Cisco’s Ed Paradise on centrality of secure development lifecycle

We believe that the right way to secure systems is to build security in through appropriate security engineering processes at the right time – and not to “patch it on” later – and we are very glad Cisco agrees:

“In 2013, we made internal compliance with the Cisco SDL process a stop-ship-grade requirement for all new Cisco products and development projects. As we make our way through 2014, we are building on this commitment, holding our teams accountable and training stakeholders to understand the importance of Cisco SDL process, adoption, and compliance.” – Ed Paradise, Cisco Systems

Cisco’s SDL is described here, and here is a nice video introduction.

At JUMPSEC we use and recommend the BSIMM Software Security Framework as a starting point for defining organisation-specific SDLs.