SDL and Incident Response ◾ 201
(modules), and locally loaded client applications are quickly becoming browser-based Web apps.
Suddenly the skimpy pieces of information dropped in the audit trail are insuffi cient to meet evi-
dentiary requirements, and the disparate sources and formats of audit trails are hampering com-
pliance eff orts. Gone are the perimeter, network, and host security defenses applications relied on
to reduce security threats; now the user comes directly to the application. Gone are the physical
barriers that kept data isolated and safe; now thousands of users share the same processor and
storage facilities in the cloud infrastructure. All of these factors impact SDL, which for most
organizations (if they are using it at all) is a fairly new practice. Adapting SDL to these diff erent
environments is a stretch, to say the least. SDL was designed for large packaged products. It isn’t
well suited to Web applications that are constantly being updated and changed. Logging and
audit standards haven’t caught up with statutory and regulatory reporting requirements, and
application intrusion detection is practically nonexistent. Not only is it a problem with lagging
or missing standards, but it is also a problem with coverage. e process for packed application
development begins with product envisioning and ends with product release. In the online world,
product release is when the real work begins. Once the service goes online, it is a continual process
of fi xes, updates, and enhancements; you don’t get to walk away and start on the next version.
is is a major shift in the development paradigm, a shift many developers are not fi nding easy
to make.
Getting application developers to change their mind-set and incorporate mandatory function-
ality (performance, management, security, etc.) into their design and coding practices is not easily
accomplished. Microsoft’s trustworthy computing initiative kicked off in 2000 with a security
stand-down that many both inside and outside the company considered a joke and a complete
waste of time. It took years of training, reinforcement, process refi nements, and tooling to fi nally
get everyone on board, and 10 years after the fact, Microsoft is still struggling to make SDL
work well in its services business. SDL was designed to be used in the development of large pack-
aged software products with long development time frames. Many environments have very short
development and testing time frames where existing SDL processes do not work well. To address
that issue internally Microsoft developed a version of SDL for agile development methodologies.
After refi ning it for a while in-house, Microsoft made it available to the public in the fall of 2009.
Change takes time: Change impacts development schedules, and it takes time for people and
organizations to assimilate the new elements that change brings. Unfortunately, time is not always
a luxury organizations have.
SIDEBAR: STRANGER IN A FOREIGN LAND
I (Bill) used to do security code reviews and, believe me, developers do not like to be told their babies are ugly.
People tend to think development is a technical skill. To some extent it is, but mostly it is an art. As a reviewer,
I was constantly amazed at the creative ways that developers came up with to solve very complex problems. You
can teach an artist technique, but when you start telling her you want structure and order to what she is doing, you
are going to get resistance. Anyone who thinks Bill Gates stood up one day and said, “Okay from now on we’re
doing to develop trustworthy code,” and everyone said, “Yeah and amen,” you are kidding yourself. It takes time to
become skillful and productive at something, whether it is painting or programming; the more skillful you become,
the less interested you are in change, unless there is a compelling reason. Technology drives change, but unlike
painting, technology consumes the old when it produces the new. There have been thousands of improvements to
paint, but I can still buy a canvas; technology consumes the canvas and forces you to use a graphics pad. You can
spend 10 years learning how to be profi cient in a computer programming language, only to fi nd that it’s no longer
available and no longer supported. Consider this: In my 25 plus years working with computers, I have developed
reasonable profi ciency in eight different programming languages, four of which are obsolete. I still have code in my
development library that I couldn’t compile and run on any current technology if my life depended on it. The point
I’m making is that technology introduces more than enough change into the environment for developers to deal with.
For example, multiple 64-bit processors are now the standard for PCs; learning to leverage the capabilities of this
TAF-K11348-10-0301-C011.indd 201TAF-K11348-10-0301-C011.indd 201 8/18/10 3:11:03 PM8/18/10 3:11:03 PM