S4x14 Video: Matthew Theobald – Applying SDL To Legacy Code

We hear all the time about the lifecycle of ICS software and hardware being measured in decades rather than years. So even if new code goes through a security development lifecycle (SDL), the ICS community has a large amount of legacy code with latent vulnerabilities just waiting to be found.

Matthew Theobald of Schneider Electric describes how they are applying the SDL to legacy code and, importantly, how they are prioritizing which legacy code goes through the process. This is an important topic, and it’s great that Matthew and Schneider Electric helped begin this discussion.
S4 veterans may remember that we had Steve Lipner, one of the original authors of Microsoft’s SDL methodology, as an S4x08 keynote.

5 comments to S4x14 Video: Matthew Theobald – Applying SDL To Legacy Code

  • David Nix

    Can we get a copy of the slide show?

  • Dale Peterson

    The video is the official record of S4x14. We do not publish the slides.

  • Matt Gibson

    I think that the idea that ICS will always have a “decades-long lifecycle” will unravel. The pressure to adapt more secure and better performing technology will rise quickly. If accompanied by cheaper unit/function costs and business imperatives, the ICS community will adapt a more deliberate lifecycle strategy as the change management capability matures. Without faster lifecycle iterations, we will not be able to roll out “secure by design” even if it universally existed.

  • bryan owen

    @matt well said.

    Innovation and more agile methods will come quicker where there is high value potential. Less friction for software based systems, higher friction for embedded devices unless a new approach can be found.

  • Joe

    I agree with Matt when he says pressure of opting for improved and more efficient technology is going to rise soon and there is still a lot the ICS community has to find and capitalize on. High-value potential badly needs innovation so that more graceful methods can be discovered and employed.