There’s a popular article on CNET about why the security industry never actually makes us secure. They make specific note about how Microsoft’s SDL program is a success, but that the solution doesn’t scale.
We at Security Compass and SD Elements tend to be more optimistic about scaling an SDL program. Secure Application Lifecycle Management tools arm security & development teams with consistent, reliable upfront application security requirements. Top tier hands-on Computer Based Training classes are making self-paced education more accessible.
In our experience, industry has one major hurdle to achieving holistic secure SDLC at scale: insufficient data.
Getting development management to understand a business case for a holistic secure SDLC is one hurdle. Getting individual developers to embrace the change is, potentially, a much larger one. As John Wilander pointed out, security competes with user interaction design, test-driven development, availability, scalability, reliability, performance and many other design considerations for precious time in the early phases of a development iteration / release. Security does not have a monopoly on the “earlier is better” mantra. Security competes with other factors, and doesn’t contribute much to client-feature directed activities such as a Sprint Review Meeting. If we want developers to move away from crash testing, we need hard evidence that the up-front investment is worth it. Most security practitioners have empirical data that investing in security early is valuable, but that just won’t cut it. Luckily, we’re beginning to see real data on this: Microsoft points to a Forrester report and an Aberdeen Group report that both illustrate a positive ROI for adopting a secure development lifecycle. Forward thinking members of academia, such as Bill Chu and his team from UNCC, are also starting to research the issue. We need more. We need wide-spread, indisputable evidence to convince developers and management that a little time up-front saves major security remediation headaches down the road.
This sort of challenge isn’t unique to early-phase application security: it’s analogous to the difficulties Atul Gawande and fellow researchers faced when using checklists in operating rooms to reduce surgical defects (see the Checklist Manifesto). Surgeons were skeptical about this tool, but hard data from research indicated that adherence to simple checklists cut down deaths by 47%. Application security needs more solid, research-backed numbers like this. Armed with sufficient, indisputable data, we may just have a shot at achieving application security at scale.