COMMENTARY | CYBEREYE
Has secure software development reached its limits?
At least one security vendor says SDLC has reached a point of dimishing returns
- By William Jackson
- Nov 04, 2009
The goal of any quality assurance program is to produce products without flaws. The goal of software development life cycle (SDLC) programs is to eliminate flaws in software, particularly those that result in security vulnerabilities.
Like most goals, that is an ideal that probably is unachievable. Because humans are involved in the process, “it is impossible to create flawless software,” said Amichai Shulman, chief technology officer of Imperva. “Some of those flaws will create vulnerabilities.”
What kinds of results can we reasonably expect from SDLC? It can reduce vulnerabilities significantly, Shulman said, but there is a limit to the amount of potential improvement. Some large vendors, such as Microsoft and Oracle, which have invested heavily in the process and have mature life cycle processes in place, might be reaching that limit.
“They have reached a plateau now,” he said. “They have reached the point of diminishing returns.”
That means that future investment in SDLC programs will produce only insignificant improvements in quality. In other words, we’re stuck with buggy software.
A disclaimer: Imperva makes database and Web application firewalls that can help protect against vulnerabilities until bugs have been patched, so the company has an interest here.
But the reality of buggy software should not come as a surprise. Microsoft recently had its largest monthly patch release ever, and Oracle recently released patches for three database vulnerabilities that each scored 10 on a 10-point scale for severity. Still, the concept of a point of diminishing returns in software development is disturbing. Software is not perfect, but it has been improving. And it has been comforting to think that it would get even better.
SDLC, which can also stand for Systems Development Life Cycle, is a formal approach to development intended to ensure that software and systems work as intended, do it well, and do not do anything unexpected. It is generally considered a best practice, and the National Institute of Standards and Technology, in the most recent release of Special Publication 800-64, titled “Security Considerations in the System Development Life Cycle,” said “early integration of security in the SDLC enables agencies to maximize return on investment in their security programs through:
- Early identification and mitigation of security vulnerabilities and misconfigurations, resulting in lower cost of security control implementation and vulnerability mitigation.
- Awareness of potential engineering challenges caused by mandatory security controls.
- Identification of shared security services and reuse of security strategies and tools to reduce development cost and schedule while improving security posture through proven methods and techniques.
- Facilitation of informed executive decision-making through comprehensive risk management in a timely manner."
Shulman does not dispute the value of SDLC. “It is worthwhile and valuable as long as you understand its limitations,” he said. And it is important to remember that most developers are not mature in this area and probably have a lot of benefit yet to realize from implementing SDLC before they hit the wall — or at least the point of diminishing returns.
But if Shulman is correct, robust Patch Tuesdays are likely to be a fact of life for a long while.
William Jackson is freelance writer and the author of the CyberEye blog.