Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/15/2018
10:30 AM
Brian Rutledge
Brian Rutledge
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

From Reactive to Proactive: Security as the Bedrock of the SDLC

Secure code development should be a priority, not an afterthought, and adopting the software development life cycle process is a great way to start.

The increasing dependence on software in every aspect of our lives makes us more vulnerable to cybercrime. Not only are breaches getting more ingenious and frequent, but they are also getting more expensive in terms of cost and damage to reputation. The average cost of a data breach is $3.86 million, up 6.4% from last year. Even more unnerving: 60% of small companies go out of business within six months of an attack.

Organizations are actively responding to the rising threats — $1 trillion is expected to be spent globally on cybersecurity from 2017 through 2021, according to Cybersecurity Ventures. However, for cybersecurity to successfully thwart attacks, we need to be proactive in patching code as it is developed rather than being reactive and fixing it after deployment. What's required is a multipronged strategy with security built in, in a sustainable manner from the first line of code.

The secure software development life cycle (SDLC) process is gaining ground as an effective methodology to do precisely that by integrating activities such as penetration testing, code review, and architecture analysis into the SDLC.

What Is a Secure SDLC?
Here is a quick visual snapshot of the Secure SDLC:

Why Is the Secure SDLC a Necessity? 
Vulnerabilities that creep into software because of minor kinks and overlooked aspects can be successfully dealt with only when security becomes a continuous concern. The Secure SDLC does that — and more. Here are three key areas where the Secure SDLC shines.

#1 Creates a Security-focused Culture
The Secure SDLC provides a practical framework to realize a security-focused culture.

#2 Mitigates Risks
Baking security in from requirements gathering and design leads to more predictable deployments, fewer rollbacks, and higher customer satisfaction.

#3 Cost Benefits
It is
almost 100 times more expensive to fix security flaws in deployed software than during the requirements stage, thus reducing a project's overall expense.

Tips to Implement the Secure SDLC

Select a Secure SDLC Model
The first step to implementing the Secure SDLC is picking a model. Here are some commonly used models:

Get Buy-in, Train, and Champion
After finalizing your methodology, the next step is to get buy-in, train, and champion. As with the adoption of any other organizationwide process change, for it to be a success, the triad of executive buy-in, companywide training and dedicated security champions are a must.

While stakeholder buy-in is needed to drive change across the various teams, developer, tester, and analyst buy-in is critical for Secure SDLC, too, because it fundamentally alters the way they develop, test, and analyze. Those three groups need to fully grasp the benefits of including security and testing right from the nascent stages. Architects, developers, testers, and analysts must be trained to maintain a security-focused "privacy by design" (a GDPR requirement) mentality/development process that infuses security from the time requirements are gathered. Some ways include:

● Architects and analysts need to perform architecture reviews and threat modeling. Using tools like the OWASP Top Ten, they must understand critical web application security risks. Decisions about the design and app infrastructure — technology, frameworks, and languages — need to be made with regulatory considerations and possible vulnerabilities in mind.

● Developers should add security code testing and security plug-ins to their daily coding routine/IDE. They need to adopt secure coding standards, static code analysis, and unit testing along with peer code reviews during the development stage. Checks should be put in place to update software, libraries, and tools on a regular basis to address vulnerabilities.

● Quality analysts need to thoroughly execute test plans with the help of automated testing tools and perform penetration testing on the final product.

● While the Secure SDLC can be kick-started with security champions, a dedicated software security group is a must for a sustainable implementation. It is an effective way to educate, assess, and enforce established security measures across the organization.

Building a Culture of Security
Secure code development should be a priority, not an afterthought. The benefits are significant and well worth the additional time and effort. Building a culture of security with the help of tools, processes, and training, is the strongest offense against the onslaught of malware, spyware, viruses, worms, Trojans, adware, and ransomware.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Brian Rutledge is a Certified Information Systems Security Professional (CISSP) in the cybersecurity industry for more than 20 years. He's currently the security and compliance engineer at Spanning, driving all audit compliance initiatives and managing the company's overall ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
chloedigitalmaelstrom
50%
50%
chloedigitalmaelstrom,
User Rank: Strategist
4/5/2019 | 5:15:14 PM
Secure SDLC: My Company's Experience

This article provides really clear insight as to why the "security" aspect of the Secure Software Development Life Cycle is so crucial to the overall process. Our tech advisory business has been utilizing this life cycle with our customers for the past several years and it has consistently yielded great results. Following this life cycle proved to be so effective with our clients that we began offering it as one of our main services under the umbrella of our Security pillar:  https://www.digitalmaelstrom.net/security/secure-software-development-lifecycle-ssdlc/ .

Digital Maelstrom specifies in the Agile model of Secure SDLC - approaching the process as a continuous loop of security, rather than a one-time ordeal. I'm curious to see whether other software developers have utilized the Waterfall or Iterative Methods of SSDLC and how successful their results have been.

Look Beyond the 'Big 5' in Cyberattacks
Robert Lemos, Contributing Writer,  11/25/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I think the boss is bing watching '70s TV shows again!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26250
PUBLISHED: 2020-12-01
OAuthenticator is an OAuth login mechanism for JupyterHub. In oauthenticator from version 0.12.0 and before 0.12.2, the deprecated (in jupyterhub 1.2) configuration `Authenticator.whitelist`, which should be transparently mapped to `Authenticator.allowed_users` with a warning, is instead ignored by ...
CVE-2020-28576
PUBLISHED: 2020-12-01
An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal version and build information.
CVE-2020-28577
PUBLISHED: 2020-12-01
An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal server hostname and db names.
CVE-2020-28582
PUBLISHED: 2020-12-01
An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal number of managed agents.
CVE-2020-28583
PUBLISHED: 2020-12-01
An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal version, build and patch information.