Over the last fifteen years, many large software development organizations have adopted Security Development Lifecycle (SDL) processes as effective approaches to delivering secure software. Motivation for SDL comes from the realization that software vulnerabilities can have real impacts – on information security, on organizations' reputations, on customer satisfaction, and on revenues. But what if you don't have 40,000 developers and instead run a small-to-medium dev shop?
Fortunately, SDL adoption need not be "only for the rich." While large organizations have the resources to create large teams and customized tools, smaller organizations have the advantage that they can focus an SDL on the specific products, tools, and threats that are relevant to the software they produce. They can also benefit from a wide array of free and affordable resources that can help them address many of the challenges posed by creating and sustaining an SDL program. With management commitment to SDL fundamentals and an investment of resources proportional to the size of the development organization and its products, it's possible for small organizations to build an SDL program and deliver software that customers will find secure.
This briefing will describe some resources that can help smaller organizations create an effective SDL program. It will also outline some secure development concerns that may be especially important to those organizations – such as dependence on software they didn't write – and ways that they can address those concerns.