Most organizations have a well-oiled machine with the sole purpose to create, release, and maintain functional software. However, the increasing concerns and business risks associated with insecure software have brought increased attention to the need to integrate security into the development process. Implementing a proper secure software development life cycle (SSDLC) is important now more than ever.
What is it and why should I care?
A software development life cycle (SDLC) is a framework that defines the process used by organizations to build an application from its inception to its decommission. Over the years, multiple standard SDLC models have been proposed (waterfall, iterative, agile, etc.) and used in various ways to fit individual circumstances. It is however safe to say that in general, SDLCs include the following phases:
- Planning and requirements
- Architecture and design
- Test planning
- Testing and results
- Release and maintenance
In the past, it was common practice to perform security-related activities only as part of testing. This after-the-fact technique usually resulted in a high number of issues discovered too late (or not discovered at all). It is a far better practice to integrate activities across the SDLC to help discover and reduce vulnerabilities early, effectively building security in.
It is in this spirit that the concept of the secure SDLC arises. A secure SDLC process ensures that security assurance activities such as penetration testing, code review, and architecture analysis are an integral part of the development effort. The primary advantages of pursuing a secure SDLC approach are:
- More secure software as security is a continuous concern
- Awareness of security considerations by stakeholders
- Early detection of flaws in the system
- Cost reduction as a result of early detection and resolution of issues
- Overall reduction of intrinsic business risks for the organization
How does it work?
Generally speaking, a secure SDLC is set up by adding security-related activities to an existing development process. For example, writing security requirements alongside the collection of functional requirements, or performing an architecture risk analysis during the design phase of the SDLC.
Many secure SDLC models have been proposed. Here are a few of them:
- MS Security Development Lifecycle (MS SDL): One of the first of its kind, the MS SDL was proposed by Microsoft in association with the phases of a classic SDLC.
- NIST 800-64: Provides security considerations within the SDLC. Standards were developed by the National Institute of Standards and Technology to be observed by US federal agencies.
- OWASP CLASP (Comprehensive, Lightweight Application Security Process): Simple to implement and based on the MS SDL. It also maps the security activities to roles in an organization.
How do I get started?
If you are a developer or tester, there are definitely some actions that can be taken in your day-to-day activities to improve the security posture of your organization, including:
- Educate yourself and co-workers on the best secure coding practices and available frameworks for security.
- Consider security when building/planning for test cases.
- Use code scanning tools such as SecureAssist, Coverity, and AppScan Source.
However, management must be involved in devising a strategic approach for a more significant impact. As a decision-maker interested in implementing a complete SSDLC from scratch, here’s how to get started:
- Perform a gap analysis to determine what activities/policies currently exist in the organization and their effectiveness.
- Set up a software security initiative (SSI) by establishing realistic and achievable goals with defined metrics for success. Processes for security activities should be formalized during SSI setup.
- Invest in hiring and training of employees as well as appropriate tools.
- Use outside help as needed.
I am way ahead of you. What’s next?
Your organization already has a secure SDLC implemented? Fantastic, well done! There is always room for improvement. One way to determine your standing is by comparing it with how other organizations built their security program and what activities they perform. The BSIMM (Building Security In Maturity Model) can help with just that.