Secure SDLC – Secure Software Development Life Cycle

Software Development Life Cycle (SDLC) is an organized process of developing a secure application throughout the life of the project. Secure SDLC (SecSDLC) integrates security into the process, resulting in the security requirements being gathered alongside functional requirements, risk analysis being undertaken during the design phase, and security testing happening in parallel with development.

Stages and techniques of Secure SDLC

Secure SDLC contains following stages and techniques required:

SSDLC stageTechniques
Planning and AnalysisAgile
Secure software development policies
Keep security requirements current
Software/System DesignThreat modeling
Secure design requirements
ImplementationConfidentiality, Integrity, Availability
Shift Left security
Code review
Unit testing
TestingSystem testing: back box, white box, fuzzing
Static analysis, dynamic analysis
Structured Exception Handling (SEH)
Test automation
IntegrationEnterprise security policies
Ensure compliance
Integration testing
Encrypting in rest and in transit
DeploymentDevSecOps
Automated CI/CD
Release management flow
MaintenanceLogging and Monitoring
Vulnerability reports
ITSM and SIEM
Automation
Penetration testing

As you can see, the automation is a critical part of any stage of software development. It utilizes scripts to perform tests, deploy application continuously, scripted installations and baseline configuration templates to secure applications during maintenance. Automation significantly decreases change of human error or misconfiguration. Another key aspect of SSDLC is shifting security left, starts thinking about security as soon as possible. Keeping security requirements current and implementing security development policies will significantly increase a resistance of an application to common vulnerabilities.

Appropriate testing methodology will help to protect a system from zero day vulnerability, find security thread on earlier stages of development. And, of course, it must be closely integrated to reporting or SIEM/ITSM system.

SecSDLC principals and best practice

Below is a list of best practice which may significantly increase a system resilience against common security vulnerabilities:

SDLC principalsBest practice
ConfidentialityEnsures that only authorized users can access the data
IntegrityEnsures that the data is not modified or altered without permission
AvailabilityEnsuring that data is available to authorized users when it is needed
Least PrivilegeUsers and processes should be run using the least amount of access necessary to perform a given function
Defense in DepthLayering of security controls is more effective and secure than relying on a single control
Never Trust User InputAny input that is received from a user should undergo input validation prior to allowing it to be utilized by an application
Minimize Attack SurfaceReduce the amount of code used by a program, eliminate unneeded functionality, and require authentication prior to running additional plugins
Create Secure DefaultsDefault installations should include secure configurations instead of requiring an administrator or user to add in additional security
Authenticity and IntegrityApplications should be deployed using code signing to ensure the program is not changed inadvertently or maliciously prior to delivery to an end user
Fail SecurelyApplications should be coded to properly conduct error handling for exceptions in order to fail securely instead of crashing
Fix Security IssuesIf a vulnerability is identified then it should be quickly and correctly patched to remove the vulnerability
Rely on Trusted SDKsSDKs must come from trusted source to ensure no malicious code is being added

Let’s do some example how to apply the principals to some of commons application vulnerabilities.

VulnerabilitiesDescriptionSDLC principals
Insecure ComponentsCode Reuse, Third-party Library, Software Development Kit (SDK)Rely on Trusted SDKs
Fix Security Issues
Insufficient Logging and MonitoringAny program that does not properly record or log detailed enough information for an analyst to perform their jobLogging and monitoring must support your use case and answer who, what, when, where, and how

Fail Securely
Weak of Default ConfigurationsAny program that uses ineffective credentials or configurations, or one in which the defaults have not be changed for security
 Many applications choose to simply run as root or as a local admin
Permissions may be too permissive on files or directories due to weak configurations
Create Secure Defaults
Least Privilege

This is important to choose an appropriate SDLC models which is better for developing secure software in part because their iterative approach makes it easier for changes to occur at any time should vulnerability remediation be necessary. Implementing security first approach and working on smaller chunks of code also means fewer unintended consequences; bugs have less of an impact and are easier to fix. Furthermore, the continuous release cycles of agile models have shifted security left to prevent testing bottlenecks. It should notice, developers now handle much of the security work by reviewing and testing code far earlier in the SDLC.

Remember, the best result is only available with the best tools.

Be an ethical, save your privacy!

subscribe to newsletter

and receive weekly update from our blog

By submitting your information, you're giving us permission to email you. You may unsubscribe at any time.

Leave a Comment

Discover more from #cybertechtalk

Subscribe now to keep reading and get access to the full archive.

Continue reading