The Security Development Lifecycle (SDL) is a software development process that helps developers build more secure software and meet security compliance requirements while reducing development cost. The SDL is composed of proven security practices that work in development organizations regardless of their size or platform. It consists of multiple phases, each of which defines core software assurance activities. Computer crime poses a significant threat to every organization, large or small. By adopting the SDL, development organizations will:
• Reduce risk and improve trust by making software inherently more secure and protecting sensitive information. Read the MidAmerican SDL Chronicles for insight into how the SDL improved the software security of MidAmerican Energy by reducing the number of high-level threats from 14,000 to fewer than 100 within 273 days.
• Reduce the total cost of development and generate a positive ROI by finding and eliminating vulnerabilities early in the development process:
o Analyst reports (Forrester Consulting's State of Application Security and Aberdeen Group's Security and the Software Development Lifecycle: Secure at the Source) have shown that adopting prescriptive and holistic secure software development processes like the SDL generates a positive return on investment. More specifically, Aberdeen Group's independent report estimated that organizations implementing structured security development programs realized a 4.0x return on their annual application security investments.
o According to the National Institute of Standards and Technology (NIST), eliminating a vulnerability in the design phase of the software development process can cost 30 times less than fixing it after release.
• Improve the efficiency of compliance activities. By aligning governance, risk, and compliance (GRC) activities with SDL security practices, organizations can make their compliance activities more efficient and further improve the ROI of their application security investments. For more information, read the SDL and HIPAA Security Rule white paper as well as the SDL and PCI DSS/PA-DSS Compliance Activity white paper.