Introduction to Secure Software Development Life Cycle | What is (SSDLC)

INTRODUCTION TO SOFTWARE DEVELOPMENT LIFE CYCLE MODELS

Developing software in today's IT corporate landscape is a complex process that can be broken down into several phases.

These phases can be defined by different methodologies & models utilized by software engineers.

The steps of the development process can be defined as the Software Development Life Cycle (SDLC).

This lifecycle of application development is usually comprised of four to six phases, namely:

  • Planning & requirements
  • Architecture and design
  • Test planning
  • Coding
  • Testing & results
  • Release & maintenance

In addition to this, there are several traditional software development models that engineers utilize for developing software, such as the Waterfall, Agile, Scrum, and DevOps. Each of the aforementioned development models has its pros and cons.

The Waterfall model can be described as a linear, step-by-step, sequential development strategy with a top-down approach and specific goals for each phase, allowing for easier management and departmentalization.

In contrast, Agile is a more collaborative model that has teams build modules in increments after a basic initial design is determined, which is followed by evaluations and more module development.

Scrum is a part of the Agile development model, and describes a particular approach in utilizing the Agile development model.

DevOps seeks to create collaboration among IT silos so that QA teams, software developers and operations admins/engineers work together throughout the SDLC. It is important to note that traditional SDLC models do not include security testing or secure coding into their methodologies or phases.

Because of this, security is often an afterthought among businesses, and even worse, a majority of executives believe that the application security level of their corporation is satisfactory, while only a fraction of developers believe the same.

In addition to this, only 11 percent of developers believe that their organization has a fully-deployed security training program for their personnel. This results in security flaws in many software applications - flaws that are only identified near the end of the software development lifecycle (usually the testing or release phase), if at all, and consequentially are very difficult and expensive to remediate.

As many IT firms do not have a large budget for security, IT security is thus not a top priority, and even worse, many corporations take the approach of simply reacting to security vulnerabilities (as opposed to proactively testing for them) after the application has been developed and flaws have been found - either by personnel, researchers, end-users, or by hackers. For the former (personnel) - since testing usually occurs near the end of the SDLC - costs and timelines often do not allow businesses to go back and remediate the developed software.

Often security flaws that are found late in the SDLC are allowed to stay, since quickly-developed, functional applications are often top priority for the sake of revenue and sales. The alternative is a security "quick fix," which often results in the accumulation of technical debt being added at the end of the development process to partly mitigate security flaws. The result is an insecure product being deployed and sent to end-users.


A perfect analogy can be seen with the car manufacturing industry. At the assembly line, quality assurance checks, performance checks, and safety checks are conducted at every checkpoint in the process.

DevOps seeks to create collaboration among IT silos so that QA teams, software developers and operations admins/engineers work together throughout the SDLC. It is important to note that traditional SDLC models do not include security testing or secure coding into their methodologies or phases.

Deploying software without consistently checking for security flaws at every phase in the SDLC is like sending a new car out to a car dealer for sale without having run any safety checks on it.

THE SECURE SOFTWARE DEVELOPMENT LIFE CYCLE IS AN IMPROVEMENT ON THE TRADITIONAL LIFE CYCLE MODEL

The Secure Software Development Life Cycle (Secure SDLC or SSDLC) is a vast improvement over a traditional lifecycle in that it incorporates security at every stage. The methodology also includes the use of secure coding techniques. Security is not just a periphery goal, but is a core goal that is implemented into the core blueprint and architecture of the software at every step.

This type of SDLC is significant, as it allows for the inclusion of small - but important - security features in the software, as determined on a continuous basis by collaborations between developers, operations admins, and security engineers. Contrasting this approach, traditional SDLCs often wait until the last minute to find security flaws, necessitating a costly overhaul at the end of the project that often never happens.

Password authentication and high risk areas of an application exemplify SSDLC approaches versus traditional approaches. While a traditional approach may wait until the end of the DLC to find that a flaw in the application that can allow for a breach, using threat modeling would discover the flaw early in the DLC to allow engineers to harden the application in certain areas.

Another example is determining password complexity requirements during the requirements gathering phase, as opposed to never considering such security-based necessities until after the application is developed.

TREATING SECURITY AS AN AFTERTHOUGHT IS LESS EFFICIENT AND MORE RISKY

Leaving security testing until the end of the development lifecycle results in a very inefficient application security system since it is often costly and time-consuming to fix security issues after the application has been developed.

Doing this creates a window of opportunity for cyber-criminals to breach an application's defenses by finding vulnerabilities that can allow them to compromise an organization as leaving security testing out of the SDLC often results in security flaws being found but not completely fixed, or it may result in hidden security flaws that exist, not being found at all.

One of the primary issues is that defenders have limited time and resources in their pursuit of discovering vulnerabilities, and so must harden applications as much as possible during development. On the other hand, cyber-criminals often have unlimited time and tools to scan, probe, and penetrate an application in order to exploit it, needing only one security hole to succeed. With the above scenario, attackers would win more times than not, which leaves businesses with the high risk of being subject to data breaches.

Thus, it is necessary for businesses to continually test and securely code their applications using a Secure SDLC. It is also important to note that  attempting to fix security flaws after the software has been developed and deployed may cost 30-100 times more than if it were discovered and fixed during the development stage. Thus, it truly pays off to incorporate security into your corporate SDLC.

SECURE CODING PRACTICES WILL ALWAYS BE SAFER THAN PATCHING OR UPDATING SECURITY UPON RELEASE

"Prevention is better than a cure" applies to software secure coding practices, in that it is better to code security features into an application as opposed to discovering flaws later and having to patch the code in order to enhance security.

Doing the latter presents several problems, such as the whoever finds the security flaw - this may be the end user or a research group, but it may also be a hacker. In this common scenario, by the time the patch is released, a significant amount of damage could already have been done.

An important concept to reiterate is that when utilizing a robust and comprehensive SSDLC model significant high-risk vulnerabilities and potential issues can be easily identified throughout the development lifecycle, such as during the design & planning stages or during the requirements or development stages. This is due to incorporating threat modeling and secure coding techniques.

Secure coding IDE plugins can assist developers by scanning code in order to ensure that no vulnerabilities exist. Integrating such tools and automated scanning programs into developer workstations and into nightly builds can aid with the elimination of critical vulnerabilities long before they reach a production server.

The significant point is that every point in the SSDLC has security at its core, and thus every point in the development process creates a possibility - and opportunity - to find a critical flaw that a traditional SDLC may not discover until it is too late.

WE PLACE THE FOCUS OF SECURITY IN ALL SOFTWARE DEVELOPMENT STAGES

At Cypress, our goal is to help your organization integrate security into all phases of software development.

We begin the Secure Development Lifecycle process by educating developers and executives, while also raising security awareness within organizations.

We are experienced with performing threat modeling, writing security abuse cases, and conducting security tests during the requirements and planning phases. We also utilize automated security scanners during the development and verification phases. We also build and utilize post-production security monitoring systems after release.

In completing the feedback loop between development and operations, our work allows critical security information to become visible to everyone on the project team.