The activities we’ve discussed in this chapter are a good foundation for building your own secure development methodology. However, when you’re ready to move to the next level, it would be worth your while to take a closer look at some of the industry standard secure development programs. These programs include (but are not limited to) Microsoft’s Security Development Lifecycle (SDL), OWASP’s Comprehensive Lightweight Application Security Process (CLASP), the Software Assurance Maturity Model (SAMM), and the Building Security In Maturity Model (BSIMM).
The year 2001 was difficult for Microsoft security. In July of that year, the Code Red worm hit the Internet, attacking and defacing millions of web sites through a vulnerability in the Microsoft Internet Information Server (IIS) web server. This attack was followed only two weeks later by the Code Red II worm, and then the Nimda worm after that. At this point, John Pescatore, Vice President and Research Fellow for the Gartner technology analyst firm, recommended that companies migrate off the IIS web server and onto its competitor Apache immediately. Pescatore compared running IIS to owning a finicky car, saying “If you got hit by Nimda, you’ve proven you can’t keep up with the security problems of IIS. It’s like a car: don’t buy a Fiat u....