セキュアSDLC 101

Learn about the phases of the SDLC, how to build security into the SDLC, and how to take an existing SDLC to the next level of secure SDLC.

Digital transformation has spread across all industry sectors and now every company is in the software business. Whether you’re selling directly to customers or running your business, you need to ensure profitability by increasing software reliability while delivering the speed and agility you need to stay competitive in the marketplace.

However, many organizations lag behind when it comes to building security into their software development lifecycle (SDLC). Many development teams still tend to see security as a bottleneck, a problem that forces them to rework code they thought they were done, a perception that prevents them from bringing useful new features to market.

But poorly secured software exposes businesses to greater and greater risk. Even the latest useful features won’t protect you or your customers if your product is open to abuse by hackers. Security must be built in by developing secure software processes that enable rather than prevent high-quality, high-security products from entering the market.

SDLC security for safe business operations

Constant reports of data breaches and supply chain attacks show that compromised software can have a devastating impact on your business. As software risk becomes more directly linked to business risk, risks must be prioritized and managed proactively. To manage risk and remove friction from an organization’s digital transformation (DX) efforts, an application security program must “shift everywhere.” This requires moving security into a series of processes and tools, and building it into all stages of the application development process, rather than addressing it late in the development process. Your security program is most effective with tools and solutions that work seamlessly into your development toolchain and workflow.

The SDLC is an established framework that defines the process an organization uses to develop applications, from inception to retirement. Over the years , many SDLC models have emerged , from waterfall and iterative to more recent agile and CI/CD , with each new model tending to increase the speed and frequency of deployments.

An SDLC typically has the following phases:

• Planning and requirements definition
• architecture and design
• Test Plan
• coding
• test and results
• release and maintenance

Early SDLC systems performed security-related activities only during the testing phase, which limited time and often exposed insecure code. This led to the introduction of a “shift left” process to align security activities with development. It evolved into the concept of “Shift Everywhere” that is incorporated into all stages.

If bugs are discovered in the post-SDLC process, the cost of fixing them is high. When bugs are discovered late in the development lifecycle, developers have to stop what they’re doing and review code they may have written weeks ago. Furthermore, if a bug is brought into production and then found, the code will be reverted to the beginning of the SDLC . At this point the domino effect begins, where one bug fix cascades into another code change. So, if a bug fix is ​​deferred until later in the SDLC, it not only increases the cost of fixing it, but it also delays other code changes, which can increase the cost even further.

Integrating security testing into all stages of the SDLC to detect and mitigate vulnerabilities early and embedding security from the coding stage yields far greater benefits, saving time and money. Security assurance activities include architectural analysis during the design phase, code reviews during the coding and build phases , and penetration testing prior to release .

The secure SDLC approach has the following main advantages:

• Enhanced software security.
• Increased stakeholder awareness of security considerations.
• Early detection of design flaws before coding.
• Reduce costs through early detection and resolution of defects.
• Reduced overall business risk inherent in the organization.

How secure SDLC works

In general, a secure SDLC should integrate security testing and other activities into your existing development process. Examples include creating security requirements in parallel with functional requirements, and performing architectural risk analysis during the design phase of the SDLC.

There are many secure SDLC models in use, but one of the best known is the Microsoft Security Development Lifecycle (MS SDL) . This model presents 12 practices that organizations can adopt to improve their software security. There is also the Secure Software Development Framework published by the National Institute of Standards and Technology (NIST). This framework focuses on security-related processes that organizations can integrate into their existing SDLC.

how to get started

As a developer or tester, you can move to a secure SDLC and improve your organization’s security by:

• Learn and teach your colleagues about secure coding best practices and available security frameworks.
• Conduct an architecture risk analysis at the start .
• Consider security when planning/creating test cases.
• Use code scanning tools for static analysis , dynamic analysis , and interactive application security testing .

To move beyond the basics

Beyond these fundamentals, managers must devise strategic approaches to achieve greater impact. For decision makers interested in implementing a complete secure SDLC from scratch, start with:

• Conduct a gap analysis to identify the activities and policies that currently exist in the organization and their effectiveness.
• Develop a Software Security Program (SSP) or Software Security Initiative (SSI) by defining realistic and achievable goals and success metrics .
• Formalize the process of security activities within the SSI.
• Invest in developer secure coding training and the right tools.
• Use outside assistance as needed.

what to do

Is your organization already following a secure SDLC? There is always room for improvement. Evaluate your security program in comparison to other organizations. The Building Security In Maturity Model (BSIMM) is here to help. Over the last decade, the BSIMM has tracked security activity at over 100 organizations. Since each organization and SDLC is different, the BSIMM does not prescribe what to do. But that observational model tells you what other companies are doing in your own industry: what worked and what didn’t.

This post was published on January 21, 2016 and was updated on November 21, 2022.