Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/15/2018
10:30 AM
Brian Rutledge
Brian Rutledge
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

From Reactive to Proactive: Security as the Bedrock of the SDLC

Secure code development should be a priority, not an afterthought, and adopting the software development life cycle process is a great way to start.

The increasing dependence on software in every aspect of our lives makes us more vulnerable to cybercrime. Not only are breaches getting more ingenious and frequent, but they are also getting more expensive in terms of cost and damage to reputation. The average cost of a data breach is $3.86 million, up 6.4% from last year. Even more unnerving: 60% of small companies go out of business within six months of an attack.

Organizations are actively responding to the rising threats — $1 trillion is expected to be spent globally on cybersecurity from 2017 through 2021, according to Cybersecurity Ventures. However, for cybersecurity to successfully thwart attacks, we need to be proactive in patching code as it is developed rather than being reactive and fixing it after deployment. What's required is a multipronged strategy with security built in, in a sustainable manner from the first line of code.

The secure software development life cycle (SDLC) process is gaining ground as an effective methodology to do precisely that by integrating activities such as penetration testing, code review, and architecture analysis into the SDLC.

What Is a Secure SDLC?
Here is a quick visual snapshot of the Secure SDLC:

Why Is the Secure SDLC a Necessity? 
Vulnerabilities that creep into software because of minor kinks and overlooked aspects can be successfully dealt with only when security becomes a continuous concern. The Secure SDLC does that — and more. Here are three key areas where the Secure SDLC shines.

#1 Creates a Security-focused Culture
The Secure SDLC provides a practical framework to realize a security-focused culture.

#2 Mitigates Risks
Baking security in from requirements gathering and design leads to more predictable deployments, fewer rollbacks, and higher customer satisfaction.

#3 Cost Benefits
It is
almost 100 times more expensive to fix security flaws in deployed software than during the requirements stage, thus reducing a project's overall expense.

Tips to Implement the Secure SDLC

Select a Secure SDLC Model
The first step to implementing the Secure SDLC is picking a model. Here are some commonly used models:

Get Buy-in, Train, and Champion
After finalizing your methodology, the next step is to get buy-in, train, and champion. As with the adoption of any other organizationwide process change, for it to be a success, the triad of executive buy-in, companywide training and dedicated security champions are a must.

While stakeholder buy-in is needed to drive change across the various teams, developer, tester, and analyst buy-in is critical for Secure SDLC, too, because it fundamentally alters the way they develop, test, and analyze. Those three groups need to fully grasp the benefits of including security and testing right from the nascent stages. Architects, developers, testers, and analysts must be trained to maintain a security-focused "privacy by design" (a GDPR requirement) mentality/development process that infuses security from the time requirements are gathered. Some ways include:

● Architects and analysts need to perform architecture reviews and threat modeling. Using tools like the OWASP Top Ten, they must understand critical web application security risks. Decisions about the design and app infrastructure — technology, frameworks, and languages — need to be made with regulatory considerations and possible vulnerabilities in mind.

● Developers should add security code testing and security plug-ins to their daily coding routine/IDE. They need to adopt secure coding standards, static code analysis, and unit testing along with peer code reviews during the development stage. Checks should be put in place to update software, libraries, and tools on a regular basis to address vulnerabilities.

● Quality analysts need to thoroughly execute test plans with the help of automated testing tools and perform penetration testing on the final product.

● While the Secure SDLC can be kick-started with security champions, a dedicated software security group is a must for a sustainable implementation. It is an effective way to educate, assess, and enforce established security measures across the organization.

Building a Culture of Security
Secure code development should be a priority, not an afterthought. The benefits are significant and well worth the additional time and effort. Building a culture of security with the help of tools, processes, and training, is the strongest offense against the onslaught of malware, spyware, viruses, worms, Trojans, adware, and ransomware.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Brian Rutledge is a Certified Information Systems Security Professional (CISSP) in the cybersecurity industry for more than 20 years. He's currently the security and compliance engineer at Spanning, driving all audit compliance initiatives and managing the company's overall ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
chloedigitalmaelstrom
50%
50%
chloedigitalmaelstrom,
User Rank: Strategist
4/5/2019 | 5:15:14 PM
Secure SDLC: My Company's Experience

This article provides really clear insight as to why the "security" aspect of the Secure Software Development Life Cycle is so crucial to the overall process. Our tech advisory business has been utilizing this life cycle with our customers for the past several years and it has consistently yielded great results. Following this life cycle proved to be so effective with our clients that we began offering it as one of our main services under the umbrella of our Security pillar:  https://www.digitalmaelstrom.net/security/secure-software-development-lifecycle-ssdlc/ .

Digital Maelstrom specifies in the Agile model of Secure SDLC - approaching the process as a continuous loop of security, rather than a one-time ordeal. I'm curious to see whether other software developers have utilized the Waterfall or Iterative Methods of SSDLC and how successful their results have been.

COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...