Applying Security in your SDLC

The current trend with Software Development is to go through the stages of the Development Life Cycle and then only once everything is complete is a security audit performed. This as touched on in the previous blog “Reducing your costs during the SDLC” is a much more costly approach. This is where the concept of the S-SDLC comes into play, as in current times the amount of outside attackers looking to exploit your system has vastly increased. The S-SDLC aims to apply security as part of the life cycle at earlier stages to better mitigate issues that can be propagated through the rest of the stages if not caught early.

Fig 1. A sample S-SDLC process

The S-SDLC involves mapping security measures into each of the stages of the normal SDLC.

• Requirements Gathering
  • Security Requirements
  • Setting up Phase Gates
  • Risk Assessment
• Design
  • Identify Design Requirements from security perspective
  • Architecture & Design Reviews
  • Threat Modeling
• Coding
  • Coding Best Practices
  • Perform Static Analysis
• Testing
  • Vulnerability Assessment
  • Fuzzing
• Deployment
  • Server Configuration Review
  • Network Configuration Review

Although the above is not a perfect solution in terms of what is available or should be utilized during the SDLC as they may vary from case to case depending on the type of software being developed and what may suit it best.

The S-SDLC efforts can and should be measured to better understand how the overall process of software development is working for the organization. Comparing test reports during each of the stages throughout the development cycle to other reports through time can yield results in the form of increases/decreases in “fixes-to-be-done”, better turnaround rates on applications (while comparing the aforementioned increase or decreases of fixes needed).

If you have any inquiry or questions, feel free to contact E-SPIN for solution, product and project requirements.