Friday, August 2, 2013

REVIEW: RVAsec 2012 - Software Security: A Waste of Time?

RVAsec 2012 - Software Security: A Waste of Time?

This is a presentation at a security conference covering the value of the Microsoft SDL.  He shows that some measurements are not necessarily valid, but comes out believing that the Microsoft SDL is definitely worthwhile, whatever the net impact on vulnerabilities, as it is a more proactive approach rather than a reactive one.

He recommends running all freely available fuzzing tools against your system since someone will eventually do that and you may as well catch things before they do.  He recommends reviewing the SANS Top 25 App Security vulnerabilities annual list.  A question is asked at the end about applying the SDL to agile, but he basically says “it’s hard” and “work through things” rather than providing much clear guidance.