January 23, 2019
The software development life cycle abbreviated SDLC, is a term used for the process of developing, altering, maintaining, and replacing a software system. SDLC is comprised of several different phases, including planning, design, building, testing, and deployment. In Secure SDLC, security assurance is practiced within in each developmental phase of the SDLC. Throughout each phase either penetration testing, code review, or architecture analysis is performed to ensure safe practices.
Why is this important?
By implementing these practices a large organization can save money. The longer you wait to fix a bug in your application, the more costly it becomes. Extreme examples are complete breaches. Uber for example: when Uber released they had been breached they were in negotiations to sell to SoftBank. However due to the breach they were appraised at a much lower value, some twenty billion dollars less. Many other examples of this exist: Target, Sony, and The Home Depot have all suffered a data breach.
You may be wondering how does a secure SDLC work? Typically a Secure SDLC is accomplished by accompanying an existing SDLC with secure practice in correlation to each phase. For example, adding a penetration test during the verification phase of the SDLC.
Due to heightened security awareness many industry implementations of a secure SDLC exist. These frameworks help developers produce a more secure solution, which aim to be free of bugs at the time of release. One such framework is the Microsoft Secure Development Lifecycle abbreviated SDL. According to Microsoft, “Microsoft Security Development Lifecycle (SDL) is an industry-leading software security assurance process. A Microsoft-wide initiative and a mandatory policy since 2004, the SDL has played a critical role in embedding security and privacy in Microsoft software and culture. Combining a holistic and practical approach, the SDL introduces security and privacy early and throughout all phases of the development process. It has led Microsoft to measurable and widely-recognized security improvements in flagship products such as Windows Vista and SQL Server. Microsoft is publishing its detailed SDL process guidance to provide transparency on the secure software development process used to develop its products.”  The Open Software Assurance Maturity Model (OpenSAMM) is an OWASP project which guides the integration of security within the SDLC. According to OpenSAMM.org, “The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization”. Another alternative is Building Security in Maturity Model abbreviated BSIMM. The BSSIM model comprises 116 activities grouped into four domains: Governance, Intelligence, SSDL Touchpoints and Deployment, as stated on their website
How do I use a Secure SDLC in my Agile environment? Working in an agile way means developing small amounts of code blocks which allows for release of updated code much more quickly. Because of this security must be practiced in every step of the process to ensure a sound product is being developed. Starting with the planning phase. While planning out the development, create stories about security. These stories will help the agile team connect the dots, planning out a much less risky application. Following this, Checkmarx.com says, “One of the most important changes to make is making developers responsible for secure development. The security team should still have input and involvement in the planning and later testing phases, but during core development, programmers should be put in charge of security scans and fixing the issues they find. This is a great way to help push security into earlier stages of the software development lifecycle (SDLC), where security issues are best dealt with”.  It’s important to aid your developers with modern security software that can help them in finding potential security concerns. One example of this would be a static code analysis. If the code analysis came back with a bug the developer could fix the code much faster, reducing the overall risk to the organization. The Agile methodology requires constant measurement, in an effort to continuously improve current tools and processes. Its part of what makes Agile a fluid framework of constant change work. An Agile organization is ever improving. In order to keep focused on security the Agile organization must treat security the same as the development of the product. This integration is what creates a secure product. From the applications inception security has been considered. With each iteration of the SDLC a security practice has been applied. In this instance the outcome is an Agile application, written with a secure SDLC in mind.