Whether you use Agile, Waterfall, or something in between, building security into your software development life cycle (SDLC) can improve efficiency and reduce cost, provided it's done the right way. This checklist guides you through the development journey to ensure that you integrate security into each of the seven SDLC artifacts.
1. Add security to the storyline when defining stories and requirements.
- Express security requirements as stories with acceptance criteria, so they're schedulable and testable just like any other requirement.
- Avoid purely technical stories when possible. Stories that actually impact the users are more likely to get prioritized and delivered.
2. Fix the common mistakes in code with static analysis (SAST).
- Tune the tool. No tool runs at its best in a default configuration.
- Perform a manual follow-up to triage the results and point the developer at the findings that matter.
- Let insight guide training. Base topics for one-on-one training or broader group efforts on the most common issues teams encounter.
- Run SAST as you type: a lightweight tool that checks code while the developer works catches mistakes before they're committed.
3. Cover a wide variety of input and situations during unit tests.
- Address security concerns with the same care as functional issues. Some security checks fit naturally alongside the functional tests for the same code; others are better written as stand-alone test modules.
4. Combine and test individual software modules as a group during integration testing.
- Have QA teams work with security testers to provide test data and procedures for hard-to-reach business logic.
- Perform fuzz testing to see how unexpected inputs behave as they cross module boundaries.
- Scope DAST to an individual module to discover additional vulnerabilities.
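Sections 3 and 4 in code, as an added example that is not part of the original checklist: a table of security and functional unit tests beside a small fuzz loop, both aimed at a hypothetical `safe_join` helper that sits on the boundary between a web handler and the file-storage module. The function, the base directory `/srv/app/uploads`, the test cases and the fuzz alphabet are all constructed for illustration; POSIX paths are assumed.

```python
import os
import random
import string

# Hypothetical boundary function for the example: the web layer passes a
# user-supplied relative path, the storage module must never leave its base.
BASE = "/srv/app/uploads"


class UnsafePath(ValueError):
    """Raised when a user-supplied path would escape the base directory."""


def safe_join(base: str, user_path: str) -> str:
    """Join a user-supplied relative path onto a trusted base directory.

    Rejects NUL bytes, absolute paths and anything that resolves outside
    base. Returns the normalised absolute path on success.
    """
    if "\x00" in user_path:
        raise UnsafePath("NUL byte in path")
    if os.path.isabs(user_path):
        raise UnsafePath("absolute path not allowed")
    base_abs = os.path.abspath(base)
    candidate = os.path.abspath(os.path.join(base_abs, user_path))
    # commonpath, not startswith: "/srv/app/uploads2" must not pass for "/srv/app/uploads"
    if os.path.commonpath([base_abs, candidate]) != base_abs:
        raise UnsafePath("path escapes base directory")
    return candidate


# Constructed cases. Security cases sit in the same table as functional ones,
# so they are scheduled, run and reported exactly like the rest.
CASES = [
    ("report.pdf", "/srv/app/uploads/report.pdf"),                    # functional: plain file
    ("2024/q1/report.pdf", "/srv/app/uploads/2024/q1/report.pdf"),    # functional: subdirectory
    ("2024/../report.pdf", "/srv/app/uploads/report.pdf"),            # traversal that stays inside
    ("../../etc/passwd", UnsafePath),                                 # classic traversal
    ("/etc/passwd", UnsafePath),                                      # absolute path
    ("..", UnsafePath),                                               # parent only
    ("report.pdf\x00.png", UnsafePath),                               # NUL truncation trick
    ("../uploads2/x", UnsafePath),                                    # sibling-prefix bypass
]


def run_cases():
    """Return the list of (input, expected, got) mismatches; empty means all pass."""
    failures = []
    for user_path, expected in CASES:
        try:
            got = safe_join(BASE, user_path)
        except UnsafePath:
            got = UnsafePath
        if got != expected:
            failures.append((user_path, expected, got))
    return failures


def fuzz(iterations=2000, seed=1234):
    """Throw generated paths across the handler -> storage boundary.

    Invariant: every accepted path lies under BASE, and every rejection is an
    UnsafePath rather than an unexpected exception (a crash is also a finding).
    """
    rng = random.Random(seed)
    pieces = ["..", ".", "", "etc", "passwd", "a", "\x00", "/", "\\", "%2e%2e", "~"]
    alphabet = string.ascii_letters + "./\\\x00%"
    violations = []
    for _ in range(iterations):
        parts = [
            rng.choice(pieces) if rng.random() < 0.7
            else "".join(rng.choice(alphabet) for _ in range(rng.randint(1, 6)))
            for _ in range(rng.randint(1, 6))
        ]
        sample = rng.choice(["/", "", "\\"]).join(parts)
        try:
            result = safe_join(BASE, sample)
        except UnsafePath:
            continue
        except Exception as exc:  # a crash on hostile input is a bug, not a rejection
            violations.append((sample, repr(exc)))
            continue
        if os.path.commonpath([BASE, result]) != BASE:
            violations.append((sample, result))
    return violations


if __name__ == "__main__":
    print("unit-test failures:", run_cases())
    print("fuzz violations:", fuzz())
```

The fuzz loop is deliberately seeded so a failure reproduces; in a real suite you would also log the seed of any unseeded run and keep every crashing input as a new row in `CASES`.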
5. Expose software to normal usage scenarios and unexpected events during UAT.
- Test for unusual conditions to confirm that no security bugs exist that could subvert the product's business logic.
- Tour the software, exercising it in some of the more creative ways an attacker would.
- Implement DAST during UAT to find runtime and environment issues.
- Perform Interactive Application Security Testing (IAST), which instruments the running application, to produce better results than SAST or DAST alone.
6. Integrate development and operations activities to improve productivity and collaboration.
- Fail the build if security tests don't pass, so that security is treated with the same importance as business requirements.
- Integrate security into continuous delivery by expressing the security controls in an automatically deployable format.
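One way to make the "fail the build" rule concrete, as an added example rather than anything from the original page: a gate script that reads scanner findings, applies a policy checked into the repository, and exits non-zero on blocking severities. The findings JSON, its field names, the severity labels and the policy are all invented for the example; real scanners each have their own report format, so `load_findings` is the part you would adapt.

```python
import json
import sys
from datetime import date

# Constructed scanner output for this example. The shape is an assumption;
# map your own tool's report onto it in load_findings().
FINDINGS_JSON = """[
  {"id": "F-1", "rule": "sql-injection",    "severity": "HIGH",   "file": "app/db.py",     "line": 42},
  {"id": "F-2", "rule": "hardcoded-secret", "severity": "MEDIUM", "file": "app/config.py", "line": 7},
  {"id": "F-3", "rule": "weak-hash",        "severity": "LOW",    "file": "app/legacy.py", "line": 120}
]"""

# The policy lives next to the code so that changes go through review like any other change.
POLICY = {
    "fail_on": {"CRITICAL", "HIGH"},   # severities that break the build
    "warn_on": {"MEDIUM"},             # reported in the log but allowed through
    # Accepted-risk entries need an owner, a reason and an expiry. Once the expiry
    # passes the finding blocks again, so exceptions cannot silently become permanent.
    "accepted": {
        "F-1": {"owner": "team-payments", "expires": "2024-06-30",
                "reason": "value arrives from the ORM as an int"},
    },
}


def load_findings(raw):
    """Parse the scanner report; adapt this to the real tool's format."""
    return json.loads(raw)


def evaluate(findings, policy, today):
    """Return a verdict dict; ok=False means the build must fail."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    blocking, warnings, expired = [], [], []
    for f in findings:
        severity = f["severity"].upper()
        exception = policy["accepted"].get(f["id"])
        if exception is not None:
            if date.fromisoformat(exception["expires"]) >= today:
                continue                    # still inside the accepted window
            expired.append(f["id"])         # lapsed: the finding is live again
        if severity in policy["fail_on"]:
            blocking.append(f)
        elif severity in policy["warn_on"]:
            warnings.append(f)
    return {"ok": not blocking, "blocking": blocking, "warnings": warnings, "expired": expired}


def gate(raw=FINDINGS_JSON, policy=POLICY, today=None):
    """CI entry point: prints the findings and returns the process exit code."""
    verdict = evaluate(load_findings(raw), policy, today or date.today())
    for f in verdict["warnings"]:
        print(f"WARN  {f['id']} {f['rule']} {f['file']}:{f['line']}")
    for f in verdict["blocking"]:
        print(f"FAIL  {f['id']} {f['rule']} {f['file']}:{f['line']}")
    for fid in verdict["expired"]:
        print(f"NOTE  accepted-risk entry for {fid} has expired")
    return 0 if verdict["ok"] else 1


if __name__ == "__main__":
    sys.exit(gate())
```

Run from the pipeline after the scanner step; the non-zero exit is what fails the build. The expiring exception is the part teams most often leave out, and it is what keeps "accepted for now" from quietly turning into "ignored forever".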
7. Identify security issues arising from code, production deployment, and environment configuration during post-deployment and live testing.
- Schedule security scanning so that newly disclosed vulnerabilities in the frameworks and libraries you depend on are identified.
- Scan the production infrastructure to confirm that all components have been patched against newly discovered threats.
- Implement a bug bounty program, and triage and investigate the issues researchers report.
- Develop an incident response plan so that teams know what to do when a security incident occurs.
- Implement a threat intelligence program so teams can proactively respond to newly discovered security issues affecting applications and platforms.
- Perform continuous monitoring to gain insight into the types of traffic an application receives and metrics that help identify patterns of malicious use. Based on this data, network controls can rate-limit or block offending IP addresses.
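The last item, continuous monitoring feeding rate-limit or block decisions, as an added example that is not from the original page: detection logic run over a handful of constructed access-log lines in common log format. The IP addresses, paths, thresholds and the two rules (repeated login failures, and 404s across several distinct probe paths) are assumptions chosen for the example; the output is the set of addresses a firewall or WAF would act on, and pushing it to that control is left out.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (documentation-range IPs, invented paths). The last line is
# deliberately unparseable to show that malformed input is skipped, not fatal.
LOG_LINES = """\
203.0.113.7 - - [10/Mar/2024:13:55:01 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2024:13:55:04 +0000] "POST /login HTTP/1.1" 401 87
203.0.113.7 - - [10/Mar/2024:13:55:09 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2024:13:55:10 +0000] "GET /dashboard HTTP/1.1" 200 4096
203.0.113.7 - - [10/Mar/2024:13:55:10 +0000] "GET /favicon.ico HTTP/1.1" 404 153
198.51.100.9 - - [10/Mar/2024:13:55:02 +0000] "POST /login HTTP/1.1" 401 87
198.51.100.9 - - [10/Mar/2024:13:55:03 +0000] "POST /login HTTP/1.1" 401 87
198.51.100.9 - - [10/Mar/2024:13:55:05 +0000] "POST /login HTTP/1.1" 401 87
198.51.100.9 - - [10/Mar/2024:13:55:08 +0000] "POST /login HTTP/1.1" 401 87
198.51.100.9 - - [10/Mar/2024:13:55:12 +0000] "POST /login HTTP/1.1" 401 87
192.0.2.44 - - [10/Mar/2024:13:56:40 +0000] "GET /.env HTTP/1.1" 404 153
192.0.2.44 - - [10/Mar/2024:13:56:40 +0000] "GET /wp-login.php HTTP/1.1" 404 153
192.0.2.44 - - [10/Mar/2024:13:56:41 +0000] "GET /admin HTTP/1.1" 404 153
192.0.2.44 - - [10/Mar/2024:13:56:41 +0000] "GET /.git/config HTTP/1.1" 404 153
this line is not a log entry
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # in production, count these: a parser gap is a blind spot
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["path"],
            "status": int(m["status"]),
        })
    return events


def max_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any interval of length window."""
    timestamps = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(timestamps):
        while t - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def classify(events, window=timedelta(seconds=60), auth_fail_limit=5, probe_limit=4):
    """Map offending IPs to an action. Thresholds are example values, not tuned defaults."""
    auth_fails = defaultdict(list)   # ip -> timestamps of 401 on /login
    probes = defaultdict(dict)       # ip -> {path: first 404 timestamp}
    for e in events:
        if e["path"] == "/login" and e["status"] == 401:
            auth_fails[e["ip"]].append(e["ts"])
        elif e["status"] == 404:
            probes[e["ip"]].setdefault(e["path"], e["ts"])
    actions = {}
    for ip, stamps in auth_fails.items():
        if max_in_window(stamps, window) >= auth_fail_limit:
            actions[ip] = "rate-limit"     # credential stuffing / brute force
    for ip, paths in probes.items():
        if max_in_window(list(paths.values()), window) >= probe_limit:
            actions[ip] = "block"          # scanner behaviour outranks rate limiting
    return actions


def analyze(text=LOG_LINES):
    return classify(parse(text))


if __name__ == "__main__":
    for ip, action in sorted(analyze().items()):
        print(f"{action:<10} {ip}")
```

The legitimate user who mistypes a password once and hits a missing favicon never crosses either threshold, which is the point of counting distinct probe paths and failures per window rather than raw error totals. Whatever produces the `actions` map should also record why each address was flagged, so the block list can be reviewed and aged out like the accepted-risk entries in a build gate.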
When building security into the various artifacts of the SDLC, conduct these activities with purpose. Beyond fielding tactical situations and challenges, ask where each activity fits into the overall program. For more information about adding security measures to each of the seven artifacts, download the essential guide to building security into your SDLC: