Secure Development: More than „just“ code!


I just read an interesting post by Michael Howard (Security is bigger than finding and fixing bugs). He refers to a statement Google seem to have made on its development practices (Google shares its security secrets):

In order to keep its products safe, Google has adopted a philosophy of 'security as a cultural value'. The programme includes mandatory security training for developers, a set of in-house security libraries, and code reviews both by Google developers and outside security researchers.

This reminds me of the days back at University: I learned a hell lot about Software Engineering, Data Modeling and stuff like that. Well, I learned about programming as well (up until I was able to look at Niklaus Wirth's Modula-2 compiler – but this is a different story). And then I started my first job in the industry – and all of a sudden I had to learn that there nobody actually cared about a design. Just write the code! Nobody "had time to do a design on paper, this is just a waste of time". Did it work? Not really.

Now, we are coming to security and what do we do: Look at the code. Look for security vulnerabilities in the code. What about the design? What about the threat models? This drives me nuts: Why are we not ready to learn from…

  1. … the past
  2. … the learning others went through?

I know that our Security Development Lifecycle is pretty successful which can be shown by a lot of different metrics – Michael gives a few in his blog. Additionally, we are working with SafeCode to share the experience and learn from others. Why do other companies not join in?

Roger

Comments (0)

Skip to main content