SDL Trickle Down Theory

I just read a new article over in CSO-Online about our VP of Trustworthy Computing at Microsoft, Scott Charney.

In it, they refer to him as the "Axe Man" because of his ability to stop products from rolling out due to security concerns:

Since Charney joined Microsoft, on five occasions vice presidents in charge of products have disagreed with his no-ship order, Charney said recently to a group of reporters at Microsoft's headquarters in Redmond, Washington. Craig Mundie, chief research and strategy officer at Microsoft, was called to settle the disputes, and each time he sustained Charney's no-ship order.

I think the article unfairly characterizes Scott as an "Axe Man", as there are a large number of people and processes at Microsoft that can hold up, delay, or even cause a project to be canceled.

What is important about the article, however, is the way it exemplifies the critical need for management understanding, sponsorship and backing of the SDL if it is to succeed. For instance, what if Scott hadn't had Craig's backing in the disagreements described above? There is a good chance that the product managers would have pushed forward, and the SDL wouldn't have been worth the paper it was printed on.

In many organizations I visit to talk about Threat Modeling and the SDL, I find myself speaking to software project managers, or even technical developers and sys admins! While this is great, it's the wrong audience. The foundation for successfully implementing the SDL in any organization has to start with executive management, and their promise to support a hold-up of a roll-out if certain types of security problems are found with a product (see appendix N of the Microsoft SDL for tips on establishing a "bug bar", which can help with this).

Too often, I see the SDL being talked about in terms of a technical process for developers and testers. As with any initiative, without executive backing the chances of success are low. The SDL has to start with management sponsorship and backing, and then "trickle down" to project managers, developers, testers and admins if it is to succeed.