SECURE SOFTWARE DEVELOPMENT LIFE CYCLE
MAKING THE SOFTWARE DEVELOPMENT LIFE CYCLE
THE SOFTWARE DEVELOPMENT PROCESS MUST BE MADE SECURE THROUGHOUT THE ENTIRE LIFE CYCLE
Protecting yourself and your customer base requires comprehensive security assessments, such as code reviews, that cover the web application's entire attack surface rather than a single component. The value of a manual, static code review lies in its ability to identify poor coding practices that could introduce high-risk security holes into the application. From a security perspective, the weakest link of any application is people: its end users and its developers. Most developers feel that security is simply not addressed during the SDLC. Several reports have also noted that developers are often not trained in security methodologies at all, while research shows that 80 percent of cyber-attacks are basic and could be avoided by giving developers security training. For this reason, a Secure SDLC adds another step at the beginning of the model:
• Security Training - Core Security as well as Specialized and ongoing training for all project team members throughout the project.
The disconnect between how developers write code and secure coding practices is a significant problem. Training all development staff on security practices, including software engineers, QA testers and product owners, mitigates many of the vulnerabilities that commonly exist in applications. In addition to staff training, security engineers should assist at every stage of the SDLC with security audits, penetration tests, code reviews and similar activities. It is also necessary to determine security requirements up front and to implement them as centralized security controls (for example, one shared authentication, authorization or input-validation layer rather than ad hoc checks scattered through the code). This yields a security architecture that is easy to manage and review, and makes it possible to verify that the controls are complete and applied everywhere they are needed. Finally, several practices and tools should be used to integrate Secure Software Development Life Cycle strategies into the existing SDLC.
These are threat modeling (described above), architectural risk analysis (finding the application's weaknesses and identifying the risks to corporate assets that result from them), and automated static and dynamic analysis tools. Static analysis tools scan the source code without running it, flagging known insecure patterns and enforcing coding standards; dynamic analysis tools exercise the running application to find flaws in how the code actually behaves. Secure code review (static) and application penetration testing (dynamic) are two manual methodologies that should also be used throughout the software development life cycle and integrated into current workflows so that software is built with security in mind from beginning to end.
Code reviews let security personnel inspect the code in depth to find vulnerabilities before they reach production (a review reduces the number of vulnerabilities but cannot guarantee their absence), while penetration testers actively probe the running application, attempting to bypass its security measures and controls the way an attacker would.
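To make the "static" half of the two paragraphs above concrete, here is an added example (not code from the original page or from any particular SAST product) of the kind of rule an automated static analysis tool encodes: it parses Python source into an AST and flags three common insecure patterns that a code reviewer would otherwise have to spot by eye. The rule names, the keyword list used to recognise credential variables, and the two sample programs are all constructed for this illustration.

```python
"""Minimal SAST-style checker: scans Python source for three insecure patterns
without executing it. Illustrative only; real tools carry hundreds of rules."""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    line: int
    detail: str


# Hypothetical heuristics chosen for this example
SECRET_NAMES = ("password", "passwd", "secret", "api_key", "token")
SINK_METHODS = ("execute", "executemany")


def _is_dynamic_string(node):
    """True if the node builds a string at run time: f-string, %-format,
    str.format(), or + concatenation. A plain literal returns False."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


class InsecurePatternVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        func = node.func
        # Rule 1: a SQL sink receiving a dynamically built query (injection risk)
        if (isinstance(func, ast.Attribute) and func.attr in SINK_METHODS
                and node.args and _is_dynamic_string(node.args[0])):
            self.findings.append(Finding(
                "sql-string-building", node.lineno,
                "query built by formatting/concatenation passed to %s()" % func.attr))
        # Rule 2: eval/exec on anything other than a string literal
        if (isinstance(func, ast.Name) and func.id in ("eval", "exec")
                and node.args and not isinstance(node.args[0], ast.Constant)):
            self.findings.append(Finding(
                "dangerous-eval", node.lineno,
                "%s() called on a non-literal argument" % func.id))
        self.generic_visit(node)

    def visit_Assign(self, node):
        # Rule 3: hardcoded credential, i.e. a secret-looking name bound to a string literal
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                        k in target.id.lower() for k in SECRET_NAMES):
                    self.findings.append(Finding(
                        "hardcoded-secret", node.lineno,
                        "string literal assigned to '%s'" % target.id))
        self.generic_visit(node)


def scan_source(source):
    """Return all findings for one source file, ordered by line number."""
    visitor = InsecurePatternVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample programs (not real project code): the vulnerable version
# and the fix a reviewer would ask for.
SAMPLE_VULNERABLE = '''
import sqlite3
DB_PASSWORD = "hunter2"

def find_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + username + "'")
    return cur.fetchone()

def run(expr):
    return eval(expr)
'''

SAMPLE_FIXED = '''
import ast
import os
import sqlite3
DB_PASSWORD = os.environ.get("DB_PASSWORD")

def find_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
    return cur.fetchone()

def run(expr):
    return ast.literal_eval(expr)
'''

if __name__ == "__main__":
    for label, src in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED)):
        print(label)
        for f in scan_source(src):
            print("  line %d [%s] %s" % (f.line, f.rule, f.detail))
```

Run as a script it reports three findings for the vulnerable sample (hardcoded secret, string-built SQL query, eval of user input) and none for the fixed one, which is exactly the signal such a tool gives a CI pipeline. Note what the static pass cannot see: whether `username` is actually attacker-controlled, or whether the parameterised query is reachable at all. That is the gap the dynamic half (penetration testing) fills.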
THE SOFTWARE DEVELOPMENT PROCESS CAN AND SHOULD BE MADE SECURE THROUGHOUT THE ENTIRE LIFE CYCLE
MAKING THE SDLC MORE SECURE
Much of the problem is the disconnect between security engineers and developers, and the lack of security awareness at the organizational level. Many executives are unaware of how insecure their applications are, so developers are given neither the time nor the direction to remediate security vulnerabilities properly. According to a recent study, 47 percent of software developers stated that they are given no mandate to remediate security vulnerabilities; 29 percent of security engineers said the same. Furthermore, although most data breaches are caused by flaws in applications, application security consumes less than 20 percent of most corporate IT security budgets, and many companies are reluctant to invest in changing an application's complex code once its development is complete. For this reason, security must be incorporated into every step of the application development life cycle, from beginning to end. This is in stark contrast to many current workflows, in which few developers and security professionals feel that security is adequately addressed during the design and development phases. Analyzing, identifying and mitigating vulnerabilities throughout the development life cycle, and applying secure coding and security testing at every stage of the SDLC, are a necessity.
EACH OF THE SOFTWARE DEVELOPMENT LIFE CYCLE PHASES CAN BE OPTIMIZED FOR SECURITY
• Planning and Design - setting forth the blueprint of the application, determining the components that will be translated into modules and functional libraries, etc.
• Development - putting the blueprint into practice (development of the source code) via programming languages.
• Verification and Testing - testing the implementation of the source code for bugs, issues, functionality, performance, etc.
• Release and Maintenance - releasing the application, deploying it into production, and then keeping it secure by monitoring it, patching its dependencies and fixing vulnerabilities reported after release.
A SECURE SOFTWARE DEVELOPMENT CYCLE CREATES SAFE SOFTWARE FROM THE GROUND UP
CREATE SAFE SOFTWARE
Together, these practices establish a Secure SDLC that can save your company millions of dollars.