Applying the SDL Framework to the Real World 265
essentially follow a foreshortened SDL cycle to get the errors remediated,
tested, and released.
Testing shows the presence, not the absence of bugs.
2
Out of the population of extant errors, some proportion will have
effects that can be manipulated to the advantage of an attacker; that is, these
errors will be security “vulnerabilities.” We focus here on vulnerabilities.
There is reasonable certainty that developers will produce incorrect
code at least some of the time and some of those errors will be subject
to malicious manipulation, ergo, there will be vulnerabilities in the
code. This is not a reason to abandon efforts to write correct code. The
advantages of correctness at the outset far outweigh the expenditure; it
is an established fact that achieving correctness as early as possible in the
develop ment cycle is by far cheaper and easier. The earliest point will be
when the code is written.
There are several complementary activities that, when put together,
will contribute to fewer security defects as code is being written: developer
training, safe libraries, and proven implementations generalized for reuse.
Obviously, developers must know what is expected of them, where
to pay attention to security, and what the correct behavior is that must
be programmed. Any and all training approaches have benefit, although
some approaches have less effectiveness than may be obvious.
Developers should understand, at a very high level, that some defects
have profound effects within the software they write. Functional speci-
fications describe how the software will be used. Among these specifi-
cations will be those security attributes and features that users and the
owners of the software require. Generally, that which has been specified
gets built. That is not to say that errors don’t creep in; they do. But since
the properties are a part of the requirements, developers have an organic
exposure to systems such as authentication and authorization, and to the
API functions and classes that implement communications protections,
such as TLS/SSL. If specified, the developer will generally attempt to
build the functionality.
The security industry has primarily been interested in vulnerabil-
ity (something that can be exploited), that is, in security weakness.
Vulnerabilities are defects that when manipulated cause side effects
that can be used to advantage; vulnerabilities are bugs. Since security