Secure Development Life Cycle
Having a secure software development life cycle (SDLC) is crucial for organizations across all sectors, primarily because it produces products and applications that are secure by design. Following weak or no security practices in an organization's SDLC results in insecure and vulnerable code built on a relatively weak design and architecture.
An increased focus on application security makes business sense, not just by avoiding incident costs but also by enabling business value. It is well established that resolving vulnerabilities later in the SDLC leads to higher IT spend and a business value opportunity cost.
Organizations that follow a software development lifecycle without security as a core component face multiple challenges. Some quick facts:
- According to a security report from Microsoft, about 10% of vulnerabilities disclosed through October 2016 affected operating systems (OS) and the other 90% affected the application layer
- The 2016 IBM Internet Security Systems X-Force report found that only 11% of all vulnerabilities disclosed in 2008 belonged to the top five software vendors (Microsoft, Oracle, IBM, Apple, and Cisco)
- The National Institute of Standards and Technology (NIST) estimates that code fixes performed after release can cost 30 times as much as fixes performed during the design phase
- In 2016, the BFSI and e-commerce industries estimated the average cost of lost business per data breach for a company at $157, including lost business due to customer churn as a result of negative publicity
- NIST estimated that 92% of all security incidents are due to software issues
- Research by Cigital shows that the causes of application security vulnerabilities are almost evenly divided between coding bugs and design flaws
Figure 1: Secure Software Development Lifecycle
We have observed multiple instances in which an application is assessed or audited only after it is in production, in order to comply with national and state regulations and industry standards. By this time, the effort involved in patching the application and rewriting the code repositories (introducing multiple security elements) increases drastically and risks breaking the existing application stack.
A Software Development Life Cycle (SDLC) without any security consideration has:
- Requirements which lack adequate risk perceptiveness
- Business requirements missing information sensitivity knowledge
- A development team not equipped with the right security tools and training to protect against the risks the organization considers unacceptable
- Lack of comprehensive impact assessment for existing application security vulnerabilities
- Redundant security mitigation solutions across applications, while vulnerabilities may still remain uncontrolled
- Lack of adequate responsiveness to emerging internal and external threats
This immature software security state further leads to vulnerable applications, which may be exploited by malicious users.
Key characteristics of the WeSecureApp methodology include:
- A modular and risk-based approach, which targets the most critical needs in a cost-effective manner
- Addresses the entirety of the software development and acquisition process
- Integrates security as a critical component at appropriate phases of an organization’s SDLC
- Enhances software development and maintenance processes to provide realistic, consolidated identification and reporting of security vulnerabilities, together with optimized mitigation strategies
- Provides root cause analysis and remediation recommendations to the identified application security vulnerabilities
- Provides threat scenarios and impact assessments for the identified security vulnerabilities to enable businesses to prioritize their remediation
- Sustainable and repeatable, allowing organizations to carry improvements across to other development teams
Figure 2: WeSecureApp Secure Software Development Lifecycle with key activities
Embedding Security in SDLC
WeSecureApp ensures that the corresponding security processes start early, for example:
- Security requirements are defined along with business requirements (e.g., map how policy and regulatory requirements for access control and data protection will be satisfied).
- Security cost considerations are added to the business case.
- Security requirements are comprehensively built in and accounted for at the design stage.
- Milestones and gate reviews should include security requirements sign-offs by business and relevant risk and security team.
- Application security testing (vulnerability assessment and penetration testing) should be performed both before and after the production release.
- Final sign-off should include the security function.
For custom applications, we follow the approach of secure coding and testing during the development stage / sprints themselves, rather than waiting for, or relying on, post-production testing or patching.
WeSecureApp's view of an effective SSDLC (Secure Software Development Lifecycle)
What is SDL?
- Services that integrate security as a critical component at appropriate phases of an organization’s software and system development, integration and maintenance processes
- An implementation approach that enhances software development and maintenance processes to provide realistic, consolidated reporting of security vulnerabilities and optimized mitigation strategies
From a Process, Technology and People (PTP) perspective:
Effective Process Characteristics
- Integrates suitably to the organization’s Risk Management Program
- Provides impact analysis and risk measuring procedures for software security vulnerabilities
- Provides procedural enhancements for organizations to react adequately to the emerging internal and external threats
- A lifecycle-driven approach to consolidating and tracking vulnerabilities in new, proposed and implemented software solutions
- Provides procedures to enable development of a comprehensive mitigation plan
Effective Technology Characteristics
- Leverage appropriate toolkits, technologies and methodologies for security assessments on design, source code & software components
- Software vulnerabilities assessments customizable to organization’s changing technology landscape
- Capable of both automated and manual security assessments using black-box, grey-box and white-box approaches
- Includes a mechanism for gathering threat and vulnerability information relevant to the technologies used in software development
- Vulnerability tracking and mitigation strategy reporting follow a well-defined, consistent and comprehensive approach
Effective People Characteristics
- Appropriate application security awareness training across the development organization
- Independent self-assessment procedures at various software development and maintenance checkpoints
- Effective mechanism for communication and escalation of security issues
- Periodical physical space review procedures enabling discovery of potential information leakage
- Procedures to avoid single points of failure
Secure Development Life Cycle (SDL) integrates security as a critical component in appropriate phases of an organization’s systems development, integration, and maintenance processes. Typical SDL activities include application criticality assessment, software development process analysis, risk assessment, security standards definition, security goals definition, threat modeling, mitigation security controls evaluation, source code assessment, application penetration testing, functional constraints validation, and integration strategy.
Key Components to Secure SDLC
Secure Coding Guidelines
Provides technology-specific (JEE, WebLogic, Oracle/Sybase) guidelines that help the application development team understand:
- Application security concepts, coding principles & guidelines
- Common application vulnerabilities, their root causes, threats and countermeasures
- Leading practices in securing applications
- Incorporation of applicable regulations & standards mandating data and application security requirements
- Application security Tools/Techniques
- Secure Coding principles & Guidelines
- Compiler and environmental configuration guidelines
Secure Architecture Standards and Review
Secure architecture standards focus on designing securely from project initiation, to avoid design flaws that are difficult and expensive to correct later. The architecture review focuses on identifying potential weaknesses in the design. Areas covered in the Secure Architecture Standards and Review include:
- Authentication & Authorization
- Session management
- Secure communications
- Sensitive data management (Privacy of information)
- Parameter validation
- Configuration management
- Database access management
- Exception management
- Audit Log management
- Cache Management, Pooling, and Reuse
- System Calls
Secure Code Standards, Review and Testing
This component focuses on applying secure coding techniques throughout implementation and verifying them through review and testing. It includes:
- Automated review of source code using Static Code Analysis (SCA) tools, coupled with targeted manual code reviews
- Detection and remediation of coding bugs in the application
- Security testing integrated into all aspects of unit and functional testing
- Security specific testing by trained security professionals
- Identification of security vulnerabilities in COTS components associated with the application
- Threat Modeling
- Integrating Misuse and Abuse cases into Use Cases
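The following is an added example (not code from the original page or from WeSecureApp) of how a coding bug found in review and a misuse case derived from a use case can be turned into tests that run alongside the ordinary unit tests. The "before" lookup builds SQL by string formatting; the "after" lookup binds the value as a parameter. The users table, its rows and the abuse input are constructed for the example.

```python
import sqlite3

# Constructed sample data: a small users table for the demonstration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """'Before' code: the query is assembled by string formatting, so
    attacker-controlled input is parsed as SQL (injection flaw)."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_hardened(conn, username):
    """'After' code: a parameterized query. The input is bound as a value
    and can never change the structure of the statement."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Use case: "look up a user by name".
# Misuse case derived from it: a caller supplies a name crafted so that the
# WHERE clause becomes always-true and every row is returned.
ABUSE_INPUT = "x' OR '1'='1"


def use_case_returns_requested_user(lookup):
    """Functional test that both versions must pass."""
    conn = make_db()
    return lookup(conn, "bob") == [("bob", "user")]


def abuse_case_returns_no_foreign_rows(lookup):
    """Misuse-case test: no user is literally named ABUSE_INPUT, so a correct
    lookup returns nothing. Returns True if the lookup resists the injection."""
    conn = make_db()
    return len(lookup(conn, ABUSE_INPUT)) == 0
```

Running both tests against both versions shows the point of integrating security into unit testing: the functional test passes for each, and only the misuse-case test separates the vulnerable lookup (which returns all three rows) from the hardened one.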
Web-application Vulnerability testing
Consists of a controlled security test of the web application environment to identify potential external exposures, including web services. Web-application testing includes the following:
- Black-box (un-credentialed) and grey-box (credentialed) testing
- Insecure configuration Testing (e.g., missing patches, improper file or directory permissions, default accounts, excessive services, unnecessary coding files)
- Manipulation testing (e.g., Injection flaws, privilege escalation, insecure direct object reference, cross-site scripting, forceful browsing)
- Aggregation Testing (e.g., error messages, support data, legacy code, Developer comments)
- Iteration Testing (e.g., “brute force” techniques can be used for timing attacks or to bypass session/state management)
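As an added example (not part of the original page and not WeSecureApp's tooling), the block below shows two of the test types above run against a constructed in-memory application: a credentialed manipulation test for insecure direct object reference, where each of two users requests every known invoice id, and an aggregation test that probes error paths for leaked stack traces and developer comments. The application, its invoice records, user names and leak patterns are all assumptions made for the illustration.

```python
import re

# Constructed sample application state: two invoices owned by two users.
INVOICES = {
    101: {"owner": "alice", "amount": 120.0},
    102: {"owner": "bob", "amount": 75.5},
}


def handle_vulnerable(session_user, path):
    """'Before': checks only that a session exists, never that the caller
    owns the requested object, and leaks internals on error paths."""
    m = re.fullmatch(r"/invoices/(\d+)", path)
    if not m:
        # Developer comment left in a production error page (constructed).
        return 404, "<!-- TODO: remove legacy /admin/export before go-live --> Not found"
    inv = INVOICES.get(int(m.group(1)))
    if inv is None:
        # Unhandled exception rendered to the client (constructed).
        return 500, "Traceback (most recent call last): KeyError at /app/billing/views.py line 42"
    return 200, f"invoice owner={inv['owner']} amount={inv['amount']}"


def handle_hardened(session_user, path):
    """'After': object-level authorization and generic error responses."""
    m = re.fullmatch(r"/invoices/(\d+)", path)
    if not m:
        return 404, "Not found"
    inv = INVOICES.get(int(m.group(1)))
    if inv is None or inv["owner"] != session_user:
        return 404, "Not found"  # identical response for missing and foreign objects
    return 200, f"invoice owner={inv['owner']} amount={inv['amount']}"


# Patterns the aggregation test treats as information leakage (assumed set).
LEAK_PATTERNS = [
    r"Traceback \(most recent call last\)",
    r"<!--.*?(TODO|FIXME|legacy|password|admin).*?-->",
    r"\.py line \d+",
]


def idor_findings(handler):
    """Grey-box manipulation test: every credentialed user requests every
    known id; a 200 on an object the user does not own is a finding."""
    findings = []
    for user in ("alice", "bob"):
        for inv_id, inv in INVOICES.items():
            status, _ = handler(user, f"/invoices/{inv_id}")
            if status == 200 and inv["owner"] != user:
                findings.append((user, inv_id))
    return findings


def leak_findings(handler):
    """Aggregation test: drive the error paths and flag any response body
    that matches a leak pattern."""
    findings = []
    for path in ("/invoices/999", "/does-not-exist"):
        _, body = handler("alice", path)
        for pat in LEAK_PATTERNS:
            if re.search(pat, body, re.DOTALL):
                findings.append((path, pat))
    return findings
```

The same two probe functions run unchanged against the hardened handler and return no findings, which is the form a retest after remediation takes: the test cases written during the first assessment become the regression suite.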
We understand that many organizations have highly skilled developers who have not been shown how to align security practices with their development skills. WeSecureApp uses this opportunity to train developers and shape their thinking around the key security areas across application, infrastructure and middleware that they should consider before initiating and developing an application.
On an ongoing basis, alongside secure coding practices tailored to the industry, applications and business, we carry out comprehensive threat modelling to identify the key potential weak spots in the design, and through periodic secure code review and penetration testing we secure the application end to end.