Feb 10, 2016
Security best practices can be the first thing to slip when your developer team is up against tight deadlines. By integrating security measures into each stage of the software development lifecycle (SDLC) your organisation will save time and money in the long run: it is 30x more expensive to fix a vulnerability during post-production than during the design, requirement identification and architecture stages.
Securing the Software Development Lifecycle
As you plan out the scope of your project, it’s important to keep in mind common threats and vulnerabilities that you may need to protect against during development. Resources like the OWASP Top 10 provide insight on the most critical web application security risks and will be useful to consult during your planning.
2) Requirements and Analysis
In this phase analysts consider the requirements and goals of the application, as well as possible problems. It is vital that you consider security during these early stages of the SDLC to guard against common vulnerabilities. By solving these vulnerabilities earlier in the development process you will save your team time and money compared with remedying them later.When you make decisions about the technology, frameworks and languages you will use you will be able to identify any particular vulnerabilities that your chosen technology is susceptible to, which will help you make informed security decisions during design and development.
3) Architecture and Design
Having identified particular vulnerabilities in your technology choices, you can follow specific architecture and design guidelines to combat those vulnerabilities. By addressing these vulnerabilities in the design stage, you prevent those vulnerabilities from making it into your software during development.You may find that your project managers and architects will benefit from role-specific security training on threat modelling and architecture risk analysis, which will improve security during this phase of the SDLC.
Most of the vulnerabilities that make it into finished applications can be detected and remediated early-on in the software development lifecycle. By ensuring that you adopt secure coding standards, you can defend against the most common, critical vulnerabilities (such as risks identified during the requirements and analysis stage, and by the OWASP Top 10).The development phase is when code reviews typically occur; as well as reviewing code to ensure it has the features and functions specified, developers should be trained to look for vulnerabilities in their code. Pair programming is particularly useful for securing the development stage of the SDLC as it creates an ongoing review process, rather than reviewing code at set intervals when vulnerabilities may be more ingrained in your code.
If you are aware of common vulnerabilities and security risks, during the testing phase you can ensure that specific tests are run to simulate those types of attacks.Testing tools can be programmed to look for clues in your code that point to vulnerabilities – things your developers may not have spotted during their code reviews. Static and dynamic testing tools can be huge assets in the fight for improved application security, but only if they’re used effectively. It’s essential to train your software engineers to use them properly – allowing them to weed out the false positives, and identify the real threats.
6) Deployment / Implementation
It’s vital that you remember that your testing environment is different to the real world: even after all your testing, unexpected errors or vulnerabilities can crop up during deployment that you hadn’t anticipated.One of the biggest risks is misconfiguration during deployment. To protect against this, you should have a dedicated member of staff overseeing deployment who is responsible for checking for any configuration errors to mitigate the risk.
Your software will require regular maintenance and updating, to keep up with changes to common technology, integrations with new tools, and emerging vulnerabilities. When you make any changes you will need to conduct ongoing code reviews to ensure that your changes haven’t introduced any new vulnerabilities to your code, and keep your software secure.Stop vulnerabilities at the source, and discover how to roll out an effective application security training program. Download your free whitepaper below.