Professional Documents
Culture Documents
WHITE PAPER
800-721-9177
805-684-6858
TABLE OF CONTENTS
1 Executive Summary
8 Conclusion
To better understand the secure SDLC, we’ll provide a quick description of each of the
above tasks.
The fundamental requirement for any secure SDLC is education and management
commitment as these apply to all phases of the model.
Education
Security education applies to all development project stakeholders. For example, product
marketing needs to learn about the importance of security and the nature of security risk.
This will facilitate defining security requirements in the early phases of development
and also helps them understand the need to incorporate security testing into the project
timeline. Developers, for example, need technical education and training on secure
coding, while the Quality Assurance (QA) team needs to learn how to apply security
testing techniques. Then, farther down the line, the operational IT team would need to
be educated about securing the network and operating system environment.
Management Commitment
Security starts at the top. If executive management is not committed to cultivating a
culture of secure application development, then it is hard to imagine that the additional
investment of a secure SDLC would be considered a priority throughout the organization.
Integrating security into a development project moves the time allocation and some budget
items for security tasks earlier in the process. While this approach is widely accepted
as significantly reducing the security risk of a data breach that could impact business
Secure Software
Development Life
Cycle
REQUIREMENTS PHASE
Communication
Communication in the context of secure SDLC means ensuring that all development
project stakeholders are aware that security is strategic to the business. It is the statement
that adherence to fundamental security best practices, organizational security policies
and application level security requirements is central to the development effort. Early
articulation of the importance of these security principles is a starting point for ensuring
that the project does not lose sight of security.
Security Requirements
In a pre-security oriented development process, the requirements phase captures the
features that need to be included in the application. This is an opportunity to define
what functionality the application will include. In secure SDLC, the requirements phase
is expanded to include any specific security considerations that need to be factored into
the development. This is the opportunity to specify any compliance- or data security-
driven security requirements, as well as any industry-specific best practices that are
relevant to web applications in general, or specific to an industry.
DESIGN PHASE
Secure Architecture
In secure SDLC, secure architecture refers to the design considerations that, when
incorporated as a fundamental building block of a system, minimize the inherent security
risk of an application. These include defense-in-depth, in which there are layers of
security controls implemented such that if one fails there is another layer as a backup.
Other examples are: least-privilege – users are only enabled with the minimum level of
functionality needed for their use; secure by default – the default settings of the system
are secure; minimize attack surface area – expose the minimum number of critical
functions that might be vulnerable to attack; fail secure – if the application should fail, it
does so in a way that does not expose the application to compromise; avoid security-
by-obscurity – there is nothing wrong with minimizing the public knowledge of your
systems, but this is not an appropriate security measure.
Design Review/Assessment
These refer to a similar process, where design review is completed internally and design
assessment is completed by an objective third-party. In either case the goal is the same,
Ship Criteria
Defining specific criteria that must be met before a project is deployed ensures that the
basic security objectives will not be forgotten as the web application project schedule
nears the end. For example, an application may only be allowed to be released if it is free
from vulnerabilities identified during the final Web Application Security Assessment.
Threat Modeling
Threat modeling refers to a methodology used to identify risk in an application.
Understanding risk, including the vectors of attack, the probability of attack and the
potential impact is a cornerstone of secure application development. The ability to
prioritize risk enables the developers to focus their efforts on controls that matter most.
Microsoft has developed two methodologies to implement threat modeling. The first is
STRIDE which is a method for characterizing known threats. This acronym stands for:
S poofing Identity
Tampering With Data
R epudiation
I nformation Disclosure
D enial Of Service
E levation Of Privilege
Microsoft has developed a second methodology known by the acronym DREAD which
is used to create a risk rating that can be used to prioritize risk:
D amage Potential
R eproducibility
E xploitability
A ffected Users
D iscoverability
There are other frameworks for threat modeling; further review of these should provide
some guidelines on implementing this process for your next application.
DEVELOPMENT PHASE
Static Analysis
Static analysis refers to automated code analysis tools that detect security vulnerabilities.
This is essentially a source code review that is automated and can be provided to
developers so they can periodically scan their code as they are developing features and
helps provide near real-time feedback on coding errors.
DEPLOYMENT PHASE
Environment Hardening
This task includes all the steps needed to create a secure environment in which an
application is hosted. For example, robust source code does not reduce the overall
security risk much if one of the servers that it runs on is configured with a default password
that can be guessed by an attacker. Components of environmental hardening include
securing any servers that host the application and databases used in the production
environment, building a secure network environment surrounding the system and ensuring
that all the necessary physical controls are in place.
Security Requirements
This refers to the same requirements discussed in the first phase of development. During
this phase there must be an ongoing process to capture new security requirements as
they emerge. Whether customer driven or due to new regulation, these new requirements
must be communicated to the necessary stakeholders within a project.
Business Impact
of Addressing
Security Early
Figure 2.
Table 1.