SDL for Apps and Verticals

What's one path the SDL (Security Development Lifecycle) can take to amplify impact? From my perspective, I think the key is specialization for app types and verticals. I base this on lessons learned from shaping prescriptive guidance over the years, the market trend for specialization, and what I learned doing competitive assessments. I also know the enormous difference that getting specific can make (for example, our original patterns & practices threat modeling was one-size-fits-all -- now we shape it based on app type. This lets us integrate more precise "building codes," patterns, and recommendations.)

Conceptual Framework / Mental Model
Here's a strawman I put together of a conceptual model to paint the possibilities.


App Types
Imagine app-type specific prescriptive guidance, services, tooling, process ...

  • SDL for Web Applications
  • SDL for Mobile
  • SDL for Web Services
  • SDL for Smart Clients
    … etc.

Imagine SDL for verticals ...

  • SDL for Manufacturing
  • SDL for Financial
  • SDL for Retail
    … etc.

Key Concepts

  • SDL for App Types means specific “building codes” (ASP.NET security guidelines, ADO.NET security guidelines … etc.)
  • SDL for Verticals means industry-specific guidance for security requirements (HIPAA, … etc.)
  • SDL for Verticals and App Types can be turned into “Factories”
  • SDL for Verticals and App Types can be turned into “MSF Templates”
  • SDL for Verticals and App Types means “right-sized” services.

Key Assets
My take on what the various parties bring to the table ...

  • patterns & practices.  Expert techniques, guidelines, checklists, patterns, “building codes”, how-tos, Factories, Guidance Explorer, Vertical Solutions, Customer Verification, Influencers, MSDN Channel, VSTS channels/hooks.
  • ACE.  Execution / Services Delivery excellence, libraries of threats, attacks, vulnerabilities, countermeasures, Enterprise Threat Modeling Tool.
  • Visual Studio Team System.  Factories, MSF Templates, Code Analysis Rule Sets, Code Analysis Tools, integration of people/process/tools.
  • SDL Team(s).  Process Model, Product Recommendations, Security Engineering excellence.

While it requires a bit of coordination and focus in key areas, I think it's both technically feasible and would deliver a ton of customer value.  The sum is better than the parts.  Thoughts?
