Introduction 9
embedded in code. Static analysis tools can, however, peer into more
of a program’s dark corners with less fuss than dynamic analysis, which
requires actually running the code. Static analysis also has the potential to
be applied before a program reaches a level of completion at which testing
can be meaningfully performed. The earlier security risks are identified
and managed in the software development lifecycle, the better.
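The contrast drawn above (static analysis inspects every path in the source, dynamic analysis only sees what a test run actually executes) can be made concrete with a small experiment. The following is an added example written for this edit, not code from the book: a minimal static checker built on Python's `ast` module is run over a constructed sample program that carries a shell-command sink in an error-recovery branch, and the same program is then exercised by a happy-path test under `sys.settrace` to record which lines the dynamic run reaches. The sample program, the sink list, and the function names (`find_shell_sinks`, `lines_executed_by_test`) are all assumptions made for the illustration.

```python
"""Static versus dynamic analysis on a constructed sample (added example)."""
import ast
import sys
import tempfile
from typing import List, Set, Tuple

# Constructed sample program. The os.system() call builds its command from
# caller-controlled data, but it sits in a recovery branch that only runs
# when the output directory is missing; a functional test that passes a
# valid directory never executes it.
SAMPLE_SOURCE = '''\
import os

def build_archive_command(name, outdir="/tmp/reports"):
    if not os.path.isdir(outdir):
        # Recovery branch: tests with a valid outdir never reach it.
        os.system("mkdir -p " + outdir)
    return ["tar", "czf", os.path.join(outdir, name + ".tgz"), name]
'''

# Calls that hand a string to a shell or code interpreter (assumed list).
SHELL_SINKS = {"os.system", "os.popen", "eval", "exec"}


def _call_name(node: ast.Call) -> str:
    """Dotted name of the called function, e.g. 'os.system' or 'eval'."""
    parts = []
    func = node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _has_shell_true(node: ast.Call) -> bool:
    """True when the call passes shell=True as a literal keyword."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in node.keywords
    )


def find_shell_sinks(source: str) -> List[Tuple[int, str]]:
    """Static pass: report every shell/eval sink whose first argument is
    not a string literal, i.e. a command assembled at runtime.  Every
    branch of the source is inspected, executed or not."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        is_sink = name in SHELL_SINKS or (
            name.startswith("subprocess.") and _has_shell_true(node)
        )
        if not is_sink:
            continue
        first = node.args[0] if node.args else None
        if isinstance(first, ast.Constant):
            continue  # fixed string literal: no injection surface
        findings.append((node.lineno, f"{name}() with runtime-built command"))
    return sorted(findings)


def lines_executed_by_test(source: str) -> Set[int]:
    """Dynamic pass: run the sample's happy-path test (a directory that
    exists) while tracing which source lines execute.  This is all a
    dynamic tool gets to see for that test input."""
    namespace: dict = {}
    exec(compile(source, "<sample>", "exec"), namespace)
    executed: Set[int] = set()

    def tracer(frame, event, arg):
        if frame.f_code.co_filename == "<sample>" and event == "line":
            executed.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        namespace["build_archive_command"]("q1", tempfile.gettempdir())
    finally:
        sys.settrace(None)
    return executed


if __name__ == "__main__":
    for line, what in find_shell_sinks(SAMPLE_SOURCE):
        print(f"static: line {line}: {what}")
    ran = lines_executed_by_test(SAMPLE_SOURCE)
    print(f"dynamic: happy-path test executed lines {sorted(ran)}")
```

Run stand-alone, the static pass reports the `os.system()` call on line 6 of the sample, while the traced happy-path test shows that line 6 never executed, so a purely dynamic test at that stage would have had nothing to observe. The checker is deliberately crude (a name match plus a "is the argument a literal?" test) and would need taint tracking to avoid false positives on commands built from trusted constants, which is exactly the trade-off between breadth and precision the paragraph alludes to.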
While these SDL practices are sound in theory, results when they are
applied across enterprises have been mixed, for several reasons. Legacy
code still makes up a large share of the industry's codebase, and
retrofitting these practices to it is very difficult. Software outsourcing
or off-shoring is another area in which the practices are hard to
implement efficiently. Software developers and companies often work under
tight deadlines to ship a product ahead of the competition, so software
security has typically taken a back seat. And there is a lack of
management commitment to implementing SDL practices effectively in such
a fast-moving environment, where software security is often treated as
an afterthought.
Even though some security practices, such as penetration testing, source
code scanning, security-oriented testing, and security education, are
common to both software security and application security, there is no
substitute for integrating security into the software development
lifecycle. The human element of the process is key to the success of any
security development process, and it requires seasoned software security
architects and engineers. Threat modeling, together with applying
principles such as least privilege and defense in depth, is perhaps the
best understood, most important, and most needed element of the software
development lifecycle, and it requires human expertise rather than tools
to accomplish. One must also gather the real security requirements for a
system, considering compliance, safety issues, contractual requirements,
what data the application will process, and business risk.
Training is another critical element of the SDL that depends on the
human element. Training helps to reduce the cost of security, and an
effective training program will motivate your development team to
produce more secure software with fewer defects, more efficiently and at
lower cost. It should be emphasized that no point solution will provide
a complete answer for software security; rather, a holistic defense-in-depth
approach is required, blending people, process, and technology with a
heavy emphasis on people. Although tools can parse