Baking Security Into the Development Lifecycle
Updated: Nov 1
Application security is not new. In fact, it has been around since the early 2000s and in a similar environment, where code-red, nimda, and other viruses were causing global havoc. Securing the software development lifecycle was initially a Microsoft initiative developed as a result of the growing number and impact of vulnerabilities in its products and code nimda, and other viruses were causing global havoc. Securing the software development lifecycle was initially a Microsoft initiative developed as a result of the growing number and impact of vulnerabilities in its products and code. The model has significantly evolved since, though the principles remain the same: catch security bugs early on in the development cycle to cut your costs of repairing them. The damage that may be caused to customers and vendors alike will be reduced. What is the SDLC, SSDLC, or SDL? It stands for Secure Development Lifecycle, which is the way you apply security to the lifecycle of developing a product or a system. In order to apply or “bake” security into the development lifecycle, you will need to consider the type of methodology you want to use for development. For example, whether it is Waterfall or Scrum, you need to apply the same principles, but in different methods. It is also very dependent upon the risk appetite of the organization as a whole, particularly as it applies to the specific system. The risk appetite will define how many resources should be invested into this process, as it can be quite cumbersome in terms of development and security professional resources for any R&D effort. A Secure Development Lifecycle can be applied to each stage of development. Let’s start with a Waterfall example. For every stage of the cycle, you need to apply a specific security activity.
At the initial stage, when the project is in its inception, perform security threat modeling, which will be done at the stage when the product is merely a series of boxes and arrows.
Following that, you have the design phase, where you can apply security design templates that will allow you to make sure that no security controls have been “mistakenly” forgotten in the process. You can find a link to free secure design templates here.
Once the code has been developed, or while it is in the process of being developed, you can perform code reviews.
When the system is complete, after it has been tested and is stable and ready to go live, you can perform penetration testing on the application level.
Before going live to production, you need to validate secure configuration and maintenance to make sure that while the system is online, when it encounters a new vulnerability or threat, it will be handled appropriately and the risks of exploitation will be reduced.
Some of these steps can save the company a lot of money when performed properly at the correct time, and their benefits are huge to improving the overall security of the system as well as properly estimating and handling the timelines of the project delivery.
One of the simplest examples to demonstrate the actual value of incorporating security will be in the design phase. A security design issue that you only discover later in the deployment phase may be very difficult to fix. It may require a complete makeover of the system, or it means that the system will go live with a known issue that is only partially addressed or completely unaddressed.
Secure design review, when done appropriately, should only take several hours to several days depending on the complexity of the system and the risks associated with it, but its benefits are huge. This activity cannot be performed by just anyone. You will need a professional security consultant to do that, someone with an understanding of the technology side and the requirements from architecture, infrastructure, code, and the associated threats. The next step will be performing secure source code reviews on the code being developed. This can be done by an automated tool or a security consultant, though hiring an expert using an automated tool will yield the best results for the time spent. The output of code review tools for security usually requires an expert to interpret and decide on the best approach to the solution. It may not be easy for just any developer to understand the output, as many of the attack vectors and vulnerabilities associated are outside the day-to-day operations of coding, so you may require an expert to help resolve false positives, understand their impacts, and understand where false negatives can exist, e.g. issues an automated tool it's unable to identify. You should consider the best value for the time invested. Next, you will have penetration testing, when the perfect scenario will be on a system running on pre-production or staging environments and is ready to be deployed. Penetration testing should be done by a dedicated team of people with the skillset, understanding, and experience to perform it well. When the system is ready to be deployed, you need to perform what is called secure deployment. That means removing all redundant and unnecessary interfaces, configuration files, backups, and hardening the server and system configurations to make sure that the production environment is robust for this stage. You can also apply SDLC to Scrum, for faster-moving development cycles. In this case, you will need to have a security person as part of the Sprint team and decide on the key activities they will need to perform for every Sprint, depending on the scope of the specific Sprint. In any case, and independently of your chosen development methodology, the steps are the same. You will need to review the design and code, test, and securely deploy the application. Alternatively, when working in Scrum methodology, you can have a security Sprint every few Sprints, where security is the primary focus. Again, you need to make sure that the significant issues such as design and threat modeling issues have been understood and handled early on to reduce the total cost of the project and significant architectural changes in later stages of development. The key point to understand here is that “baking” security into the development lifecycle cannot be a developer decision or even a security decision (though it can be your initiative). This must come from management, or R&D management because these processes take effort off development and put them into security. What happens is when you take these resources out of R&D for developing new functionalities and into security? You may run into a problem where you’re facing a strict timeline for a project and security is holding it back (as is the case when something critical pops up). In these cases, you run into the problem of not meeting the deadline, and if management does not support the process, then things will be left behind, unhandled. Having the management on board with this process is key in whatever development methodology you use. Another thing to consider is that you will have to have a dedicated security consultant (or internal employee) who understands development, code, security, and the business.
Komodo Consulting is a high-end cybersecurity firm specializing in Penetration Testing, Red-Team Exercises, and Application Security.
Have a query? Get a 30 minute Free Consultation. Talk to a cybersecurity expert.
Like in this blog post: https://www.komodosec.com/post/the-top-7-advanced-cloud-security-challenges