What can secure software development learn from Shakespeare, Roosevelt and Nehru?


Do you know what William Shakespeare, Eleanor Roosevelt and Jawaharlal Nehru have in common with the data security expert community (and possibly you)?


The Security Development Conference that has just been held in Washington D.C. provides the answer.

But why has there been a conference dealing with security in the application development process at all? Isn’t it sufficient to guard the perimeters of your IT environment with firewalls, IPSs and the like to keep the bad guys out?

Unfortunately, it isn’t anymore.

The classic fortress model no longer keeps up with the rise of mobile devices and wireless data links. Consequently, there is an increasing focus on the applications themselves as gateways for intruders. All too often, buffer overflows, privilege escalations, cryptographic weaknesses and other exposures have paved the way for successful attacks. To mitigate them, the software development process itself needs to change.

Conference host Microsoft, which had learned this lesson the hard way, changed its security course some 10 years ago. It pioneered the Security Development Lifecycle (SDL), a holistic process that complements the classic Software Development Lifecycle (SDLC) with security-oriented elements in all of its phases.

In fact, it is not sufficient to simply turn on some switches (e.g. for Data Execution Prevention and Address Space Layout Randomization) in the application build process to activate security. The most important switch that needs to be flipped is the security awareness switch in the heads of all participants in the SDLC.

Building security in is an intrinsic process rather than just a complement, and it needs to be absorbed by all stakeholders, from PMs through development and QA staff to technical support and development management.

Many companies, including Sophos, have adopted such a process since.

Sophos has development sites worldwide that follow both classic and agile SDLCs. We understood that there cannot be a “one size fits all” implementation of the SDL for all sites. Instead, we developed a common set of high-level guidelines called the Sophos SDL (SSDL), which branch into individual incarnations per site and/or business unit.

Experts from all Sophos sites meet regularly and coordinate further SSDL activities with the goal of maintaining a comparable level of code security across the company.

Instruments like threat modeling, source code reviews and security-oriented testing found their way into development. Just as importantly, we needed to learn to think like black hats in order to prevent attacks on our existing applications.

Therefore, all Sophos development and QA engineers underwent a dedicated SDL training, where we gained profound insights into the minds of attackers, and into how to design, code and test our software in order to defend against them.

And this is where I can explain the link with Shakespeare, Eleanor Roosevelt and Nehru.

Microsoft’s Shawn Hernan provided the following excellent metaphor in one of the conference talks:

William Shakespeare wrote, “What is past is prologue.” (Attack patterns repeat.)

Eleanor Roosevelt stated, “Learn from the mistakes of others. You can’t live long enough to make them all yourself.”

Finally, Jawaharlal Nehru said, “Let us be a little humble; let us think that the truth may not perhaps be entirely with us.”

Of course, you can’t expect the process to yield results within only a few months. Nevertheless, in the long term, you as our customer should see a growing resilience of our software against attacks, which will also increase your ROI.

Ultimately, the SSDL is an investment that all of us will benefit from.