Challenges and Opportunities in Implementing a Security Development Lifecycle
No matter the brand of software development “religion” practiced in an organization, adding security practices to the lifecycle presents unique challenges and opportunities. In the words of John Kotter of Harvard, “…transformation is a process, not an event. And it takes years.” Rob is in the midst of a multi-year initiative to roll out a security development lifecycle in his organization, and will share what he has learned along the way. Beginning with security-focused design reviews to address flaws, continuing on to static analysis to address bugs, then strategies for security testing, the goal is to add security along the entire development lifecycle. Underpinning the process changes is a multi-role security training program, with training tailored to individuals’ job tasks. Finally, he will discuss some of the challenges with the energy utility software market, regulation, and emerging standards.
Rob Caldwell is the Chief Security Architect and Principal Engineer for GE Digital Energy Software Solutions (DE-SWS). In this role, Rob provides technical governance and guidance for software security in DE-SWS. DE-SWS develops software products for the energy market, and has development teams located in the United States, Europe, and India. His areas of expertise include threat modeling, secure coding practices, and security training. Rob coaches and mentors a number of individuals in DE-SWS who aspire to work in software security.
Prior to joining GE in Melbourne, FL, Rob worked for five years as a software developer and database administrator for the United Space Alliance at Kennedy Space Center, FL. He joined GE in 2005, and worked as a database administrator and Transmission Management System security lead before moving to his present role.
Rob graduated from the University of Florida (B.S.) and Berry University (M.S.) and holds a Certified Information Systems Security Professional (CISSP) credential from the International Information Systems Security Certification Consortium ((ISC)2). In addition, he is a member of IEEE and the IEEE Computer Society, and the Association for Computing Machinery (ACM).
The seminar series is presented by the Trustworthy Cyber Infrastructure for the Power Grid (TCIPG) Project, an $18 million multi-university research effort whose partner institutions include the University of Illinois at Urbana-Champaign, Arizona State University, Dartmouth, and Washington State University. The TCIPG Project, a successor to the earlier NSF-funded TCIP Center, was founded in 2009 with support from the U.S. Department of Energy and the U.S. Department of Homeland Security. It is housed in the Information Trust Institute, University of Illinois at Urbana-Champaign.