Why do I need SDL?

The purpose of an application Security Development Lifecycle (SDL) program is to foster a security mindset in the software development culture through repeatable processes, checkpoints, tooling, and training. Developers trained in SDL best practices are more likely to take a proactive position on security rather than a reactive position. We work closely with your software engineers and key stakeholders to craft and implement an SDL program tailored specifically for your company.

SDL is ISO 27034 compliant, technology agnostic, and is designed to be easily incorporated into the existing Software Development Life Cycle (SDLC) whether that be Agile or Waterfall. Experience at Microsoft and many other industry adopters has shown that integration of SDL with the SDLC process leads to significant security gains over practices implemented piecemeal or ad-hoc.

As a consulting member of Microsoft's exclusive SDL Pro Network, Casaba is recognized and endorsed by Microsoft as an industry leader in application security and SDL. Casaba is one of a few select cybersecurity companies with the expertise to deliver and build on all phases of the Security Development Lifecycle. By working closely with both engineers and management, Casaba delivers quantifiable results by cultivating critical security practices at every stage of software development.

How does Casaba approach building an SDL program?

Casaba has a thorough approach to developing an SDL program tailor-made for your company. With years' worth of hands-on experience building and managing SDL programs, we leverage the well-tested and documented Microsoft SDL Optimization Model, based on Microsoft's more than 10 years of SDL pioneering work, as well as the invaluable Building Security In Maturity Model (BSIMM), a scientific study of real SDL programs across 78 companies in the ISV, consumer electronics, and health care industries.

We understand that integrating SDL into an existing development environment can be a culture shift that requires presenting SDL concepts and requirements in a very thoughtful and engaging way. Concerns about capacity and resource impact may arise from product owners who understandably do not want to let their ship dates slip. For an SDL program to be successful, those and other concerns must be heard and considered. Casaba works across divisional boundaries to evangelize the SDL and educate key stakeholders.

A well-functioning SDL will have product teams asking for it. But to get to that stage, they first need to understand and work with SDL in an opportunistic way that does not create strife. The BSIMM data tells a very clear story: SDL programs that were successful did not mandate roadblocks; they invited voluntary participation. Over time, this voluntary participation can turn into an official and high-visibility accreditation process.

Our approach is to work face-to-face with your company's leadership, and in the field with your development staff, through the following four major phases:

  1. Assess
    We begin by understanding your organization and goals, working closely with your CIO or CISO and key stakeholders. Through breakout discussions with subject matter experts, we perform a maturity assessment to establish the current state of security in your SDLC across the following areas: training, policy, capability, requirements, design, implementation, verification, release, and response. The measuring sticks we use are the Microsoft SDL and the BSIMM.
  2. Identify and Create
    Informed by your organization's current and desired positions within the SDL maturity model, we create the requirements and capabilities for your SDL program, including training requirements, bug bars, quality gates, and more. The bulk of the recommendations and guidance are created during this phase, when we work closely with our point of contact and key stakeholders to determine the details that will make your SDL program a success and provide the desired metrics for management visibility.
  3. Evaluate and Plan
    In this pivotal phase we shift to determining what needs to be done to implement the capabilities as outlined. We also prepare an SDL advisory team with defined roles, and select the application pilots which will be used to evaluate the SDL implementation.
  4. Deploy
    As the culmination of the previous phases, we execute the SDL program by guiding a select group of application pilots through the established requirements and processes. This stage is expected to require the most time from your development staff and the most field work from Casaba. To start, development staff receive training on threat modeling and SDL basics. Following this, Casaba and members of the SDL advisory team guide the pilots through application threat modeling, security testing, and bug triage.

What results will I get?

