Fix it before you find out it's broken: Integrating security into your SDLC


There is no doubt that static and dynamic security testing are an important part of securing your software, but equally important are the steps you take before you start testing your application. If you are responsible for application security in your organization, this blog post covers some basic steps you can implement in your Software Development Lifecycle (SDLC). Keep in mind that there is no one-size-fits-all solution to integrating security into software development; you may need to tweak some of these steps to match the maturity level of your organization's SDLC.

 

1. Get involved as early as possible.

 

Most of the application development in your organization is likely requested by a business unit or project team trying to solve a problem or meet specific business needs. Getting involved in these early discussions about ideas and concepts for applications is no easy feat, but it can have huge benefits for application security. Your involvement can help the business unit or product team understand what is required to secure their application(s). You benefit by knowing in advance which applications are in the development pipeline, being able to prioritize your involvement in those projects, and starting to gather the information you need to threat model each application.

 

2. Communicate the security requirements.

 

When the project team starts putting together the application requirements necessary to support the business unit's request, this is your opportunity to include security requirements. Security requirements (secure development guidelines) should tell the project team which security controls are needed to protect the application. Ideally, your organization has an Application Security Standard or Policy that includes secure development guidelines, states who is responsible for implementing them, and defines which vulnerabilities must be fixed before the application can be released. At a minimum, you should have a set of secure development guidelines that you communicate to the development team. Establishing security guidelines with the teams developing the application early on prevents costly and time-consuming rework down the road to fix vulnerabilities.

 

3. Review the Architecture (Threat Model if you have time).

 

No matter how mature your SDLC process is, someone (usually an architect or developer) will need to design the technical components of the application to fulfill the requirements. Setting up a review session to discuss the architecture of the application will improve your understanding of how the application works and help you refine the security requirements. You should also use these meetings to make sure that critical security mechanisms such as authentication, authorization, encryption, and access controls are included in the design. Architectural vulnerabilities are not only costly to fix but are also difficult to retrofit into your application once it is in production. Catching these vulnerabilities during the design process is much better than discovering architectural vulnerabilities after development is complete and you have started testing your application.

 

If you can integrate these three steps into your SDLC, you will improve the security of your applications and save your organization money, time, and frustration by being involved early.

About HP Fortify on Demand

HP Fortify on Demand is a cloud-based application security testing solution. We perform multiple types of manual and automated security testing, including web assessments, mobile application assessments, thick client testing, ERP testing, and more. We do this both statically and dynamically, both in the cloud and on premise.

Tags: infosec | SDLC