SDL That Won't Break the Bank

Conference: BlackHat USA 2018

The presentation discusses the importance of Secure Development Lifecycle (SDL) in building secure software and how it can be tailored for small companies. The main thesis is that developers build secure software and the security team can train, provide tools, consult, and advise them on secure development. Root cause analysis is crucial in driving the development process. The presentation emphasizes the need to manage third-party components and have a response process in place. The main points are:
  • SDL is crucial in building secure software
  • Developers build secure software
  • Security team can train, provide tools, consult, and advise developers
  • Root cause analysis is crucial in driving the development process
  • Manage third-party components
  • Have a response process in place

The presenter highlights the importance of SDL in building secure software and how it can be tailored for small companies. He notes that smaller companies may have a smaller security team, a smaller budget, and management that may not understand the importance of secure development. However, it is crucial to think about the company's situation and the criticality of its products. The presenter also emphasizes that a bug bounty program is not a substitute for an SDL process. He notes that penetration testing is crucial in finding vulnerabilities, but it is not a deterministic way of testing software. The presenter also mentions that threat modeling is important in building a secure architecture and design. However, it is not the only activity in the SDL process.


Over the last fifteen years, many large software development organizations have adopted Security Development Lifecycle (SDL) processes as effective approaches to delivering secure software. Motivation for SDL comes from the realization that software vulnerabilities can have real impacts – on information security, on organizations' reputations, on customer satisfaction, and on revenues. But what if you don't have 40,000 developers and run a small to medium dev shop?

Fortunately, SDL adoption need not be "only for the rich." While large organizations have the resources to create large teams and customized tools, smaller organizations have the advantage that they can focus an SDL on the specific products, tools, and threats that are relevant to the software they produce. They can also benefit from a wide array of free and affordable resources that can help them address many of the challenges posed by creating and sustaining an SDL program. With management commitment to SDL fundamentals and an investment of resources proportional to the size of the development organization and its products, it's possible for small organizations to build an SDL program and deliver software that customers will find secure.

This briefing will describe some resources that can help smaller organizations create an effective SDL program. It will also outline some secure development concerns that may be especially important to those organizations – such as dependence on software they didn't write – and ways that they can address those concerns.