Security after the SDLC

The Software Development Life Cycle (SDLC) is a well-established and well-thought-out concept.  There are books and experts and cool slides galore that talk about it and about how security should fit into it.  The problem that I see is that the process, as most people think about it, isn't cyclical enough.

Most of the treatment of the subject shows the process ending on acceptance of the product.  This means that it is in general use, the major bugs that will be fixed have been fixed, and the users are active with the application.  This status remains until the application is either revised or retired.  You can't live that way anymore.  If you have an application that is waiting for a revision in the future or making its way to retirement, I would be willing to bet that it has already outlived any security analysis done during its construction.  How many new threats exist today that weren't around when existing applications were being developed?  How many measures were regarded as fully adequate just a year ago that we now see still leave us in the lurch against a determined attack?

If you have an application in production that hasn't been reviewed for security in some time, you may want to at least take a mental inventory.  The C-levels in your company won't understand that your application was secure when you released it.  They will only see that it was not secure when it was attacked.