06-Secure SDLC

The document outlines the importance of integrating security throughout the Software Development Lifecycle (SDLC) to mitigate vulnerabilities and improve application security. It covers various phases of the SDLC, emphasizing the need for secure coding practices, design principles, and security testing. Additionally, it references the Application Security Verification Standard (ASVS) and OWASP's Cheat Sheet Series as resources for developers to enhance security measures.

Uploaded by Muhammad Nadeem
© All Rights Reserved

APPLICATION SECURITY

Secure Development Lifecycle

Dr. Muhammad Nadeem
dr.nadeem@ieee.org

Contents
• What causes poor security?
• Secure SDLC: The roadmap
• Security considerations during various phases of SDLC
• Application Security Verification Standard (ASVS)

06/15/2025 Application Security


What causes poor security?

• Software security flaws can be introduced at any stage of the software development lifecycle, including:
  - Not identifying security requirements up front
  - Creating conceptual designs that have logic errors
  - Using poor coding practices that introduce technical vulnerabilities
  - Deploying the software improperly
  - Introducing flaws during maintenance or updating


Why do we need Secure SDLC?

• Secure software development practices should be integrated throughout the SDLC for three reasons:
  - To reduce the number of vulnerabilities in released software
  - To mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and
  - To address the root causes of vulnerabilities to prevent future recurrences


Secure SDLC: The Roadmap

• Clearly defined roles and responsibilities
• Adequate software security training
• A systematic and structured concept to implement a secure software development lifecycle
• Integrate security into every phase of the SDLC
• Establish secure coding standards (secure coding standards for all popular languages are available)
• Verify with the Application Security Verification Standard (ASVS)

Secure SDLC

Phase          Activities
Requirements   Security requirements; Risk assessment
Design         Secure design principles; Design review
Development    Automated and manual code reviews; Secure development
Testing        Security testing; Penetration testing
Deployment     Environment hardening; Secure configuration
Operations     Policy, regulation, and compliance; 3rd party assessment


SECURITY CONSIDERATIONS DURING REQUIREMENTS STAGE

Security at Requirements Stage


• Core Security Requirements
- Confidentiality, Integrity, Availability (the CIA triad)
• General (Application) Security Requirements
• Operational Security Requirements


Security at Requirements Stage

• Functional vs. nonfunctional requirements
  • Functional: e.g., the user needs to log in to the system
  • Security (nonfunctional) requirements:
    - How many failed login attempts are allowed?
    - What happens when the max number is reached?
    - When does the password expire?
    - Can a user reuse a password?
    - What needs to be logged?
    - Can you list a few more?

Security at Requirements Stage

• Let’s list some more
  - How are the passwords being stored?
  - Does password storage use strong hashing?
  - Does it use salting/peppering?
  - Does the password storage algorithm comply with industry standards? (e.g., bcrypt)
  - When to use CAPTCHA?


Security at Requirements Stage

• While listing security requirements, make sure that each requirement
  - is testable
  - is measurable
  - is complete
  - is clear (unambiguous)
  - is consistent with other requirements
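The login questions on the preceding slides (how many failed attempts, what happens at the limit, when a password expires, whether it may be reused, what is logged, whether storage uses strong salted hashing with a standard algorithm) only meet the testable and measurable criteria once each one is pinned to a concrete value and a check. The Python module below is an added example written for this page, not code from the slides; the policy values (5 attempts, 15-minute lockout, 90-day lifetime, 5-password history), the `AuthService` API and the account record are assumptions chosen for illustration, and PBKDF2 from the standard library stands in for bcrypt, which needs a third-party package.

```python
"""Login-policy requirements as testable code (added example, not from the slides)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Policy parameters: assumed values for illustration, not figures from the slides.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT = timedelta(minutes=15)
PASSWORD_LIFETIME = timedelta(days=90)
HISTORY_DEPTH = 5


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256: stdlib stand-in for bcrypt/Argon2, which need extra packages."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    password_set_at: datetime
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # previous (salt, digest)
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


class AuthService:
    def __init__(self) -> None:
        self.accounts = {}
        self.audit_log = []  # requirement: log the events that matter, never the password itself

    def _log(self, event: str, username: str, now: datetime) -> None:
        self.audit_log.append(f"{now.isoformat()} {event} user={username}")

    def register(self, username: str, password: str, now: datetime) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest, now)
        self._log("REGISTER", username, now)

    def change_password(self, username: str, new_password: str, now: datetime) -> bool:
        acct = self.accounts[username]
        # Requirement: the new password may not repeat any of the last HISTORY_DEPTH passwords.
        for old_salt, old_digest in acct.history + [(acct.salt, acct.digest)]:
            if hmac.compare_digest(hash_password(new_password, old_salt)[1], old_digest):
                self._log("PASSWORD_REUSE_REJECTED", username, now)
                return False
        acct.history = (acct.history + [(acct.salt, acct.digest)])[-HISTORY_DEPTH:]
        acct.salt, acct.digest = hash_password(new_password)
        acct.password_set_at = now
        self._log("PASSWORD_CHANGED", username, now)
        return True

    def login(self, username: str, password: str, now: datetime) -> str:
        """Returns 'ok', 'denied', 'locked' or 'expired'; every outcome is logged."""
        acct = self.accounts.get(username)
        if acct is None:
            self._log("LOGIN_UNKNOWN_USER", username, now)
            return "denied"
        if acct.locked_until is not None and now < acct.locked_until:
            self._log("LOGIN_LOCKED", username, now)
            return "locked"
        if not hmac.compare_digest(hash_password(password, acct.salt)[1], acct.digest):
            acct.failed_attempts += 1
            self._log("LOGIN_FAILED", username, now)
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:  # requirement: lock after N failures
                acct.locked_until = now + LOCKOUT
                self._log("ACCOUNT_LOCKED", username, now)
                return "locked"
            return "denied"
        acct.failed_attempts = 0
        acct.locked_until = None
        if now - acct.password_set_at > PASSWORD_LIFETIME:  # requirement: passwords expire
            self._log("LOGIN_PASSWORD_EXPIRED", username, now)
            return "expired"
        self._log("LOGIN_OK", username, now)
        return "ok"


def demo() -> Tuple[List[object], List[str]]:
    """Walks one account through lockout, recovery, reuse rejection and expiry."""
    svc = AuthService()
    t0 = datetime(2025, 1, 1)
    svc.register("alice", "correct horse", t0)
    results = [svc.login("alice", "correct horse", t0)]
    last = ""
    for _ in range(MAX_FAILED_ATTEMPTS):
        last = svc.login("alice", "wrong guess", t0)
    results.append(last)                                                          # "locked"
    results.append(svc.login("alice", "correct horse", t0 + timedelta(minutes=1)))  # still locked
    results.append(svc.login("alice", "correct horse", t0 + LOCKOUT + timedelta(seconds=1)))  # "ok"
    results.append(svc.change_password("alice", "correct horse", t0))             # False: reuse
    results.append(svc.change_password("alice", "new pass phrase", t0))           # True
    results.append(svc.login("alice", "new pass phrase", t0 + timedelta(days=91)))  # "expired"
    return results, svc.audit_log
```

Each constant at the top is one measurable requirement, `demo()` returns the sequence of outcomes an acceptance test would assert on, and the audit log records every decision without ever containing the password.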


OWASP’s Cheat Sheet Series

e.g., Forgot Password Cheat Sheet

• The ‘Forgot Password Cheat Sheet’
- Gather identity data or security questions
- Verify security questions
- Send a token over a secure channel
- Allow user to change password in existing session
- Log all important activity
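The five steps listed above, carried through in code: identity data and the security question are verified first, a random token is issued and stored only as a hash, the token works once and expires, the password changes inside the verified session, and every step is logged. This is an added example and not OWASP's or the slide author's code; the `PasswordResetService` API, the 15-minute token lifetime and the user record layout are assumptions for illustration.

```python
"""Forgot-password flow following the cheat-sheet steps (added example, not OWASP's code)."""
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timedelta
from typing import Dict, Optional

TOKEN_LIFETIME = timedelta(minutes=15)   # assumed value


def sha256(data: str) -> bytes:
    return hashlib.sha256(data.encode()).digest()


class PasswordResetService:
    """users: username -> {"answer_hash": bytes, "password": (salt, digest), "session_generation": int}"""

    def __init__(self, users: Dict[str, dict]) -> None:
        self.users = users
        self.pending: Dict[bytes, tuple] = {}   # sha256(token) -> (username, expires_at)
        self.audit_log = []

    def request_reset(self, username: str, security_answer: str, now: datetime) -> Optional[str]:
        # Steps 1-2: gather identity data and verify the security question. The reply is the
        # same for an unknown user and for a wrong answer, so the endpoint reveals neither.
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(sha256(security_answer), user["answer_hash"]):
            self.audit_log.append(f"{now.isoformat()} RESET_REJECTED user={username}")
            return None
        token = secrets.token_urlsafe(32)   # Step 3: unguessable, time-limited, single-use token
        self.pending[sha256(token)] = (username, now + TOKEN_LIFETIME)   # only the hash is stored
        self.audit_log.append(f"{now.isoformat()} RESET_TOKEN_ISSUED user={username}")
        return token   # delivered out of band over a secure channel (e.g. e-mail over TLS)

    def redeem(self, token: str, new_password: str, now: datetime) -> bool:
        entry = self.pending.pop(sha256(token), None)   # pop: a token is usable at most once
        if entry is None:
            self.audit_log.append(f"{now.isoformat()} RESET_TOKEN_UNKNOWN")
            return False
        username, expires_at = entry
        if now > expires_at:
            self.audit_log.append(f"{now.isoformat()} RESET_TOKEN_EXPIRED user={username}")
            return False
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000)
        self.users[username]["password"] = (salt, digest)
        # Step 4: the change happens in the verified session; bumping the generation counter
        # invalidates every other session that was opened under the old password.
        self.users[username]["session_generation"] += 1
        self.audit_log.append(f"{now.isoformat()} PASSWORD_RESET user={username}")   # Step 5
        return True


def demo():
    # Constructed user record; "rex" is the stored security answer.
    users = {"bob": {"answer_hash": sha256("rex"), "password": None, "session_generation": 1}}
    svc = PasswordResetService(users)
    t0 = datetime(2025, 1, 1, 9, 0)
    results = {
        "wrong_answer": svc.request_reset("bob", "fido", t0),
        "unknown_user": svc.request_reset("carol", "rex", t0),
    }
    token = svc.request_reset("bob", "rex", t0)
    results["issued"] = token is not None
    results["bad_token"] = svc.redeem("not-the-token", "pw1", t0)
    results["first_use"] = svc.redeem(token, "pw1", t0 + timedelta(minutes=1))
    results["second_use"] = svc.redeem(token, "pw2", t0 + timedelta(minutes=2))
    late = svc.request_reset("bob", "rex", t0)
    results["expired"] = svc.redeem(late, "pw3", t0 + TOKEN_LIFETIME + timedelta(seconds=1))
    results["generation"] = users["bob"]["session_generation"]
    return results, svc.audit_log
```

Storing only the hash of the token means a leaked copy of the `pending` table cannot be used to reset anyone's password, and popping the entry before any other check guarantees single use even when the redeem attempt fails.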

OWASP’s Cheat Sheet Series


• There are 66 cheat sheets available (more to be added)
• They can help the software development team in various phases, including requirements


Security at Requirements Stage


• Risk assessment

SECURITY CONSIDERATIONS DURING SOFTWARE DESIGN STAGE

Security at Design Stage: Design Principles


• Securing the Weakest Link
• Defense in Depth
• Failing Securely
• Going Least Privilege
• Separation of Privilege
• Economy of Mechanism
• Least Common Mechanism
• Reluctance to Trust
• Complete Mediation
• Psychological Acceptability

Secure Design Principles


• Securing the Weakest Link
  - The total security of a system is equal to its weakest point!
  - Attackers are more likely to attack a weak spot in a software system than to penetrate a heavily fortified component

• Defense in Depth
  - Multilayered security approach
  - Geographical and technical diversity
  - For example, input validation at the front end, business logic, and back end.

Secure Design Principles


• Resiliency [or Failing Securely]
  - The application must not disclose any data if it fails
  - Fail safe vs. fail secure
  - No single point of failure
  - Examples:
    - Overly descriptive error messages should only be visible to developers
    - The application crashed and didn’t close the log files properly: what will happen?
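The two points above in code: an access decision that fails closed when the check itself breaks, and an error path that keeps the stack trace for developers (in the log, under a reference id) while the user sees only a generic message. This is an added example, not code from the slides; `is_authorized`, `safe_response` and the in-memory log sink standing in for a log file are illustrative names and assumptions.

```python
"""Failing securely: generic errors outward, details inward, deny on failure (added example)."""
import logging
import traceback
import uuid
from io import StringIO
from typing import Callable, Dict, Set

log_sink = StringIO()                              # constructed in-memory sink instead of a log file
log = logging.getLogger("app.failsafe")
log.setLevel(logging.ERROR)
log.propagate = False
log.addHandler(logging.StreamHandler(log_sink))


def is_authorized(principal: str, action: str, policy: Dict[str, Set[str]]) -> bool:
    """Fail closed: any error while deciding (unknown principal, broken policy) means deny."""
    try:
        return action in policy[principal]
    except Exception:
        log.error("authz error principal=%r action=%r\n%s", principal, action, traceback.format_exc())
        return False


def safe_response(handler: Callable, *args) -> dict:
    """Stack trace and internals go to the log under a reference id; the user only gets the id."""
    try:
        return {"status": 200, "body": handler(*args)}
    except Exception:
        ref = uuid.uuid4().hex[:8]
        log.error("ref=%s\n%s", ref, traceback.format_exc())
        return {"status": 500, "body": f"An error occurred. Reference: {ref}"}


def share_per_user(total: float, users: int) -> float:
    return total / users     # ZeroDivisionError: left unhandled it would show a Python traceback


def demo() -> dict:
    policy = {"alice": {"read"}}                               # constructed policy
    return {
        "alice_read": is_authorized("alice", "read", policy),
        "alice_write": is_authorized("alice", "write", policy),
        "mallory_read": is_authorized("mallory", "read", policy),   # KeyError -> deny
        "broken_policy": is_authorized("alice", "read", None),      # TypeError -> deny
        "ok": safe_response(share_per_user, 100.0, 4),
        "crash": safe_response(share_per_user, 100.0, 0),
        "log": log_sink.getvalue(),
    }
```

The reference id is the link between what the user reports and what the developer finds in the log, which is what lets the outward message stay free of implementation detail.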

Secure Design Principles


• Going Least Privilege
  - Role-based access control
  - When a specific action requires a subject’s access rights to be augmented, the extra rights should be relinquished immediately upon completion of the action
  - Zero trust model, need-to-know principle, run-time privileges


Secure Design Principles


• Separation of Privilege [or segregation of duties]
  - The system should not grant permission based upon a single condition. Sensitive operations should require the cooperation of more than one check.
  - Example: Split knowledge
    - An accountant initiates a large transaction which must then be approved by a manager. Neither of them can process the transaction alone!
  - Similarly, access to sensitive data/operations should require more than one check
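The accountant/manager example above, in code: processing a large transaction requires two independent conditions (an initiation by an accountant and an approval by a manager who is not the initiator), so no single person can push it through. This is an added example, not from the slides; the `Ledger` API, the two roles and the 10,000 approval threshold are assumptions for illustration.

```python
"""Separation of privilege: dual approval for large transactions (added example)."""
from typing import Dict, List

APPROVAL_THRESHOLD = 10_000   # assumed: transactions at or above this need a second person


class Ledger:
    def __init__(self, roles: Dict[str, str]) -> None:
        self.roles = roles                    # user -> "accountant" | "manager"
        self.transactions: Dict[int, dict] = {}
        self.processed: List[int] = []
        self.audit: List[str] = []

    def initiate(self, user: str, amount: int) -> int:
        if self.roles.get(user) != "accountant":
            raise PermissionError(f"{user} may not initiate transactions")
        tx_id = len(self.transactions) + 1
        self.transactions[tx_id] = {"by": user, "amount": amount, "approved_by": None}
        self.audit.append(f"INITIATE tx={tx_id} by={user} amount={amount}")
        return tx_id

    def approve(self, user: str, tx_id: int) -> bool:
        tx = self.transactions[tx_id]
        # Two independent conditions: the approver holds the manager role AND is not
        # the person who initiated the transaction (split knowledge).
        if self.roles.get(user) != "manager" or user == tx["by"]:
            self.audit.append(f"APPROVE_REJECTED tx={tx_id} by={user}")
            return False
        tx["approved_by"] = user
        self.audit.append(f"APPROVE tx={tx_id} by={user}")
        return True

    def process(self, tx_id: int) -> bool:
        tx = self.transactions[tx_id]
        if tx["amount"] >= APPROVAL_THRESHOLD and tx["approved_by"] is None:
            self.audit.append(f"PROCESS_BLOCKED tx={tx_id} reason=no_approval")
            return False
        self.processed.append(tx_id)
        self.audit.append(f"PROCESS tx={tx_id}")
        return True


def demo() -> dict:
    ledger = Ledger({"ann": "accountant", "mike": "manager"})   # constructed roles
    small = ledger.initiate("ann", 500)
    big = ledger.initiate("ann", 25_000)
    out = {
        "small_processed": ledger.process(small),     # below threshold: one check suffices
        "big_unapproved": ledger.process(big),        # blocked: the second condition is missing
        "self_approve": ledger.approve("ann", big),   # initiator cannot approve
    }
    try:
        ledger.initiate("mike", 100)                   # manager cannot initiate
        out["manager_initiates"] = "allowed"
    except PermissionError:
        out["manager_initiates"] = "denied"
    out["manager_approves"] = ledger.approve("mike", big)
    out["big_after_approval"] = ledger.process(big)
    out["processed"] = list(ledger.processed)
    return out
```

The `user == tx["by"]` test matters even with strict roles: it keeps the two-person rule intact if someone is ever given both roles.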


Secure Design Principles


• Economy of Mechanism
  - Always remember the inverse relation between security and accessibility
  - Security mechanisms should be as simple as possible
  - Examples: Single Sign-On (SSO), password vaults


Secure Design Principles


• Least Common Mechanism
  - Avoid the situation where errors of the mechanism while accessing one resource allow compromise of all resources accessible by the mechanism (avoid sharing!)
  - Separate machines, separate networks, and virtual machines can help fulfill this principle and avoid cross-contamination
  - Achieve isolation where possible; e.g., avoid a shared authentication key for more than one service.

Secure Design Principles


• Reluctance to Trust
  - Developers should assume that the environment in which their system resides is insecure
  - When building an application, software engineers should anticipate malformed input from unknown users. Even if users are known, they are susceptible to social engineering attacks, making them potential threats to a system.
  - For example, authentication is needed every time you access a sensitive resource.

Secure Design Principles


• Complete Mediation
  - All accesses to entities must be checked to ensure they are allowed (e.g., Reverse Proxy, explained later)
  - Fool-proof method to identify the source of every request
  [Figure: access to a controlled object passes through a security check before it reaches the controlled process]
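Complete mediation and the earlier "Going Least Privilege" slide fit together naturally: a reference monitor that every access to a controlled object passes through (no cached decisions), combined with a scoped grant of extra rights that is relinquished the moment the action completes, even if it raises. This is an added example, not from the slides; `ReferenceMonitor`, `ControlledObject` and `elevated` are illustrative names, and the policy is constructed.

```python
"""Complete mediation and least privilege: a reference monitor in front of every access (added example)."""
from contextlib import contextmanager
from typing import Dict, List, Set, Tuple


class ReferenceMonitor:
    """Every access to a controlled object goes through check(); nothing is cached."""

    def __init__(self, policy: Dict[str, Set[Tuple[str, str]]]) -> None:
        self.policy = policy              # subject -> set of (action, object) rights
        self.decisions: List[Tuple[str, str, str, bool]] = []   # audit trail of every decision

    def check(self, subject: str, action: str, obj: str) -> bool:
        allowed = (action, obj) in self.policy.get(subject, set())
        self.decisions.append((subject, action, obj, allowed))
        return allowed


class ControlledObject:
    """Holds the data; the only way in is through the monitor."""

    def __init__(self, monitor: ReferenceMonitor, name: str, data: str) -> None:
        self._monitor, self.name, self._data = monitor, name, data

    def read(self, subject: str) -> str:
        if not self._monitor.check(subject, "read", self.name):
            raise PermissionError(f"{subject} may not read {self.name}")
        return self._data

    def write(self, subject: str, data: str) -> None:
        if not self._monitor.check(subject, "write", self.name):
            raise PermissionError(f"{subject} may not write {self.name}")
        self._data = data


@contextmanager
def elevated(monitor: ReferenceMonitor, subject: str, rights: Set[Tuple[str, str]]):
    """Least privilege: grant extra rights for one action and drop them as soon as it
    finishes, including when the action raises."""
    granted = rights - monitor.policy.setdefault(subject, set())
    monitor.policy[subject] |= granted
    try:
        yield
    finally:
        monitor.policy[subject] -= granted


def demo() -> dict:
    monitor = ReferenceMonitor({"alice": {("read", "config")}})      # constructed policy
    config = ControlledObject(monitor, "config", "debug=false")
    out = {"read": config.read("alice")}
    try:
        config.write("alice", "debug=true")
        out["plain_write"] = "allowed"
    except PermissionError:
        out["plain_write"] = "denied"
    with elevated(monitor, "alice", {("write", "config")}):
        config.write("alice", "debug=true")            # allowed only inside the block
    out["elevated_write"] = config.read("alice")
    try:
        config.write("alice", "debug=false")
        out["after_write"] = "allowed"
    except PermissionError:
        out["after_write"] = "denied"                   # the extra right was relinquished
    out["decisions"] = len(monitor.decisions)           # one entry per access attempt
    out["rights_now"] = sorted(monitor.policy["alice"])
    return out
```

Because the monitor records every decision, the audit trail doubles as evidence that mediation is complete: the number of decisions equals the number of access attempts.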


Secure Design Principles


• Psychological Acceptability
  - Security mechanisms should not make the resource more difficult to access for legitimate users
  - Examples:
    - Password complexity
    - Passwordless authentication
    - Screen layouts
    - CAPTCHA


Other Design Considerations


• Use of a logging framework
  - Example: Log4J for the Java platform
  - What needs to be logged?
• Use of design patterns for security

Secure SDLC (Development phase expanded)

Phase          Activities
Development    Automated and manual code reviews; Secure development; Development environment; Secure coding practices; Secure coding standards

SECURITY CONSIDERATIONS DURING DEVELOPMENT STAGE

Fixing the problems at development stage


• IDE plug-ins for secure development
  - ReSharper for VS.NET
  - SpotBugs (or FindBugs) for Eclipse IDE
  - JDeodorant for flagging architectural level flaws

SpotBugs (previously known as FindBugs)

Secure Coding Practices


• OWASP’s checklist for secure coding

Secure Coding Practices


• OWASP’s secure coding practices are available for
  - Input validation
  - Output encoding
  - Authentication and password management
  - Session management
  - Access control
  - Cryptographic practices
  - Error handling and logging
  - and more…
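Input validation and output encoding from the list above, placed as the defense-in-depth slide earlier suggested: an allowlist check at the front end, a parameterized query at the data layer so the back end does not depend on the front end having done its job, and HTML encoding at output. This is an added example and not OWASP's code; the `users` table, the sample rows, the username allowlist and the probe string are constructed, and the concatenated query is shown only as the form the parameterized one replaces.

```python
"""Defense in depth in code: validate at the edge, parameterize at the data layer, encode at output (added example)."""
import html
import re
import sqlite3
from typing import List, Tuple

USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")   # allowlist: what a username may look like


def validate_username(value: str) -> bool:
    """Layer 1 (front end / controller): reject anything outside the allowlist."""
    return bool(USERNAME_RE.match(value))


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT, bio TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [      # constructed sample rows
        ("alice", "likes <b>bold</b> text"),
        ("bob", "<script>alert(1)</script>"),
    ])
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The form to replace: the name becomes part of the SQL text."""
    return conn.execute("SELECT name, bio FROM users WHERE name = '" + name + "'").fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Layer 2 (data access): the driver sends the value separately from the statement."""
    return conn.execute("SELECT name, bio FROM users WHERE name = ?", (name,)).fetchall()


def render_profile(name: str, bio: str) -> str:
    """Layer 3 (output): encode for the HTML context so stored data cannot become markup."""
    return f"<p>{html.escape(name)}: {html.escape(bio)}</p>"


def demo() -> dict:
    conn = make_db()
    probe = "' OR '1'='1"                                          # constructed input
    return {
        "validated": validate_username(probe),                     # False: layer 1 stops it
        "concatenated": len(lookup_concatenated(conn, probe)),     # 2: the whole table comes back
        "parameterized": len(lookup_parameterized(conn, probe)),   # 0: treated as a literal name
        "render": render_profile(*lookup_parameterized(conn, "bob")[0]),
    }
```

Each layer catches what the previous one might miss: a field that bypasses the controller still hits a parameterized query, and data that was stored before validation existed is still encoded on the way out.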

Secure Coding Standards


• SEI provides secure coding standards for
  - C,
  - C++,
  - Android,
  - Java, and
  - Perl

Secure Coding Standards

FIO04-J. Release resources when they are no longer needed
(Common violation in database connectivity)
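The violation FIO04-J describes, shown in Python with sqlite3 so it runs without a database server: the leaky version only closes the connection on the success path, so a failing query leaves it open, while `contextlib.closing` releases it on every path. This is an added example, not the SEI's or the slide author's code; the `TrackedConnection` wrapper and `leaked_after` exist only to make the leak countable.

```python
"""FIO04-J in Python terms: release the connection on every path (added example)."""
import sqlite3
from contextlib import closing
from typing import Callable, Set

OPEN_CONNECTIONS: Set["TrackedConnection"] = set()   # what a leak detector would watch


class TrackedConnection:
    """Thin wrapper so the example can count connections that were never closed."""

    def __init__(self) -> None:
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users(id INTEGER)")
        self.conn.execute("INSERT INTO users VALUES (1), (2), (3)")   # constructed rows
        OPEN_CONNECTIONS.add(self)

    def query(self, sql: str):
        return self.conn.execute(sql).fetchone()

    def close(self) -> None:
        self.conn.close()
        OPEN_CONNECTIONS.discard(self)


def count_users_leaky(sql: str) -> int:
    conn = TrackedConnection()
    row = conn.query(sql)     # if this raises, close() below never runs: the violation
    conn.close()
    return row[0]


def count_users_safe(sql: str) -> int:
    # contextlib.closing guarantees close() on success and on exception. Note that a
    # sqlite3.Connection used directly as a context manager only commits or rolls back;
    # it does not close the connection.
    with closing(TrackedConnection()) as conn:
        return conn.query(sql)[0]


def leaked_after(fn: Callable[[str], int], sql: str) -> int:
    """Runs fn, swallows the query error, and reports how many connections it left open."""
    OPEN_CONNECTIONS.clear()
    try:
        fn(sql)
    except sqlite3.OperationalError:
        pass
    return len(OPEN_CONNECTIONS)
```

The same shape applies to cursors, file handles and log files (the "crashed without closing the log" question on the Failing Securely slide): acquire in a `with`, or close in a `finally`, never only after the last statement that might fail.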

Conducting a Code Review


• Automated (static analysis) vs. manual code reviews

Integrating Static Analysis into the SDLC


• Commercial tools
- HP Fortify
- AppScan (previously owned by IBM)
- SonarQube

• Open-source tools
- SpotBugs (previously known as FindBugs)
- Many others

False positives and negatives

[Figure: the code repository contains vulnerabilities V1, V2, V3, V4, …, Vn. Static analysis reports V1, V3, V4, Vn and Vx. Vx, reported but not present in the code, is an example of a false positive; V2, present but not reported, is an example of a false negative.]
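The figure above, reproduced with a runnable toy rule so the two failure modes are concrete: a pattern that flags SQL built by string concatenation also fires on a log message (the false positive, Vx), and misses the same flaw written as an f-string (the false negative, V2). This is an added example, not from the slides; the snippets, their labels and the ground truth are constructed.

```python
"""A toy static-analysis rule with one false positive and one false negative (added example)."""
import re
from typing import Dict, Set

# Rule: flag a SQL string literal followed by "+". Deliberately simple so its blind spots show.
RULE = re.compile(r'"(SELECT|INSERT|UPDATE|DELETE)[^"]*"\s*\+')

# Constructed code snippets (the "repository"), keyed as in the figure.
SNIPPETS: Dict[str, str] = {
    "V1": 'stmt.execute("SELECT * FROM users WHERE name = \'" + name + "\'");',
    "V2": "cur.execute(f\"SELECT * FROM users WHERE name = '{name}'\")",   # f-string, same flaw
    "V3": 'db.query("DELETE FROM sessions WHERE id = " + sid);',
    "V4": 'cur.execute("SELECT id FROM users WHERE name = ?", (name,))',  # parameterized: safe
    "Vx": 'log.info("SELECT handler took " + str(ms) + " ms");',           # log text, not a query
}
TRUE_VULNS: Set[str] = {"V1", "V2", "V3"}   # ground truth from a manual review (constructed)


def scan(snippets: Dict[str, str]) -> Set[str]:
    """What the tool reports."""
    return {key for key, code in snippets.items() if RULE.search(code)}


def evaluate(reported: Set[str], truth: Set[str]) -> Dict[str, object]:
    """Compares the tool's report with ground truth, as the figure does."""
    tp = reported & truth
    return {
        "true_positives": sorted(tp),
        "false_positives": sorted(reported - truth),   # reported but not real
        "false_negatives": sorted(truth - reported),   # real but missed
        "precision": len(tp) / len(reported) if reported else 0.0,
        "recall": len(tp) / len(truth) if truth else 0.0,
    }
```

Precision is what the false-positive rate costs reviewers in triage time; recall is what the false negatives cost in missed defects, and it is the number a manual review has to make up for.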

SECURITY CONSIDERATIONS DURING TESTING STAGE

Security Testing
• Security test cases
• Abuse cases
- Document scenarios that must not occur
- Think like an attacker

Security Testing
• Security test cases
1. Check for SQL injection attacks.
2. Secure pages should use the HTTPS protocol.
3. Page crash should not reveal application or server info.
4. Escape special characters in the input.
5. Error messages should not reveal any sensitive information.
6. All credentials should be transferred over an encrypted channel.
7. Test password security and password policy enforcement.
8. Check application logout functionality.
9. Check for Brute Force Attacks.
10. Cookie information should be stored in encrypted format only.
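Test cases 2, 3, 5 and 10 from the list above written as automated checks that run over an HTTP response, in the spirit of the unit-testing point made later in the deck. This is an added example, not from the slides or the linked list; the two responses are constructed (one from a misconfigured server, one hardened), and the leak patterns are a starting set, not a complete one.

```python
"""Automated checks for test cases 2, 3, 5 and 10 over constructed HTTP responses (added example)."""
import re
from typing import Dict, List

# Signs that an error page or a header exposes implementation detail (test cases 3 and 5).
LEAK_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),          # Python stack trace
    re.compile(r"\bat [\w.$]+\([\w]+\.java:\d+\)"),               # Java stack frame
    re.compile(r"(Apache|nginx|Microsoft-IIS|Tomcat)/\d"),        # product with version number
    re.compile(r"(SQL syntax|ORA-\d{5}|SQLSTATE)"),               # database error text
]


def check_https(resp: Dict) -> List[str]:
    return [] if resp["url"].startswith("https://") else ["TC2: secure page served without HTTPS"]


def check_no_info_leak(resp: Dict) -> List[str]:
    findings = []
    texts = [resp["body"]] + [f"{k}: {v}" for k, v in resp["headers"].items()]
    for text in texts:
        for pat in LEAK_PATTERNS:
            if pat.search(text):
                findings.append(f"TC3/TC5: implementation detail exposed: {pat.pattern!r}")
                break
    return findings


def check_cookie_flags(resp: Dict) -> List[str]:
    findings = []
    for cookie in resp["headers"].get("Set-Cookie", []):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"TC10: cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"TC10: cookie {name} lacks HttpOnly")
    return findings


def run_checks(resp: Dict) -> List[str]:
    return check_https(resp) + check_no_info_leak(resp) + check_cookie_flags(resp)


# Constructed responses: Set-Cookie is kept as a list because it may appear more than once.
WEAK = {
    "url": "http://app.example/login",
    "headers": {"Server": "Apache/2.4.41 (Ubuntu)", "Set-Cookie": ["session=abc123; Path=/"]},
    "body": "<pre>Traceback (most recent call last):\n  File \"app.py\", line 12</pre>",
}
HARDENED = {
    "url": "https://app.example/login",
    "headers": {"Server": "Apache",
                "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]},
    "body": "<p>Something went wrong. Reference 4f2c9a1b.</p>",
}
```

Each check returns a list of findings rather than a boolean so the same functions can be wired into a test suite as assertions on an empty list or into a report that names every failing case.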

Comprehensive list available at https://www.softwaretestinghelp.com/sample-test-cases-testing-web-desktop-applications/

Security Testing
• Abuse cases
- examples

Hunting for Vulnerabilities


1. Reconnaissance
2. Build Vulnerability Hypothesis
   - (e.g., I got this form, I think I can inject code)
3. Test Hypothesis
4. Develop Exploit
5. Profit (bounty) / Protect the World

What is (manual) code review?


• A process of examining written code [by another programmer]
• Purpose: highlight mistakes
  - Bugs
  - Design flaws
  - Deviation from coding conventions, etc.
• Code review is conducted before the code becomes part of the product
• Should be conducted regularly

Code review workflow

Tools for efficient communication in manual code reviews
• ReviewBoard
  - Developed by MIT
  - Supported languages: Java, Python
  - www.reviewboard.org
• Short intro in the video below:
  - https://www.youtube.com/watch?v=YkoHgxOQtRI

Tools for efficient communication in manual code reviews (cont.)
• Upsource
• Supported languages: Java
• Commercial tool, developed by JetBrains
• https://www.jetbrains.com/upsource/

Security Testing
• Automated unit testing to save time and resources
  - e.g., JUnit for the Java platform
• OWASP’s Testing Guide v4.0
• Web Application Penetration Testing

Penetration Testing
• White box
• Grey box
• Black box

Phases:
- Footprinting
- Scanning
- Enumeration
- Gaining Access
- Escalating Privilege
- Pilfering
- Covering Tracks
- Creating Back Doors
- Denial of Service

SECURITY CONSIDERATIONS DURING DEPLOYMENT STAGE

Security during deployment stage


• Environment hardening
• Security policies
• Firewalls

Security during deployment stage


• Environment hardening
- Goal is to reduce attack surface
- Audit existing systems
- Create a strategy for hardening
- Patch vulnerabilities immediately

Security during deployment stage


• Benefits of environment hardening
- Enhanced system functionality
- Significantly improved security
- Simplified compliance and auditability

Security during deployment stage


• Environment hardening
- Network hardening
- Server hardening
- Application hardening
- Database hardening
- Operating system hardening

Security during deployment stage


• Environment hardening
- Network hardening
- Properly configure firewall and other devices
- Block unused ports
- Disable or remove unnecessary protocols and services
- Implement ACLs
- Encrypt traffic
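"Block unused ports" and "disable unnecessary services" from the list above only hold if something checks them after deployment. The following audit compares the sockets a host is listening on with an allowlist of expected port/address pairs, flagging both unexpected services and services bound more widely than intended. This is an added example, not from the slides; the `ss -tlnH`-style output, the allowlist and the port choices are constructed for illustration.

```python
"""Network hardening check: compare listening sockets with an allowlist (added example)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed `ss -tlnH`-style output: one line per listening TCP socket.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 100 0.0.0.0:21 0.0.0.0:*
LISTEN 0 128 [::]:8080 [::]:*
"""

# Policy (assumed for illustration): port -> addresses it may bind to. Anything else is a finding.
ALLOWED: Dict[int, Set[str]] = {
    22: {"0.0.0.0"},
    443: {"0.0.0.0", "[::]"},
    5432: {"127.0.0.1"},      # database must stay on loopback
}

LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+$")


def parse_listeners(text: str) -> List[Tuple[str, int]]:
    """Extracts (local address, port) pairs; unparseable lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            listeners.append((m.group("addr"), int(m.group("port"))))
    return listeners


def audit(listeners: List[Tuple[str, int]], allowed: Dict[int, Set[str]]) -> List[str]:
    findings = []
    for addr, port in listeners:
        if port not in allowed:
            findings.append(f"port {port} on {addr}: not in allowlist (close the service or firewall it)")
        elif addr not in allowed[port]:
            findings.append(f"port {port} bound to {addr}: expected one of {sorted(allowed[port])}")
    return findings


def demo() -> List[str]:
    return audit(parse_listeners(SAMPLE_SS_OUTPUT), ALLOWED)
```

Run against real output, the same two cases map directly to the slide's actions: an unlisted port means a service to disable or a firewall rule to add, and a wrong bind address means a service that should be reconfigured to listen on loopback only.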

Security during deployment stage


• A Web Application Firewall (or a reverse proxy) must be used to deploy the application.

Security during deployment stage


• Configure securely

SECURITY CONSIDERATIONS DURING OPERATIONS STAGE

Security during operations


• Compliance, e.g., PCI-DSS
• Regulatory requirements
• Anti-piracy
• Security assessment by 3rd party

Security during operations


• OWASP’s Application Security Verification Standard (ASVS)
• Provides three levels of verification
  - L1: An application achieves L1 if it defends against vulnerabilities that are easy to discover (applicable to all software applications)
  - L2: An application achieves L2 if it defends against most of the risks associated with software today (applicable to critical business applications)
  - L3: An application achieves L3 if it defends against advanced application security vulnerabilities (applicable to military, health and safety, critical infrastructure)

Security during operations


• Incident handling mechanism must be in place
• Acknowledge vulnerabilities and have a
mechanism to fix them in place (vulnerability
management)
• “Security through obscurity” does not work
