AppSec 101: The Secure Software Development Life Cycle

Due to the growing demand for robust applications, the secure Software Development Life Cycle methodology is gaining momentum all over the world. Its effectiveness in combating vulnerabilities has made it mandatory in many organizations. The objective of this article is to introduce the reader to the basics of the secure Software Development Life Cycle (also known as the sSDLC).


Before we cover the various steps of development in the secure Software Development Life Cycle, it’s important to understand why an SDLC is needed in the first place. I will then present an overview of the secure Software Development Life Cycle and why it’s becoming so helpful in developing safe web and mobile applications.


This article is written keeping in mind CISOs, project managers, program managers, architects and developers interested in improving the security standards of the applications developed by their organizations. It is intended to be a starter for people who want to integrate security into their existing software development processes. First we’ll understand the various phases of the SDLC. Then we’ll look into the importance of having a secure SDLC.


A brief overview of the Software Development Life Cycle (SDLC)


The Software Development Life Cycle (SDLC) is the process followed to develop a software product. It is a structured way of building software applications. Most organizations have a process in place for developing software, and this development process is typically customized based on the organization’s requirements and frameworks.


Knowledge of the SDLC is essential for anyone who wants to understand what a secure Software Development Life Cycle is. The following are some of the major steps that are common throughout the SDLC process. Here is a graphic representation of a sample Software Development Life Cycle:


[Figure: Software Development Life Cycle]

Requirements Gathering – A Software Requirement Specification (SRS) is a document that records the expected behavior of the system or software to be developed.


Design – The software design is the blueprint of the system, which, once completed, is handed to developers for implementation. The components in the design are translated into software modules, functions, libraries, etc., and these pieces together form the software system.


Coding – Here the blueprint of the software is turned into reality by developing the source code of the entire application. The time taken to complete development depends on the size of the application and the number of programmers involved.


Testing – Once application development is complete, the application is tested for various issues such as functionality, performance, and so on. This is to ensure that the application performs as expected. Any issues found are fixed before or after going to production, depending on the nature of the issue and the urgency of going live.


Deployment – Once the application is ready to go live, it is deployed on a production server. If it was developed for a client, deployment happens on the client’s premises or in the data center where the client wants the application installed.


What is the secure Software Development Life Cycle (sSDLC)?


The secure Software Development Life Cycle stresses incorporating security into the Software Life Cycle (SLC). Every phase of the sSDLC will stress security – over and above the existing set of activities. Incorporating the secure Software Development Life Cycle into an organization’s framework has many benefits and helps ensure a secure product.


The Traditional Approach


Organizations traditionally perform security assessments of applications after they are developed and then fix the issues found. Common methods include Dynamic Application Security Testing (DAST) and penetration testing. Patching software in this way can help, but it is a costlier approach because the vulnerabilities are detected in the later stages of development.


This cycle of Testing – Patching – Re-testing runs through multiple iterations and can be avoided to a great extent by addressing issues earlier in the Software Life Cycle (SLC). Not only is the late-testing approach ineffective, it also consumes time and resources. This is where the sSDLC security approach brings the desired change.


The secure Software Development Life Cycle (sSDLC)


“Necessity is the mother of invention”, as the old saying goes. This applies to the sSDLC philosophy. There were days when organizations were interested only in developing applications and selling them to clients, while ignoring the rest of the complexities. But those times are long gone. The security threat landscape has changed drastically.


There are people out there whose only intention is to break into computer systems and networks to damage them, whether for fun or for profit. These range from novice hackers looking for a shortcut to fame to groups of malicious attackers who work silently on the wire. This cybercrime results in massive losses and extensive damage for the victims.


Attackers can break into an organization’s network through various routes, and one such route is the application host. If the applications are vulnerable, the consequences can be serious. Such incidents bring bad press and stock crashes, especially for financial organizations such as banks and brokers – that’s where the money is!


However, this does not eliminate the risk for non-financial organizations, as pretty much every avenue for generating money is targeted. Cyber-criminal gangs can siphon off money directly, and if that is not possible straight away, they even resort to threats and extortion. Every organization is afraid of bad press, as it can have a direct impact on the stock price, and extortion can sometimes lead organizations to cough up serious money to save themselves.


As is evident from the examples above, there are many possible scenarios. But one thing that undeniably happens is that cybercrime costs organizations a lot of money.


This is where the secure Software Development Life Cycle comes into the picture. While DAST and penetration testing help the cause, having a process like the sSDLC helps organizations address security issues in a much more cost-efficient manner. Identifying security issues earlier in the development life cycle reduces expenses significantly.


The secure Software Development Life Cycle explained


Now that we know what exactly a Software Development Life Cycle is, let’s explore the idea behind creating a secure Software Development Life Cycle. The sections above have touched on what it is and why it is required; however, they do not explain what is covered in each phase.


While this is by no means a full list of the activities that can be performed, the idea here is to familiarize the reader with the concept of having a secure Software Development Life Cycle. It should be noted that each organization calibrates its SDLC and sSDLC according to its needs; hence there is no silver-bullet solution here. That being said, let’s get into the details.


The following is a graphic representation of a sample secure Software Development Life Cycle Process:


[Figure: Secure Software Development Life Cycle]

Each phase of the sample secure Software Development Life Cycle (sSDLC) is mapped to security activities, as shown in the figure above and explained below:


Requirements: Security Requirements, Setting up Phase Gates, Risk Assessment.
Design: Identify Design Security Requirements, Architecture & Design Review, Threat Modeling.
Coding: Coding Best Practices, Performing Static Code Analysis (SCA).
Testing: Vulnerability Assessment, Fuzzing.
Deployment: Server Configuration Review, Network Configuration Review.


You may find certain activities, like Training, Incident Response, etc., missing. It all depends on the scope of the program and the aim with which it is implemented.


If the security implementation is being rolled out for the entire organization, having all of the activities makes sense. However, if only one department of the company is proactively interested in improving the security posture of its applications, many of these activities may not be relevant or needed. Hence, activities like Incident Response can be dropped in such cases.


Summing it up


Secure SDLC programs can have multiple stakeholders – some of them in senior management, and some at the ground level (developers). Communicating with these stakeholders is imperative for the success of the program. Stakeholders will differ from organization to organization based on the development approach each follows.


Developing supporting policies and procedures is also an integral part of the implementation process. To implement a secure Software Development Life Cycle, we may have to update some of the existing policies and procedures, and in certain cases we may also have to create new policies and procedures where they are missing.


Last but not least, the organization needs to measure the success of the implementation.


It’s necessary to understand the current state of the sSDLC program, and to re-evaluate and calibrate it as needed. Measuring the program’s success allows us to compare the current posture of the program with a benchmarked posture, and thus to determine the future course of action.


Some of the sections above are explained only briefly; they have been included for the sake of completeness.


About the author: Albert Fruz (@albertfruz) is a Security Researcher for the InfoSec Institute, an IT Security training company. His areas of interest lie in SIEM, malware analysis, investigating security incidents, ISO 27001 audits and the hardening of various devices.

Editor’s note: The opinions expressed in this article are solely those of the contributor, and do not necessarily reflect those of Checkmarx.

