02.2 Security Development Lifecycle

This document discusses the security development lifecycle (SDL) and how it maps to the traditional software development lifecycle (SDLC). It explains that the SDL integrates security practices into each phase of development to produce more secure software. Key phases of the SDL include requirements, design, implementation, testing, and release/response. The document provides examples of how security considerations can be incorporated into each SDLC phase, such as validating user input during development and testing that access controls work as intended. It emphasizes that the SDL should be tailored to an organization's specific SDLC in order to fully integrate security.

Uploaded by

issa.i.shaban

Princess Sumaya University for Technology
The King Hussein School for Computing Sciences

13434 Secure Software Development
Topic 2: Software Development Lifecycle & Security Development Lifecycle
Dr. Ahmad Altamimi


Outline
o Software Development Life Cycle (SDLC)
o Popular SDLC Models
o Security Development Lifecycle (SDL)
o Mapping SDL to SDLC
Security Development Lifecycle (SDL)
o SDL is a software development process used to reduce software maintenance
costs and increase the reliability of software with respect to security-related bugs.
o Enterprises affected by software security defects are improving their software
development practices.
o SDL:
 Helps integrate security and privacy into the organization’s SDLC, to assess the current
state and to produce more secure software.
 Reduces the number of security vulnerabilities and privacy problems.
 Reduces the severity of the vulnerabilities that remain.
Security Development Lifecycle (SDL)
o We now have the theory and guidelines on how to build security into the code.
o Because the SDL was developed in the waterfall era, it is usually portrayed as
a linear process that begins with requirements and ends with release.
o When the SDL is extended to agile, some security activities are integrated into the
normal sprint schedule, while others are pursued out-of-band.
SDL- Examples
o Microsoft Secure Development Lifecycle (Designed as an integral part of the
software development process at Microsoft in 2004).
o The OWASP SDL (Comprehensive, Lightweight Application Security Process)
o Secure Software Engineering Capability Maturity Model (SSE-CMM)
o The Cigital Software Security Touchpoints model
o The Cisco Secure Development Lifecycle (CSDL)
o Confidentiality, integrity, and availability are the three primary goals that the
industry considers to be of the utmost importance in any SDL.
SDL Phases
o A standard SDL is divided into phases that tie closely into the waterfall approach.
The standard approach to SDL includes:

 Requirements
 Design
 Implementation
 Test
 Release/response.
Mapping SDL to the SDLC
o SDLs are the key step in the evolution of software security: they build security into
the software development lifecycle.
o Whatever form of SDL you use, you must map it to the SDLC to be effective (each phase
of the SDLC must contribute to security).
o Ideally, you should secure each phase of the SDLC in the manner most appropriate
for the stakeholders present at that stage.
o If security is built into each SDLC phase, then the software has a higher probability
of being secure by default, and later software changes are less likely to compromise
overall security.
Mapping - Example
o Phase 1: Requirements
Identify any security considerations for functional requirements being gathered
 Functional requirement: user needs the ability to verify their contact information before
they are able to renew their membership.
 Security consideration: users should be able to see only their own contact information
and no one else’s.
Mapping - Example
o Phase 2: Design
Translates the in-scope requirements into what the actual application should be.
 Functional design: the page should retrieve the user’s name, email, phone, and address
from the CUSTOMER_INFO table in the database and display them on screen.
 Security concern: we must verify that the user has a valid session token before
retrieving information from the database. If absent, the user should be redirected to the
login page.
Mapping - Example
o Phase 3: Development
Implement the design, and make sure the code is well-written from the security
perspective. Usually, code reviews are conducted in this phase.
 This may include:
 Using parameterized, read-only SQL queries to read data from the database
 Validating user inputs before processing data contained in them
 Checking open-source libraries for vulnerabilities before using them
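The contact-information page from the three phases above, written as an added Python example that is not from the lecture: the CUSTOMER_INFO rows, the session store and the tokens are constructed stand-ins, and SQLite's query_only pragma stands in for a read-only database account. It carries the Phase 1 consideration (a user sees only their own row), the Phase 2 concern (valid session token or redirect to login) and the Phase 3 practices (parameterized read-only query, input validation) into one handler.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the slide's CUSTOMER_INFO table.
SCHEMA = """
CREATE TABLE CUSTOMER_INFO(user_id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT, address TEXT);
INSERT INTO CUSTOMER_INFO VALUES (1, 'Alice', 'alice@example.com', '555-0100', '1 Main St');
INSERT INTO CUSTOMER_INFO VALUES (2, 'Bob', 'bob@example.com', '555-0101', '2 Oak Ave');
"""

# Constructed session store (token -> user_id); a real app keeps this server-side.
SESSIONS = {"tok-alice": 1, "tok-bob": 2}
TOKEN_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")  # input validation for the session token

def open_db():
    """Open the constructed database as a read-only connection for the page handler."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("PRAGMA query_only = ON")  # any write through this connection is rejected
    return db

def contact_info_page(db, session_token):
    """Return ('ok', contact dict) for a valid session, else ('redirect', '/login')."""
    # Phase 2 concern: verify the session token before touching the database.
    if session_token is None or not TOKEN_RE.match(session_token):
        return ("redirect", "/login")
    user_id = SESSIONS.get(session_token)
    if user_id is None:
        return ("redirect", "/login")
    # Phase 1 consideration: the query is scoped to the session's own user_id, so no
    # request parameter can select another customer's row.
    # Phase 3 practice: parameterized query; user_id never becomes part of the SQL text.
    row = db.execute(
        "SELECT name, email, phone, address FROM CUSTOMER_INFO WHERE user_id = ?",
        (user_id,),
    ).fetchone()
    if row is None:
        return ("redirect", "/login")
    return ("ok", dict(zip(("name", "email", "phone", "address"), row)))

def write_is_rejected(db):
    """Phase 4 check: the handler's connection must refuse writes."""
    try:
        db.execute("DELETE FROM CUSTOMER_INFO")
    except sqlite3.OperationalError:
        return True
    return False
```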
Mapping - Example
o Phase 4: Verification
Applications go through a testing cycle to ensure they meet the original design &
requirements.
The application is not deployed unless these tests pass.
Mapping - Example
o Phase 5: Maintenance and Evolution
 Vulnerabilities may be found (by crackers, external penetration tests, or bug
bounty programs) in the code developers wrote or in the underlying open-source
components that make up an application after it has been released.
 These vulnerabilities then need to be patched by the development team, a process that
may in some cases require significant rewrites of application functionality.
 Addressing these types of production issues must be planned for and accommodated in
future releases.
Best Practices
Software Security Practices
1. Security Requirements & Abuse Cases
2. Risk Analysis
3. Code Reviews
4. Security Testing
5. Penetration Testing
6. Security Operations

Figure: the practices placed over the SDLC phases
Practices: Abuse Cases | Risk Analysis | Code Reviews + Static Analysis | Security Testing | Penetration Testing | Security Operations
Phases: Requirements | Design | Coding | Testing | Maintenance

Throughout this series, we will focus on specific parts.
Cont.
o Abuse Cases: Anti-requirements. What software should not do.
o Risk Analysis: Fix design flaws, not implementation bugs.
o Code Review: Fix implementation bugs, not design flaws.
o Security Testing: Two types of testing:
 Functional: verify security mechanisms.
 Adversarial: verify resistance to attacks generated during risk analysis.
o Penetration Testing: Test the software in its deployed environment.
o Security Operations: Develop an incident response process (What happens when a
vulnerability is reported? How do you communicate with users? How do you send
updates to users?)
