Integrating security into the SDLC

Recently I stumbled upon an article about integrating security into the development lifecycle without adversely affecting the normal development process. The article was written by Gary McGraw, and I found it to be a good read. The article discusses some of the problems with the security process as it pertains to the SDLC, and how to address them. I’ll discuss a few of the notes that I picked up from it.

In his article, Gary McGraw observes three phases of organizational maturity from a security perspective:

  • Organizations that don’t fully understand the security problem
  • Organizations that are in a constant “reactive” mode
  • Organizations that are integrating security best practices into their SDLC

McGraw goes on to describe best practice items that can help improve the security of software. The following outlines the process that a mature organization might follow to ensure more secure software.

  1. Perform a code review using static code review and black box testing tools.
  2. Perform a security architecture review.
  3. Get penetration testing completed.
  4. Attack the application like an actual intruder would (“Risk based security testing”).
  5. Understand the application “Use case” scenarios.
  6. Understand the application “Abuse cases” - how an attacker might use it in the future.
  7. Ensure that traditional security measures are in place for the environment (Firewalls, IDS, monitoring, patching).

Even if all of the above aren’t followed, McGraw points out that the most important things to consider would be performing code and architecture reviews. “I think those are the first two that everybody should be doing today. So if you're only going to do two, do those two.”

In closing McGraw mentions that it is important to get the support of both management and the developers to ensure a successful secure development lifecycle. Combining the support of those involved will help to drive more secure applications.

To read the full article in its entirety, see http://searchappsecurity.techtarget.com/qna/0,289202,sid92_gci1187360,00.html.