Anyone who has worked in software development will know the SDLC (Software Development Life Cycle), but a quick recap is in order. An SDLC framework defines the processes an organization uses to take an application or product from inception to decommissioning. Over the years, organizations and industry leaders have defined and adopted various SDLC models (waterfall, agile, and so on) to suit their needs. A typical SDLC has requirements, design and architecture, development, testing, release, and maintenance phases.
What Is SecureSDLC and Why Should We Care?
Secure SDLC (SSDLC) is an SDLC variant with an explicit emphasis on security: it takes an existing SDLC model and embeds security activities into every phase, starting with requirements. Security is paramount for any organization responsible for safeguarding the confidentiality, integrity, and availability of its own or its users' data.
Most organizations and teams still push security to the last phase, either as a separate security review and test cycle or as a subset of quality assurance. This is costly and should be avoided: the cost of a vulnerability leaking into a later phase, and especially into production, is far higher than the cost of catching it at design or development time.
Security should be built in from inception, starting with requirements management and with explicit security non-functional requirements (NFRs) such as authentication, authorization, data protection, and logging. When these are captured at the right granularity, they become the basis for planning, measuring, and monitoring security work in the later phases of development.
Build Robust SecureSDLC Governance Model
A well-defined governance model is what lets an organization actually reap the benefits of SSDLC. Here are some of the key aspects to be considered and established:
- A holistic approach to security.
- An identified and established security strategy, with policies and guidelines.
- Training and awareness.
- Identified security champions.
- Regular audits, minimal in process and high in value.
- Maximum automation via Security as Code.
Moving on, let’s take a deeper look into some of the aspects discussed above.
To start with, focus on establishing a holistic approach to security. It should not be limited to the SDLC: security is only as strong as its weakest link, so the whole must be optimized. Identify and establish a security strategy, policies, and guidelines, and make them loud and visible so that no stakeholder can miss or ignore them. Do not overlook the fact that vendors and partners may be delivering into your product, and that there is a strong chance of open-source and third-party dependency exposure; watch for that and accommodate it in the overall scheme of things.
Many organizations underestimate the value of timely and relevant training and fail to reap its benefits. Avoid falling into this trap and always budget for security and other relevant training. Most of the time the organization already has the required expertise in-house; use it first, then fill the remaining gaps with external experts. Identify security champions and inspire them to create value for themselves and for the organization. Motivated individuals can do wonders.
Further strengthen SSDLC by incorporating security into the project management governance model, so that there are established means for regular monitoring and control. Conduct security-focused FMEA (Failure Mode and Effects Analysis) and risk identification and management sessions. Risk management is critical, and done right it prevents issues from surfacing in later stages. Many organizations fail to appreciate the benefits of solid risk management and end up doing issue and escalation management instead, which is mostly counterproductive and leaves people high and dry.
Develop a DevSecOps mindset in your organization by taking the security and DevOps paradigms to the next level. Discover and dissolve the silos between Dev, Sec, and Ops, and where possible get security experts involved from day one, right from requirements engineering. Emphasize threat modeling and security design reviews. It can be extremely difficult at times to have security experts available and deeply involved in all SDLC phases, but remember their importance and make the best effort possible.
Put time and effort into identifying the best-suited static (SAST) and dynamic (DAST) analysis tools, plus dependency scanning for the third-party exposure mentioned above, and integrate them into your CI/CD pipeline as gates rather than as optional reports. Remember that automation is crucial, not a choice: an organization can never scale its security program without a robust automation strategy.
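As an added illustration of what "Security as Code" in a CI/CD gate can look like (this is example code, not from the original post or any particular tool), the script below parses scanner output in SARIF 2.1.0, the interchange format most SAST tools can emit, and applies a policy that is itself kept in version control: findings at a blocking level fail the build unless they match a risk acceptance that names an owner and has not expired. The SARIF findings, the policy dictionary, and the `example-sast` tool name are all constructed sample data and assumptions for the example.

```python
"""Security-as-code build gate: evaluate SAST findings against a policy.

Added illustration, not code from the original post or any real scanner.
Assumes the scanner writes SARIF 2.1.0; the findings and the policy below are
constructed sample data.
"""
import json
from dataclasses import dataclass

# Constructed sample SARIF output standing in for a real scanner run.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "User input reaches a SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/orders.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "hardcoded-secret", "level": "error",
             "message": {"text": "Possible API key in source"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tests/fixtures.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for integrity check"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/util.py"},
                 "region": {"startLine": 12}}}]},
        ],
    }],
})

# Policy as code (hypothetical format): which SARIF levels block the build,
# and which findings are risk-accepted, each with a named owner and an expiry
# so that an acceptance cannot silently live forever.
POLICY = {
    "blocking_levels": {"error"},
    "accepted": [
        {"ruleId": "hardcoded-secret", "uri": "tests/fixtures.py",
         "owner": "appsec", "expires": "2030-01-01"},
    ],
}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    level: str
    uri: str
    line: int
    message: str


def parse_sarif(text):
    """Flatten SARIF 'results' into Finding records (first location only)."""
    findings = []
    for run in json.loads(text).get("runs", []):
        for r in run.get("results", []):
            loc = r.get("locations", [{}])[0].get("physicalLocation", {})
            findings.append(Finding(
                rule_id=r.get("ruleId", "unknown"),
                level=r.get("level", "warning"),
                uri=loc.get("artifactLocation", {}).get("uri", ""),
                line=loc.get("region", {}).get("startLine", 0),
                message=r.get("message", {}).get("text", ""),
            ))
    return findings


def is_accepted(finding, policy, today):
    """An acceptance applies only if rule and file match and it is unexpired.

    ISO-8601 date strings compare correctly as plain strings.
    """
    for a in policy["accepted"]:
        if (a["ruleId"] == finding.rule_id and a["uri"] == finding.uri
                and a["expires"] > today):
            return True
    return False


def evaluate(findings, policy, today="2025-01-01"):
    """Return (passed, blocking_findings, accepted_count) for the CI step."""
    blocking, accepted = [], 0
    for f in findings:
        if f.level not in policy["blocking_levels"]:
            continue  # warnings are reported elsewhere, not gated here
        if is_accepted(f, policy, today):
            accepted += 1
        else:
            blocking.append(f)
    return (not blocking, blocking, accepted)


if __name__ == "__main__":
    import sys
    passed, blocking, accepted = evaluate(parse_sarif(SAMPLE_SARIF), POLICY)
    for f in blocking:
        print(f"BLOCK {f.rule_id} {f.uri}:{f.line} {f.message}")
    print(f"{len(blocking)} blocking, {accepted} risk-accepted")
    sys.exit(0 if passed else 1)
```

Run on the sample data, the SQL injection finding blocks the build (exit code 1) while the accepted test-fixture secret does not; once the acceptance expires, the gate starts failing on it again, which is exactly the behaviour you want from a time-boxed risk acceptance. In a real pipeline the SARIF would come from the scanner step and the policy file would be reviewed like any other code change.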
Does SSDLC Help? How? What Are the Tangible Outcomes?
Here are some of the obvious benefits:
- Collaboration and a strong team culture: with all key functions working together, security becomes everyone's problem.
- Cross-pollination, with increased security awareness and expertise across the organization.
- Cost of delay is avoided or minimized. Every security threat or vulnerability that leaks into the next phase increases the cost to fix it; the relative cost of fixing a defect in later stages is always higher.
- Reduced total cost of ownership.
One Gartner report says "99% of the vulnerabilities exploited by the end of 2020 will still continue to be ones known by security and IT professionals at the time of the incident". That essentially means: first safeguard what you already know about, the 99%, as early as possible. This can very well be achieved through regular PDCA (Plan, Do, Check, Act) cycles, and over time you will close the remaining 1% gap too.