Another record-breaking security patch release by Microsoft this week. The patch, covering 34 vulnerabilities in a variety of Microsoft products, is the largest of its kind (so far), breaking the previous record set just a couple of months ago (June).
This gives us an excellent perspective on the inherent limitations of SDLC as the first and last line of defense when it comes to information security. Microsoft has been investing more than any other software company in SDLC and secure coding within its products in recent years. It went to great lengths to improve coding practices as well as to incorporate different types of security tests during the software development process. Yet in the past year the number of vulnerabilities has been on the rise.
IMHO Microsoft has simply reached the inherent limits of (real-world) software debugging processes. The law of large numbers, applied to lines of code, gives us a non-zero prediction of the number of software flaws per 1000 LOC (or 10K LOC or whatever unit you choose). There is in fact a mathematical theorem showing that guaranteeing the correctness of a general computer program is an undecidable problem (no general procedure can settle it in finite time). In fact there is a point in time at which any increase in QA resources (and time) has a negligible effect on software quality. Nowadays, even the simplest of applications is comprised (either directly or indirectly) of a very large number of LOC (check out the image size of a "Hello World" application). We can rest assured that any software out there has either known or unknown flaws in it. Using the law of large numbers again, one can safely assume that some of these flaws affect information security. This happens regardless of the effort and resources put into the software production process.
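The two claims in that paragraph, that a non-zero per-line flaw rate makes flaws practically certain at scale and that QA effort runs into diminishing returns, can be made precise with a short derivation. This is an added illustration, not part of the original post; the symbols $p$, $N$, $q$, $D_0$, $f$ and the "each pass removes a fixed fraction" model of QA are assumptions chosen for the illustration, not figures the post supplies.

Let $p > 0$ be the probability that any given line contains a flaw, assumed independent across lines, and let $N$ be the number of lines. Then

$$P(\text{no flaw}) = (1-p)^N = e^{N \ln(1-p)} \le e^{-pN} \xrightarrow{N \to \infty} 0,$$

and the expected number of flaws is $\mathbb{E}[D] = pN$, which grows linearly with the code base. If a fraction $q > 0$ of flaws are security-relevant, the expected number of security flaws is $qpN$, still non-zero for any $p, q > 0$; this is the "some of these flaws affect information security" step.

For the QA claim, suppose the code base starts with $D_0$ flaws and each QA pass finds a fraction $f$ (with $0 < f < 1$) of those still present. After $k$ passes

$$D_k = D_0 (1-f)^k, \qquad D_k - D_{k+1} = D_0\, f\, (1-f)^k .$$

The number of flaws removed by each additional pass shrinks geometrically in $k$ while the cost of a pass stays roughly constant, so the marginal return per unit of QA effort tends to zero, yet $D_k$ never reaches zero for any finite $k$. That is the point at which extra QA has a "negligible effect" and residual flaws must be handled by something other than the development process.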
So should we give up on SDLC altogether? Definitely not. Prudent use of SDLC can dramatically improve the quality of software, and the security of the information it processes, to the point where flaws do not interfere with common usage of the software and vulnerabilities are not abundant. However, we should also understand that:
a. we cannot rely on SDLC as the sole line of defense for security purposes, and
b. there may be solutions that are more cost- and time-effective in terms of mitigating security-related flaws in applications.
In particular, I believe that investing resources in a web application firewall is much more effective than putting those resources into SDLC, for two main reasons: a. we are talking about substantially less money, both to begin with and over the years, and b. as discussed earlier, eventually you will need a web application firewall to mitigate those vulnerabilities that were not detected during the software production process.