276 Core Software Security
focus on timely delivery is well embedded at the point when a software
security practice is started or improved. It is only natural that teams will
want to know how, in their already busy schedules, they will manage to
accomplish a series of what appear to be additional tasks.
Obviously, one can argue that developers should have been integrating
security into development practices already. Interestingly, many times,
teams have responded that they are, in fact, doing just that: producing
“secure” software. “Secure” here is an operative term; “security” has no
precise meaning and is highly overloaded.
Digging a little deeper, we will be told that the authentication mecha-
nism for the software has been well thought through and is built and
tested. Or, perhaps, all communications going over the network can be
placed within an encrypted tunnel (usually, TLS). Rarely, previous to the
instantiation of a strong SDL program, do teams respond in a holistic
manner, acknowledging the range of tasks that must receive attention,
from design through testing. And that is precisely the problem that work-
ing with the SDL is supposed to address: holistic, built-in security, soup
to nuts, end to end.
Because security is often presented as a matrix of tasks, teams may see
the large number of tasks and become overwhelmed as a result. Time and
again, we have heard team leads and development managers ask, “What
do I have to do?” Since the answer to that question really should depend
on the type of project at hand, the security architect may answer, “Well,
that depends.” This answer is not very satisfying to people who have made
a practice out of timely and orderly software delivery: product managers,
project managers, technical leads, and development managers.
Then, the security person will be asked, “What is the minimum set of
activities that my project will have?” Requesting a minimum task set is cer-
tainly a relevant and worthy question. The answer, “Well, that depends,”
is once again not at all satisfying. We realized that having the security
architect as the sole arbiter of what must be done too often makes a mys-
tery of the entire process. Planning becomes more difficult. Yet again,
security is seen as a hindrance and an obstacle, not as one of the required
deliverables that must be a part of production software.
After much trial and error over many years, on divergent develop-
ment groups operating within multiple enterprise organizations, we
have crystallized a set of questions that can be easily answered by pro-
ject managers, architects, technical and engineering leads, and/or product
managers. These people typically have the understanding to assess the