What’s one path the SDL (Security Development Life Cycle) can take to amplify impact? From my perspective, I think the key is specialization for app types and verticals. I base this on lessons learned from shaping prescriptive guidance over the years, the market trend for specialization, and what I learned doing competitive assessments. I also know the enormous difference that getting specific can make (for example, our original patterns & practices threat modeling was one-size-fits-all — now we shape it based on app type. This lets us integrate more precise “building codes,” patterns, and recommendations.)
Conceptual Framework / Mental Model
Here’s a strawman I put together of a conceptual model to paint the possibilities.
Imagine app-type specific prescriptive guidance, services, tooling, process …
- SDL for Web Applications
- SDL for Mobile
- SDL for Web Services
- SDL for Smart Clients
Imagine SDL for verticals …
- SDL for Manufacturing
- SDL for Financial
- SDL for Retail
- SDL for App Types means specific “building codes” (ASP.NET security guidelines, ADO.NET security guidelines … etc.)
- SDL for Verticals means industry-specific guidance for security requirements (HIPAA, … etc.)
- SDL for Vertical and App Types can be turned into “Factories”
- SDL for Verticals and App Types can be turned into “MSF Templates”
- SDL for Verticals and App Types means “right-sized” services.
My take on what the various parties bring to the table …
- patterns & practices. Expert techniques, guidelines, checklists, patterns, “building codes”, how tos, Factories, Guidance Explorer, Vertical Solutions, Customer Verification, Influencers, MSDN Channel, VSTS channels/hooks.
- ACE. Execution / Services Delivery excellence, libraries of threats, attacks, vulnerabilities, countermeasures, Enterprise Threat Modeling Tool.
- Visual Studio Team System. Factories, MSF Templates, Code Analysis Rule Sets, Code Analysis Tools, integration of people/process/tools.
- SDL Team(s). Process Model, Product Recommendations, Security Engineering excellence.
While it requires a bit of coordination and focus in key areas, I think it’s both technically feasible and would deliver a ton of customer value. The sum is better than the parts. Thoughts?