Fixing an Insecure Software Life Cycle

The Status Quo of Software Development Life Cycles

The geography we have created is all about speed, convenience, and scale; security is an afterthought.

General Michael Hayden, retired head of CIA, NSA

Reid Hoffman, the founder of LinkedIn, famously said, “If you are not embarrassed by the first version of your product, you’ve launched too late.” Although this has been the status quo in software innovation to achieve a proverbial leg up on the competition, it can be a dangerous status quo when it comes to the security of a software product.

Embarrassment arising from software might indeed be an acceptable risk when it applies to functionality, to features, or to the user interface (UI) or user experience (UX). However, when embarrassment is the potential result of a compromise of your users’ security or privacy, it should be considered a completely unacceptable risk.

The challenge within the Software Development Life Cycle (SDLC) is to include both offensive testing and defensive building in organizational security strategy. Security is not one or the other—because offensive testing and incident response are not replacements for good code, strong architecture, and threat-based design.

This report discusses how security practitioners can work with other stakeholders in your organization to improve the security of an existing SDLC. Software is often created and released before formal security oversight is implemented, so it is important ...
