The need for a higher level of attention to security in applications is something that we must unfortunately deal with. Finding a set of developers with an intrinsic knowledge of security is much like looking for a taxi cab when it’s raining. You know they exist but you don’t know where to find them. That’s why you need a framework for creating the right kinds of security awareness, knowledge, and discipline.
If you wanted to find an example of an organization that clearly exemplified the problem a few years ago and that has since made great advancements in the area of security, the best example may be Microsoft. Once the favorite target for hackers and the media, Microsoft is making progress towards having the most secure products available.
The Security Development Lifecycle is a look at how Microsoft has made this transformation with specific guidance on what to do, how to do it, and what the impacts are. Asides within the text highlight items that worked well for Microsoft but may not work well for your organization – and techniques that were expected to be greatly helpful but were not.
The book is amazingly insightful in terms of its view of the problem. There’s no bravado about having all the answers, nor is there any sense that these are the only answers. It’s a good discussion about what has worked in practice. The authors clearly believe that new types of security vulnerabilities raise their heads as security researchers make new attempts to break the software that we produce.
While the details of individual lines of code are not thoroughly covered, the core concepts are explained well and with enough detail that you can develop your own coding practices which are in line with the overall security strategy.
This is a must-read for architects and development team leaders who are concerned with the security of their code. It’s a great read for those developers who have an interest in leading a development team at some point.