20 Core Software Security
2.1 Overcoming Challenges in Making Software Secure
As mentioned in Chapter 1, SDLs are the key step in the evolution of
software security and have helped to bring attention to the need to build
security into the software development lifecycle. In the past, software
product stakeholders did not view software security as a high priority. It
was believed that a secure network infrastructure would provide the level
of protection needed against malicious attacks. In recent history, however,
network security alone has proved inadequate against such attacks.
Users have been successful in penetrating valid channels of authentication
through techniques such as Cross-Site Scripting (XSS), Structured
Query Language (SQL) injection, and buffer overflow exploitation. In
such cases system assets were compromised and both data and organizational
integrity were damaged. The security industry has tried to solve
software security problems through stopgap measures. First came platform
security (OS security), then came network/perimeter security, and
now application security. We do need defense-in-depth to protect our
assets, but fundamentally the problem is a software security flaw, and it
needs to be remediated through an SDL approach.
The SDL has as its base components all of the activities and security
controls needed to develop industry and government-compliant and best
practices–hardened software. A knowledgeable staff as well as secure
software policies and controls are required in order to truly prevent,
identify, and mitigate exploitable vulnerabilities within developed systems.
Failing to meet even the least of the activities found within the SDL
provides an opportunity for misuse of system assets from both insider and
outsider threats. Security is not simply a network requirement; it is now
an information technology (IT) requirement, which includes the development
of all software intended to distribute, store, and manipulate information.
Organizations must implement the highest standards of development
in order to ensure the highest quality of products for their customers
and the lives they protect.
Implementation of an SDL program ensures that security is inherent
in good enterprise software design and development, not an afterthought
included later in production. Taking an SDL approach yields tangible
benefits such as ensuring that all software releases meet minimum security
criteria, and that all stakeholders support and enforce security guidelines.