Implementing Security into your SDLC
We’ve touched on the concept of the “S-SDLC”, which treats security as a part of the software development life cycle (SDLC). In this blog we’ll go over four ways you can implement security-enforcing measures in your SDLC, mainly around securing your code.
- Enforced through a third party: Hiring outside security consultants to analyze your code and coding practices is often the method that produces the best results, because a third party has no stake in the code and can look at it objectively. This of course depends on the quality of the consultants hired, and overall it is also the most costly approach.
- In-house personnel: The next best option is to use your in-house developers; since they get to analyze their own work there is little learning curve, if any at all. This requires effort on the company’s part to provide appropriate security training, so developers are able to find and fix issues, because not all developers have the necessary security knowledge. It costs less money than third-party consultants, but it takes developer time that might otherwise be spent on the product itself.
- Enforcing SDLC best practices: Building coding best practices and secure-development practices directly into your business’ SDLC is tied with third-party review as the best method, yet it is also the most difficult. Such processes can take years to fine-tune, and as a result adoption is extremely low: under 1% of US companies are Capability Maturity Model Integration (CMMI) Level 5 certified.
- Performing binary-level analysis: Attacks come in many forms, but many stem from attackers analyzing the compiled binary and finding exploitable flaws. It is therefore a good option to perform your own binary-level analysis, so those flaws are found and fixed before an attacker finds them. The same analysis should be performed on third-party tools used in your business, to ensure malware is not embedded in the files; tools like IDA from Hex-Rays support remote debugging, so the suspect binary runs on a separate machine and your analysis environment stays isolated.
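As an added example (not code from the original post), here is a small checksec-style script in plain Python that does the first step of binary-level analysis on your own build output: it reads an ELF64 file's program headers and dynamic table and reports whether the stack is non-executable (NX), whether the image is position-independent (PIE), and whether RELRO is none, partial or full. The two sample images at the end are constructed in the script itself so it runs offline; they are not real programs. Function and variable names are my own.

```python
"""Minimal ELF64 exploit-mitigation check (checksec-style), stdlib only.

Added example: reads the program headers and dynamic table of a
little-endian ELF64 image and reports NX / PIE / RELRO status.
"""
import struct

# ELF constants, as defined in the ELF specification / elf.h
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header (56 bytes)
DYN = struct.Struct("<QQ")                 # ELF64 dynamic entry: d_tag, d_val


def _bind_now(data: bytes, phdrs) -> bool:
    """Walk PT_DYNAMIC for DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW (full RELRO)."""
    for p in phdrs:
        if p[0] != PT_DYNAMIC:
            continue
        off, end = p[2], p[2] + p[5]            # p_offset, p_offset + p_filesz
        while off + DYN.size <= min(end, len(data)):
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW:
                return True
            if tag == DT_FLAGS and val & DF_BIND_NOW:
                return True
            if tag == DT_FLAGS_1 and val & DF_1_NOW:
                return True
            off += DYN.size
    return False


def elf_hardening(data: bytes) -> dict:
    """Return NX / PIE / RELRO status and the number of W+X PT_LOAD segments."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:            # EI_CLASS=ELFCLASS64, EI_DATA=LSB
        raise ValueError("only little-endian ELF64 is handled here")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = EHDR.unpack_from(data, 0)
    if e_phentsize != PHDR.size or e_phoff + e_phnum * PHDR.size > len(data):
        raise ValueError("program header table is malformed or truncated")
    phdrs = [PHDR.unpack_from(data, e_phoff + i * PHDR.size) for i in range(e_phnum)]

    # NX: PT_GNU_STACK present and not executable. A missing PT_GNU_STACK is
    # reported as not NX, since the historical loader default is an executable stack.
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    nx = bool(stack) and not (stack[0][1] & PF_X)
    pie = e_type == ET_DYN                      # ET_DYN: base address can be randomised
    relro = "none"
    if any(p[0] == PT_GNU_RELRO for p in phdrs):
        relro = "full" if _bind_now(data, phdrs) else "partial"
    wx = [p for p in phdrs if p[0] == PT_LOAD and (p[1] & (PF_W | PF_X)) == (PF_W | PF_X)]
    return {"nx": nx, "pie": pie, "relro": relro, "wx_load_segments": len(wx)}


def build_elf(e_type: int, segments, dynamic=()) -> bytes:
    """Constructed test input for this example: header + program headers
    (+ optional dynamic table). Not loadable, just enough structure to check."""
    phdrs = list(segments)
    dyn_blob = b"".join(DYN.pack(t, v) for t, v in dynamic)
    if dyn_blob:
        dyn_off = EHDR.size + PHDR.size * (len(phdrs) + 1)
        phdrs.append((PT_DYNAMIC, PF_R | PF_W, dyn_off, 0, 0, len(dyn_blob), len(dyn_blob), 8))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, little-endian, v1
    hdr = EHDR.pack(ident, e_type, 0x3E, 1, 0, EHDR.size, 0, 0,
                    EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    return hdr + b"".join(PHDR.pack(*p) for p in phdrs) + dyn_blob


# Constructed samples: a well-hardened PIE and a weak, non-PIE RWX binary.
HARDENED = build_elf(ET_DYN, [
    (PT_LOAD, PF_R | PF_X, 0, 0, 0, 0x1000, 0x1000, 0x1000),
    (PT_LOAD, PF_R | PF_W, 0x1000, 0x1000, 0x1000, 0x100, 0x100, 0x1000),
    (PT_GNU_STACK, PF_R | PF_W, 0, 0, 0, 0, 0, 16),
    (PT_GNU_RELRO, PF_R, 0x1000, 0x1000, 0x1000, 0x100, 0x100, 1),
], dynamic=[(DT_FLAGS, DF_BIND_NOW), (DT_NULL, 0)])

WEAK = build_elf(ET_EXEC, [
    (PT_LOAD, PF_R | PF_W | PF_X, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000),
    (PT_GNU_STACK, PF_R | PF_W | PF_X, 0, 0, 0, 0, 0, 16),
])

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                   # e.g. python3 elfcheck.py ./myapp
        with open(path, "rb") as f:
            print(path, elf_hardening(f.read()))
    print("hardened sample:", elf_hardening(HARDENED))
    print("weak sample:", elf_hardening(WEAK))
```

Run it against your own release binaries as a CI gate: a result with `nx` false, `pie` false or any W+X load segment means the compiler and linker hardening flags were dropped somewhere in the build, which is exactly the kind of gap an attacker doing their own binary analysis will find first. Stack canaries and FORTIFY need the symbol table rather than the program headers, so they are out of scope for this short script.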