Most organizations have a well-oiled machine with the sole purpose to create, release, and maintain functional software. However, the increasing concerns and business risks associated with insecure software have brought increased attention to the need to integrate security into the development process. Implementing a proper secure software development life cycle (SSDLC) is important now more than ever.
A software development life cycle (SDLC) is a framework that defines the process used by organizations to build an application from its inception to its decommission. Over the years, multiple standard SDLC models have been proposed (waterfall, iterative, agile, etc.) and used in various ways to fit individual circumstances. It is however safe to say that in general, SDLCs include the following phases:
In the past, it was common practice to perform security-related activities only as part of testing. This after-the-fact technique usually resulted in a high number of issues discovered too late (or not discovered at all). It is a far better practice to integrate activities across the SDLC to help discover and reduce vulnerabilities early, effectively building security in.
It is in this spirit that the concept of the secure SDLC arises. A secure SDLC process ensures that security assurance activities such as penetration testing, code review, and architecture analysis are an integral part of the development effort. The primary advantages of pursuing a secure SDLC approach are:
Generally speaking, a secure SDLC is set up by adding security-related activities to an existing development process. For example, writing security requirements alongside the collection of functional requirements, or performing an architecture risk analysis during the design phase of the SDLC.
Many secure SDLC models have been proposed. Here are a few of them:
If you are a developer or tester, there are definitely some actions that can be taken in your day-to-day activities to improve the security posture of your organization, including:
However, management must be involved in devising a strategic approach for a more significant impact. As a decision-maker interested in implementing a complete SSDLC from scratch, here’s how to get started:
Your organization already has a secure SDLC implemented? Fantastic, well done! There is always room for improvement. One way to determine your standing is by comparing it with how other organizations built their security program and what activities they perform. The BSIMM (Building Security In Maturity Model) can help with just that.