Risk

11/15/2018
10:30 AM
Brian Rutledge
Commentary

From Reactive to Proactive: Security as the Bedrock of the SDLC

Secure code development should be a priority, not an afterthought, and adopting the software development life cycle process is a great way to start.

The increasing dependence on software in every aspect of our lives makes us more vulnerable to cybercrime. Not only are breaches getting more ingenious and frequent, but they are also getting more expensive in terms of cost and damage to reputation. The average cost of a data breach is $3.86 million, up 6.4% from last year. Even more unnerving: 60% of small companies go out of business within six months of an attack.

Organizations are actively responding to the rising threats — $1 trillion is expected to be spent globally on cybersecurity from 2017 through 2021, according to Cybersecurity Ventures. However, for cybersecurity to successfully thwart attacks, we need to be proactive in patching code as it is developed rather than being reactive and fixing it after deployment. What's required is a multipronged strategy with security built in, sustainably, from the first line of code.

The secure software development life cycle (SDLC) process is gaining ground as an effective methodology to do precisely that by integrating activities such as penetration testing, code review, and architecture analysis into the SDLC.

What Is a Secure SDLC?
Here is a quick visual snapshot of the Secure SDLC:

Image Source: Brian Rutledge

Why Is the Secure SDLC a Necessity?
Vulnerabilities that creep into software because of minor kinks and overlooked aspects can be successfully dealt with only when security becomes a continuous concern. The Secure SDLC does that — and more. Here are three key areas where the Secure SDLC shines.

#1 Creates a Security-focused Culture
The Secure SDLC provides a practical framework to realize a security-focused culture.

#2 Mitigates Risks
Baking security in from requirements gathering and design leads to more predictable deployments, fewer rollbacks, and higher customer satisfaction.

#3 Cost Benefits
Fixing security flaws in deployed software is almost 100 times more expensive than fixing them during the requirements stage, so catching them early reduces a project's overall expense.

Tips to Implement the Secure SDLC

Select a Secure SDLC Model
The first step to implementing the Secure SDLC is picking a model. Here are some commonly used models:

Get Buy-in, Train, and Champion
After finalizing your methodology, the next step is to get buy-in, train, and champion. As with the adoption of any other organizationwide process change, for it to be a success, the triad of executive buy-in, companywide training, and dedicated security champions is a must.

While stakeholder buy-in is needed to drive change across the various teams, developer, tester, and analyst buy-in is critical for Secure SDLC, too, because it fundamentally alters the way they develop, test, and analyze. Those three groups need to fully grasp the benefits of including security and testing right from the nascent stages. Architects, developers, testers, and analysts must be trained to maintain a security-focused "privacy by design" (a GDPR requirement) mentality/development process that infuses security from the time requirements are gathered. Some ways include:

● Architects and analysts need to perform architecture reviews and threat modeling. Using tools like the OWASP Top Ten, they must understand critical web application security risks. Decisions about the design and app infrastructure — technology, frameworks, and languages — need to be made with regulatory considerations and possible vulnerabilities in mind.

● Developers should add security code testing and security plug-ins to their daily coding routine/IDE. They need to adopt secure coding standards, static code analysis, and unit testing along with peer code reviews during the development stage. Checks should be put in place to update software, libraries, and tools on a regular basis to address vulnerabilities.

● Quality analysts need to thoroughly execute test plans with the help of automated testing tools and perform penetration testing on the final product.

● While the Secure SDLC can be kick-started with security champions, a dedicated software security group is a must for a sustainable implementation. It is an effective way to educate, assess, and enforce established security measures across the organization.
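One way to put the development-stage checks above in place is a merge gate that blocks on severe static-analysis findings and on dependencies that sit below a known fixed version. This is an added example, not the article's or author's code; the findings, package names, versions and advisory ids are all constructed stand-ins for real SAST and advisory-feed output.

```python
"""Merge-gate check for static-analysis findings and outdated dependencies.

Added example: all inputs below are constructed, standing in for a real
SAST report, a lockfile and an advisory feed (hypothetical names and ids).
"""
from dataclasses import dataclass, field


def parse_version(v: str) -> tuple:
    """Turn '2.8.2' into (2, 8, 2) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


# Constructed sample inputs (hypothetical package names and advisory ids).
SAST_FINDINGS = [
    {"rule": "sql-injection", "severity": "high", "file": "app/db.py"},
    {"rule": "weak-hash", "severity": "medium", "file": "app/auth.py"},
]
DEPENDENCIES = {"webframework": "2.7.9", "jsonlib": "1.4.0"}
ADVISORIES = [  # a package is affected when installed < fixed_in
    {"id": "ADV-EXAMPLE-001", "package": "webframework", "fixed_in": "2.8.2"},
    {"id": "ADV-EXAMPLE-002", "package": "jsonlib", "fixed_in": "1.3.5"},
]


@dataclass
class GateResult:
    blocking: list = field(default_factory=list)  # fail the merge
    warnings: list = field(default_factory=list)  # report, do not fail

    @property
    def passed(self) -> bool:
        return not self.blocking


def run_gate(findings, dependencies, advisories, block_at=("high", "critical")):
    """Block on severe SAST findings or dependencies with an open advisory."""
    result = GateResult()
    for f in findings:
        msg = f"{f['file']}: {f['rule']} ({f['severity']})"
        (result.blocking if f["severity"] in block_at else result.warnings).append(msg)
    for adv in advisories:
        installed = dependencies.get(adv["package"])
        if installed and parse_version(installed) < parse_version(adv["fixed_in"]):
            result.blocking.append(
                f"{adv['package']} {installed} < {adv['fixed_in']} ({adv['id']})")
    return result


if __name__ == "__main__":
    gate = run_gate(SAST_FINDINGS, DEPENDENCIES, ADVISORIES)
    print("PASS" if gate.passed else "FAIL", *gate.blocking, *gate.warnings, sep="\n  ")
```

In a pipeline the exit status of this check, not the printed list, is what should decide whether the change can merge.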

Building a Culture of Security
Secure code development should be a priority, not an afterthought. The benefits are significant and well worth the additional time and effort. Building a culture of security with the help of tools, processes, and training is the strongest offense against the onslaught of malware, spyware, viruses, worms, Trojans, adware, and ransomware.


Brian Rutledge is a Certified Information Systems Security Professional (CISSP) who has been in the cybersecurity industry for more than 20 years. He's currently the security and compliance engineer at Spanning, driving all audit compliance initiatives and managing the company's overall ...
Comments
chloedigitalmaelstrom
User Rank: Strategist
4/5/2019 | 5:15:14 PM
Secure SDLC: My Company's Experience

This article provides really clear insight as to why the "security" aspect of the Secure Software Development Life Cycle is so crucial to the overall process. Our tech advisory business has been utilizing this life cycle with our customers for the past several years and it has consistently yielded great results. Following this life cycle proved to be so effective with our clients that we began offering it as one of our main services under the umbrella of our Security pillar: https://www.digitalmaelstrom.net/security/secure-software-development-lifecycle-ssdlc/

Digital Maelstrom specializes in the Agile model of Secure SDLC - approaching the process as a continuous loop of security, rather than a one-time ordeal. I'm curious to see whether other software developers have utilized the Waterfall or Iterative Methods of SSDLC and how successful their results have been.
