As software becomes more complex, security only becomes more difficult: more lines of code bring greater potential for bugs. At least, that's one side of the debate. "In general, I wholly believe in this axiom, but it doesn't always have to be true. In fact, there is empirical evidence that better coding practices can more than offset the complexity argument," Roger Grimes explains in this week's installment of Security Adviser. That's where the Security Development Lifecycle, SDL for short, comes into play. SDL is a practice that has worked well at Microsoft, continues Grimes, who is a full-time Microsoft employee, and he offers statistics not to inflame anti-Microsoft zealots but to make two points. First, increasing complexity doesn't have to mean more vulnerabilities, and second, it's time for developers not using SDL to adopt it. "If you want to improve your company's security programming, teach SDL and build it into the company culture. It might take a little while to get the ship turned around, but once you do, the results are tangible, and they'll benefit everyone."

Security