Generally speaking, a secure SDLC is set up by adding security-related activities to an existing development process: for example, writing security requirements alongside the collection of functional requirements, or performing an architecture risk analysis during the design phase of the SDLC.
Many secure SDLC models have been proposed. Here are a few of them:
- MS Security Development Lifecycle (MS SDL): One of the first of its kind, the MS SDL was proposed by Microsoft and maps security activities onto the phases of a classic SDLC.
- NIST 800-64: Provides security considerations within the SDLC. The standards were developed by the National Institute of Standards and Technology to be observed by US federal agencies.
- OWASP CLASP (Comprehensive, Lightweight Application Security Process): Simple to implement and based on the MS SDL. It also maps the security activities to roles in an organization.
How do I get started?
If you are a developer or tester, there are definitely some actions that can be taken in your day-to-day activities to move toward a secure SDLC and improve the security posture of your organization, including:
- Educate yourself and your co-workers on secure coding best practices and the security frameworks available to you.
- Consider security when building and planning test cases.
- Use code scanning tools such as Coverity, Code Sight, and AppScan Source.
However, management must be involved in devising a strategic approach for a more significant impact. If you’re a decision-maker interested in implementing a complete SSDLC from scratch, here’s how to get started:
- Perform a gap analysis to determine what activities/policies currently exist in the organization and their effectiveness.
- Set up a software security initiative (SSI) by establishing realistic and achievable goals with defined metrics for success. Processes for security activities should be formalized during SSI setup.
- Invest in hiring and training of employees as well as appropriate tools.
- Use outside help as needed (contact me!).
Okay, let's go! What's next?
Your organization already has a secure SDLC implemented? Fantastic, well done! There is always room for improvement. One way to determine where you stand is to evaluate your program against how other organizations built their security programs and which activities they perform.
I have 10 years of experience in rigorously testing enterprise code in production environments. Contact me if interested!