16 Core Software Security
outline a model for mapping SDL best practices to the software development lifecycle and how you can use this to build a mature SDL program.
Although security is not a natural component of the way industry has been building software in recent years, we believe that security improvements to development processes are possible, practical, and essential, and we trust that the software security best practices and model presented in this book will make this clear to every reader, whether you are an executive, manager, or practitioner.