I have long been a fan of Philippe Kruchten's work. 4+1 showed a new way to look at software architecture, and I still consider it the defining work in the profession due to its simplicity and clarity. Philippe's Tao of the Software Architect is a little known gem; one of my favorite parts:
When the process is lost, there is good practice.
When good practice is lost, there are rules.
When rules are lost, there is ritual.
Ritual is the beginning of chaos.
You can see this play out in infosec over and over again.
We try for Security in the SDLC
When that fails, we try for better coding, deployment practices, checklists and tooling
When that fails we update policies
When that fails - chaos.
Of course, it does not always fail, and I think turning this list on its head and working from the bottom up is the way to go for most companies. So many companies start with "we need a Secure SDLC!" No question about it, you definitely do buddy; but first you need to have policies, tooling, coding practices, training, and checklists all in place before that can happen. If you try to go straight for the Secure SDLC you will likely cascade to fail.
There is a lot of ritualistic behavior in infosec - determining priorities based on an auditor spreadsheet or on what you did last year - but rituals are no substitute for thinking and pragmatic action. I recommend that you eschew top down. Good SDLCs are built from the bottom up - with training, supported by tools, and with simple to follow checklists and guidelines that make doing the right thing easier.
Hi,
I worked with Philippe when he first came to the US in the early 80's to work at NYU's Courant Institute on the Ada/Ed compiler.
He was a valued colleague then, and I know he later enjoyed great success in his specialty, software engineering. He was at Rational when IBM bought it, but as I recall he soon retired.
thanks, dave shields
Posted by: Daveshields | July 11, 2012 at 01:05 PM
I found this post just after a lunch where the topic of conversation was this exact problem. If only it was BEFORE lunch!
Vote +1000 for Gunnar (and Philippe)!
Posted by: Andrew Van der Stock | July 15, 2012 at 10:36 PM