I am an experienced software development manager, project manager and CTO focused on hard problems in software development and maintenance, software quality and security. For the last 15 years I have been managing teams building electronic trading platforms for stock exchanges and investment banks around the world. My special interest is how small teams can be most effective at building real software: high-quality, secure systems at the extreme limits of reliability, performance, and adaptability.
This is sad. No, it's not sad, it's sick. I'm looking for ideas and
clear thinking about secure software maintenance. But I can't find
anything beyond a couple of articles on Software Security in Legacy Systems
by Craig Miller and Carl Weber at Cigital. I met Craig, he did some
consulting work at a startup that I was running. He's a smart guy for
sure. These papers offer some good advice to enterprises looking for
where to start, how to get a handle on securing legacy systems and COTS
packages. They are worth reading. But this is all I can find anywhere.
And that's not good enough.
Most of us who make a career in
software development will spend most of our careers maintaining and
supporting software. If we're lucky, we will work on software that we
had a hand in designing and writing; if we're not so lucky, software
that we inherited from somebody else. Software that we don't understand
and that we need to get control of.
Software maintenance is a
risk management game. Understanding what's important to the business,
trading off today's priorities with the long term view. Dealing with
work that has to be done right now, what's needed for this customer, how
fast can that change be done, what do we need to do to fix this bug.
How much are we spending, and where can we save. And making sure that
we're not sacrificing tomorrow: keeping the team together, keeping them
focused and motivated, helping them move forward. Keeping technical
debt under control: taking on debt where it makes sense, paying it off
when we can. And making sure that we're always dealing with what's
important: service levels to customers, reliability, security:
protecting customer data.
There's more to secure software
maintenance than running static analysis checks on the code and an
occasional vulnerability scan and application pen test. And most teams
aren't even doing this.
There aren't enough smart people taking on
the problems of how to manage software maintenance properly. And
there definitely aren't enough people thinking about software security
and maintenance. Where to start, how much to spend, why, what's
important, what the next steps should be, where do you get the most
return. This has to change. It's too important to too many people.
There's too much money being spent and wasted on doing a poor job at too
many companies. There's too much at stake.
Published at DZone with permission of Jim Bird, author and DZone MVB.