's possible for small organizations to build an SDL program and deliver software that customers will find secure.
This briefing will describe some resources that can help smaller organizations create an effective SDL program. It will also outline some secure development concerns that may be especially important to those organizations – such as dependence on software they didn't write – and ways that they can address those concerns.
Steven B. Lipner is the Executive Director of SAFECode, a non-profit industry organization dedicated to increasing trust in ICT products and services through the advancement of effective software assurance methods. He is also an Adjunct Professor of Computer Science in the Institute for Software Research, School of Computer Science at Carnegie Mellon University. Lipner retired in 2015 as Partner Director of Software Security at Microsoft where he was the creator and long-time leader of the Microsoft Security Development Lifecycle (SDL). He was also responsible for Microsoft's policies and strategies for security evaluation of products by governments, and for Microsoft's approach to supply chain security and product integrity. Before joining Microsoft, Lipner worked for several commercial vendors and government contractors as a researcher, consultant, engineering manager and general manager in computer and network security. He has written numerous technical papers on aspects of cybersecurity and served on nine National Academies committees. He holds twelve U.S. patents in computer and network security, and served two terms, a total of ten years, on the Information Security and Privacy Advisory Board. Lipner was elected in 2010 to the Information Systems Security Association Hall of Fame, in 2015 to the National Cybersecurity Hall of Fame, and in 2017 to the National Academy of Engineering.