SDL at any maturity level helps to protect customers, innovate efficiently, and stay ahead of competitors. At the Advanced or Dynamic levels, a fully integrated SDL program has proven ROI for adopters which:

  • Manages compliance with standards such as HIPAA and PCI DSS
  • Simplifies the onboarding process for developers
  • Scales security practices across divisions
  • Moves security practices from a reactive to a proactive position
  • Quantifies risk and achievements
  • Enables visibility for executive leadership

Casaba is committed to making this transition as painless as possible for your company. We will compile regular reports detailing your progress through the program, prominent strengths and weaknesses, and milestones to aim for next.

Additionally, adopting SDL will allow leadership, key stakeholders, investors, and the public to trust your commitment to secure development practices. The presence of a strong SDL program can also be a strong deterrent to potential attackers.

A strong SDL program cultivates standardized channels for thorough process documentation and communication between groups, enabling efficiency without compromising secure practices. This good communication and process documentation will allow you to quantify your risks and take appropriate action before the risk turns into a vulnerability. Casaba specializes in making sure you have the capabilities and resources to enumerate and mitigate your risks before it's too late.

What kind of metrics will I get?

The first set of metrics will be the scorecards describing your organization's SDL maturity level. Even if you don't have an official SDL program, you likely have at least a few of the pieces in place already.

Some of the most valuable metrics will become available as artifacts of the working SDL program, including:

  • An application inventory with data classifications.
  • A record of risk questionnaires for each of your applications.
  • Threat models for each application.
  • Bug tracking metrics, capturing security cause, effect, and impact.
  • A record of accredited final security review signoffs.

The initial report will detail the current state of security in your company and contrast it with the desired SDL maturity level. The report will then lay out a comprehensive roadmap detailing the most important weaknesses and the steps needed to address them.

From this point forward, there will be regular reports describing the progress that has been made toward the goal. These reports will describe both important milestones that have been met since the last report, and the steps necessary to meet future milestones. Both BSIMM6 and MSDL scorecards (as shown in the Sample Scorecards below) will be provided, giving clear, concise checklists of progress toward your goal in all areas of the SDL program.

Microsoft SDL Sample Scorecard

Microsoft established a security-industry benchmark when it released a working SDL framework as a public offering in 2008. The scorecard below represents a slightly modified version of the Microsoft Simplified SDL. It measures 52 specific capabilities across 5 phases of the SDLC. Our first goal in working with you is to get you to the maturity level represented here: all "standard" SDL capabilities are implemented (those highlighted in green), meaning you have an industry-standard SDL program in place. The items highlighted in red represent higher maturity levels which you may reach over time.

BSIMM6 Sample Scorecard

The BSIMM6 study looked at 78 organizations across many industries and gathered data about their SDL program maturity levels to learn about the variations in SDL implementations as well as the common ground. The BSIMM captures metrics on 112 capabilities across 12 practice areas, providing a more granular view than the Microsoft SDL scorecard. The BSIMM measures capability across 3 SDL maturity levels, and the sample scorecard below illustrates a company that has implemented all 40 capabilities in the first of the three maturity levels. The items in red represent capabilities in higher maturity levels which the company has not yet reached.

Casaba prides itself on providing the most thorough, transparent reports possible for executive management. The metrics provided will cover progress through the program, areas where improvement is needed, and important milestones to aim for.

How long will it take?

The average amount of time the 78 companies in BSIMM6 had practiced software security was 4 years, with the youngest being less than a year and the oldest over 15 years. How long it takes to get all the parts of a basic SDL in place depends on the size of the organization, divisional barriers, and the culture.

For an organization with hundreds of engineers and dozens to hundreds of software projects, it might take 6 months to stand up a standardized SDL program that has graduated a handful of pilot applications. After that, it could be 18-24 months before the entire organization has embraced your SDL program as a daily practice, and subsequent years will be spent advancing its maturity.

As evidenced by the BSIMM data, two requirements are certain for an SDL program to be healthy and well-functioning:

  1. The SDL program has the full support of executive management.
  2. A central Software Security Group (SSG) is in place to own, evangelize, and guide the SDL program.

How long it takes to get SDL off the ground largely depends on these two factors. Get in touch with us today to learn more.