We hear all the time about the lifecycle of ICS software and hardware being measured in decades rather than years. So even if new code goes through a security development lifecycle (SDL), the ICS community has a large amount of legacy code with latent vulnerabilities just waiting to be found.
Matthew Theobald of Schneider Electric describes how they are applying the SDL to legacy code and importantly how they are prioritizing the legacy code that goes through this legacy code. This is an important topic, and it’s great that Matthew and Schneider Electric helped begin this discussion.
S4 veterans may remember that we had Steve Lipner, one of the original authors of Microsoft’s SDL methodology, as an S4x08 keynote.