Duct Tape, Band-Aids and Bubble Gum
Shouldn’t Be Used to Build Security
Security Innovation, Inc.
187 Ballardvale Street, Suite A170
Wilmington, MA 01887
Duct Tape, Band-Aids and Bubble Gum Shouldn’t Be Used to Build Security
hroughout my time spent delivering talks at security conferences and in classrooms of prominent
software companies, I consistently hear the same question: “What can we do to secure our
software completely?” This question typically comes in response to feeling completely
overwhelmed by all the best practices, methodologies, and techniques to which my audience has just
SDLC by Any Other Name….
Unfortunately there is no single or easy answer to this question. Security must be dealt with and
considered in every phase of the software development lifecycle. I know practitioners would rather that
I discuss the silver bullet solution, but there is none. Security in the SDLC is essential – so much so that
Microsoft has bestowed upon it a completely new name: the Secure Development Lifecycle, or SDL.
While these acronyms may be similar, the way we think about software differs drastically in each model.
The original software development lifecycle was created to deliver applications that are feature-rich, free
of bugs and are shipped on time. It was designed at a time prior to security being the prevalent issue
that it is today. The Secure Development Lifecycle attempts to marry the pillars of the original SDLC with
fundamental secure practices throughout the lifecycle. This practice will create an application that has a
secure core and can better withstand attacks.
When software development teams begin to think about security early in the SDLC, it reforms our ideas
of what our software will look like and gives us flexibility to address the concerns of not only security,