The timeless truth of software security fundamentals
More than a decade’s worth of good deeds were recently memorialized with Microsoft’s announcement that Michael Howard and Steve Lipner’s book The Security Development Lifecycle (PDF) is now available for free online. What a great contribution by Michael, Steve, and Microsoft to the community; and cheers to the continued growth of software and application security as a discipline!
I had the pleasure of working at Microsoft, near Michael and Steve, around the time that they were developing SDL. A lot of memories were stirred up by this announcement. One thing that struck me was Michael’s note that the more things change, the more they stay the same.
In fact, Michael’s sentiment is important enough to quote at length:
Even though much has changed in the intervening years, it’s amazing how the simple fundamentals still hold true. […] Sure, the book doesn’t mention ‘IoT’ or ‘cloud’ and the word ‘mobile’ rarely gets mentioned, but banned functionality, threat modeling, and numerous other core SDL tenets—such as static analysis, bug bars, fuzz testing, and correct cryptographic design—apply to IoT, cloud, and mobile as much as they do to three-tier applications and websites. For example, Microsoft recently released a paper on IoT security architecture, and the first section’s title is ‘Security starts with a threat model.’
Same problem, different day
My own phrase for this concept is “same problem, different day,” and I have experienced nearly the exact same feeling when working with customers on these topics (IoT, mobile, cloud, and so on). While I certainly acknowledge that these things do in fact encompass new capabilities, it remains remarkable to me how much the simple fundamentals still apply in software security—especially the idea that security starts with a threat model. The first step in security is indeed understanding what it is you’re trying to protect, how it is (or has been) attacked, and how it is (or has been) defended.
Stick to the fundamentals
Unfortunately, I still see more scattershot than fundamentally grounded approaches in software and application security nowadays. One of my favorite ongoing themes is that software and application security can be straightforward if one just sticks to the fundamentals! Michael and Steve’s book provides no better reminder of this timeless truth.
