Sep 22, 2008

SDL vs Common Sense

Last week Microsoft finally decided to open up and share their Secure Development Lifecycle (SDL) methodology with the world. The announcement can be seen here.

Although some may argue that the SDL is nothing more than just common sense, I believe that there's more to it than just that:
  • Recognizing the methodology. A lot of the things preached by the SDL can be discovered through common sense. Some, like the STRIDE model in threat modeling, however, are not so obvious to the generally unarmed eye of the developer/architect. In essence, the SDL is a narrow and focused approach to presenting key ideas that otherwise exist in the vast knowledge pool known as common sense. It is my personal belief that these key ideas will be lost (or at the very least not followed, which is practically the same) if they are not encompassed in a methodology such as the SDL.
  • Locking down the process. One of the coolest things (and probably the coolest) in the SDL is its ability to lock down each of the sub-processes that make up the development lifecycle. The SDL provides actionable steps at each of the phases of development -- starting with requirements and ending with response. Having worked with various parts of the SDL for some time, I really believe that through understanding each step of the methodology and the supporting tools, software vendors will be able to minimize the security bugs in their products.