Implementing a Secure Software Development Life Cycle

Chukwudi Wowo

First, what is SDLC?

The Software Development Lifecycle (SDLC) is a set of practices that make up a framework which standardizes building software applications. The aim is to establish repeatable processes and predictable outcomes from which future projects can benefit. These practices are split into phases/stages:

  1. Planning stage

  2. Requirement Definition

  3. Design stage

  4. Development/Build stage

  5. Testing

  6. Deployment

  7. Operations and Maintenance.

Secure SDLC

The Secure Software Development Lifecycle (SSDLC) introduces security as a set of practices across the SDLC, which helps discover and reduce vulnerabilities early. Doing so facilitates faster development and reduces cost and business risk.

The stages include:

  1. Training: The process of teaching employees and users about cybersecurity, best practices and regulatory compliance.

  2. Secure Requirements: These are the functional and non-functional requirements that must be satisfied in order to achieve the ultimate security attributes of the lifecycle. The purpose of this stage is to:

    1. Plan requirements and analyze the project

    2. Conduct a risk assessment

    3. Reflect the security objectives of the project

    4. Provide a clear roadmap for the developers

Some of the requirements may include: implementation of input validation, strong session management, strong data protection, strong authentication and password management, etc.

  3. Secure Design: This stage is all about threat modelling.

    Threat modelling is the process of identifying vulnerabilities and potential security threats the system must resist.

    There are different models that help accomplish this: STRIDE, DREAD, and PASTA.

    The threat modelling steps include:

    1. Prepare: What are we building?

    2. Analyze: What can go wrong?

    3. Determine: What can we do?

    4. Validate: Did we do it right?

  4. Secure Coding: Linked to software development and testing, this is the process of scanning, analyzing and reviewing code to ensure that vulnerabilities that are found are mitigated and removed. This stage verifies and validates the code itself.

    Code analysis can be carried out statically and/or dynamically.

  5. Secure Deployment: This stage formalizes and automates the deployment process. It makes sure that all configurations are secure and hardened during deployment.

    Secure DevOps involves putting the right security practices and tools in place from the earliest stages of the pipeline.

  6. Secure Assessment: This is the process of analyzing the security posture as the lifecycle goes on. It is linked to the Operations and Maintenance stage of the SDLC.
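The four threat modelling steps from the Secure Design stage can be walked through in code. The following is an added example, not code from the original article: it applies the STRIDE-per-element convention to a constructed model of a login feature and reports threats that the planned controls leave uncovered. The `Element` class, the `MODEL` contents and the control-to-threat mapping are all assumptions made for illustration.

```python
from dataclasses import dataclass

# STRIDE-per-element convention (assumed): threat categories per DFD element kind.
STRIDE_BY_KIND = {
    "external_entity": ["Spoofing", "Repudiation"],
    "process": ["Spoofing", "Tampering", "Repudiation", "Information disclosure",
                "Denial of service", "Elevation of privilege"],
    "data_store": ["Tampering", "Information disclosure", "Denial of service"],
    "data_flow": ["Tampering", "Information disclosure", "Denial of service"],
}
# Illustrative mapping from the article's example requirements to the
# STRIDE categories each one addresses (an assumption, not from the article).
CONTROL_COVERS = {
    "authentication": {"Spoofing"},
    "input validation": {"Tampering", "Elevation of privilege"},
    "session management": {"Spoofing", "Elevation of privilege"},
    "data protection": {"Tampering", "Information disclosure"},
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str
    controls: tuple = ()  # controls planned for this element

# Step 1, Prepare (what are we building?): constructed model of a login feature.
MODEL = [
    Element("browser user", "external_entity", ("authentication",)),
    Element("login API", "process",
            ("authentication", "input validation", "session management")),
    Element("credential store", "data_store", ("data protection",)),
    Element("browser-to-API flow", "data_flow", ("data protection",)),
]

def analyze(model):
    """Step 2, Analyze (what can go wrong?): enumerate threats per element."""
    return [(e.name, t) for e in model for t in STRIDE_BY_KIND[e.kind]]

def determine(model):
    """Step 3, Determine (what can we do?): planned controls for each threat."""
    return {(e.name, t): sorted(c for c in e.controls if t in CONTROL_COVERS[c])
            for e in model for t in STRIDE_BY_KIND[e.kind]}

def validate(plan):
    """Step 4, Validate (did we do it right?): threats left without a control."""
    return sorted(key for key, controls in plan.items() if not controls)

if __name__ == "__main__":
    for name, threat in validate(determine(MODEL)):
        print(f"GAP: {name}: {threat}")
```

Under this mapping, the requirements listed earlier leave Repudiation and Denial of service threats without a control, which is the kind of gap the Validate step is meant to surface and feed back into the Secure Requirements stage.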

Why is it important to include security in the lifecycle?

Shifting left means implementing security measures at all stages of the development lifecycle. It is important because including security processes from the start ensures vulnerabilities are caught early.
