fertile field in which to work. As a consequence, we have to make
sure we are doing better vulnerability management. We also have to
look toward the future and ask ourselves, “How can we avoid having
these types of vulnerabilities in future generations of software that
we are increasingly dependent on?” The answer to this question is
particularly important because it is very beneficial to companies to
reduce these vulnerabilities and to stop them during the software
development process. It is significantly less expensive to build security
in through the use of an SDL than to come back and fix it post-release.
2. The second issue is that we need to start looking at a whole generation
of what is referred to as “zero-day vulnerabilities.” If we can
eliminate the likelihood of finding a zero day by not allowing the
vulnerabilities to take place from the very beginning by adhering
to the best practices of a solid SDL, it will save companies money,
make the software and its users more secure and the critical
infrastructure more resilient, and, overall, be more beneficial to us all.
As the Executive Director of the Software Assurance Forum for
Excellence in Code (SAFECode), a nonprofit organization dedicated
exclusively to increasing trust in information and communications
technology products and services through the advancement of effective
software assurance methods, I currently have a major focus on security
training for developers. The lack of security awareness and education
among the software engineering workforce can be a significant obstacle
to organizations working to implement software security programs.
However, better training for software developers so they have the skills
needed to write secure code is just one of the variables in the software
security equation. Software projects are under the constraints of costs
and tight timelines. In those situations, it is inevitable that security is
sacrificed somewhere because of shortcuts taken. Cost, time, and resources
are typically the triad of software development supporting security, and
if you sacrifice one of the three, security and quality suffer. A software
development environment is built around a programmer who is pressured
on every side to work faster, to cut corners, and to produce more code at
the expense of security and quality.
It is impossible to have 100 percent security, but the developers and
their management should always strive to maximize the mitigation of
risk. It is about making it so difficult to access in an unauthorized
manner that adversaries:
xiv Core Software Security