Thursday, 29 March 2012

SDLs Identify Security Debt - The Need for Risk Management and Cost Consideration

We published a free / paid for (your choice) eBooklet on software security debt earlier this month. We've previously posted another extract from the paper on 'The Value in Measuring Security Debt'. What follows is another extract (1 of 20 pages) discussing the correlation between SDLs and security debt discovery, and the general rise in debt through the lifetime of a project.

Secure Development Life Cycles Identify Debt
It’s important to understand the relationship between an SDL and security debt. The precursor to an SDL is security mindfulness. Security mindfulness is where a formal SDL may not be deployed throughout the organisation, but assurance processes or security related activities do occur at the different phases of development or testing. These activities will then likely mature into a full SDL.

When adopting an SDL, the benefit of identifying vulnerabilities earlier in the lifecycle will be seen for new development. However, when SDL or security mindfulness activities are applied to both new and old development, there will be prolonged periods of implementation debt discovery.

As these activities increase, the likelihood is that the volume of issues found in software will quickly start to outpace the resources available to resolve them on a per release or per product basis. The reasons for the acceleration in the discovery of security issues can be numerous; however, likely drivers include:

  • Increased manual code coverage.
  • Increased use of static code analysis.
  • Increased use of automated security testing (fuzzing).
  • Development and testing team knowledge and awareness of security issues enabling identification.
  • Root cause analysis and variation identification based on publicly disclosed flaws.

As a result of this increase in the volume of issues and the associated resource constraints, organisations tend to focus only on the most severe issues. Over time, a mountain of security debt starts to grow, fuelled by the volume of lower impact issues. However, while individual issues may be risk rated at a certain severity level, the same is not true for combinations of issues. That is to say, a number of distinct lower impact issues, when combined or chained together, can carry equal impact to a single higher rated issue. While the complexity related to discovery and exploitation is greater, the ultimate impact can be the same. SDLs today do not adequately deal with this scenario of aggregating lower severity issues to understand impact.

The Rise of Security Debt
Whilst it’s tempting to think that the risk of security debt is not significantly different from that of technical debt (we cover technical debt in the paper), there are important differences to consider. These differences stem from the fact that, compared to technical debt, the impact on both vendor and users if this debt is discovered and exercised is typically greater.

As the challenges of software security have become more widely understood, methodologies to identify and address these challenges have been developed (similar methodologies have also been developed to address software quality). The processes and procedures to improve software security typically manifest themselves as an SDL in one guise or another. While an SDL is a useful set of methodologies and processes for identifying, resolving or mitigating security exposures within software development, it is not without small print.

The reality is that SDLs are variable in their application, coverage and cost, coupled with the challenge of actually addressing the issues once identified. At every stage of an SDL, when an issue is discovered there is a risk, cost, time and benefit analysis for that version of the software product. The generally accepted wisdom that identifying, mitigating or resolving a security weakness earlier in the life cycle is cheaper is, in Recx’s opinion, valid. However, attempting to do so is not without associated cost. This fact is sometimes lost in the SDL rhetoric and needs to be kept in mind.

So that's it for this extract; if you're interested in reading more, such as about the types of debt events, we encourage you to read the paper.
