Recently Marcus Ranum (a person I greatly admire in information security) spoke at a security conference on how Software Insecurity is Our Biggest Weakness. Specifically, how insecure or poorly coded software, and the vulnerabilities they result in, is the number one risk to information security. This got me thinking about the importance of SDLC (Secure Development Life Cycle). SDLC is the documented processes and standards an organization uses to ensure that developers plan and create secure code from the ground up. The idea being if we can 'bake in' secure code from the beginning, we can dramatically reduce the number of software vulnerabilities and as a result reduce the number/percentage of successful attacks. While I agree SDLC is very important (especially now for web applications and the cloud) my concern is it alone will not solve our security problem. We also need to focus on the human.
The reason is simple. Even once we fix all the vulnerabilities in insecure code, we still have a tremendous weakness, the human. Take a look at Microrsoft. In 2001 Microsoft released Windows XP, an attackers dream. The original release was so insecure you literally could count the estimated life expectancy of a default XP deployment in a matter of seconds (made for great fun deploying honeypots!). Since the days of XP Microsoft has created one of the most mature and well known SDLC's in the security community, in many ways their SDLC process is considered the gold standard. As a result of their SDLC processes, it is now much more difficult for cyber threats to hack into the latest versions of their desktop software. So here we have a technology that has become far more secure, a SDLC success story. As such, we would think the number of compromised systems would have reduced signifigantly, if not eliminated. But that is not the case. A big part of the reason is attackers have shifted their target from just exploiting vulnerabilities in code to exploiting vulnerabilities in humans, with social engineering examples such as rogue anti-virus, malicious attachments in spam, phishing sites, etc. My concern is if we focus only on SLDC we may have the most secure code in the world but cyber threats will continue to bypass technology and exploit the weakest link, human vulnerabilities. In the end I do not believe one or the other are the solution, I believe it is the combination of both. When you think about it SDLC is nothing more then security awareness and education for developers, the goal is to resolve technical vulnerabilities. Awareness programs are similar, however instead of focusing on technical vulnerabilities the goal is to focus on human vulnerabilities.