SSDLC (Secure Software Development Life Cycle)

Introduction:

The Secure Software Development Life Cycle (S-SDLC) methodology is the need of the hour for organizations to adopt, so that their software is secure and all security prerequisites are followed.

Given the growing number of attacks on software applications, development teams should adopt all security best practices to avoid data breaches and compromise of the software.

What is SSDLC (Secure Software Development Life Cycle): 

A Secure Software Development Life Cycle (SSDLC) refers to a systematic, standard security process model used by organizations to develop a secure application from inception to release. In other words, it can be described as a set of practices that add security to each phase of the standard SDLC, instead of focusing only on the functionality of the application.

S-SDLC helps developers know and understand the security best practices to be applied at each stage of the development life cycle.

Why Is a Secure SDLC Needed?

Integrating security into the entire SDLC enables organizations to deliver high-quality, highly secure products.

Embedding security reviews in all phases of the Software Development Life Cycle (SDLC) reduces or prevents the damage caused by cyber attacks, which in turn reduces the cost of repairing information security weaknesses. It also reduces the number of vulnerabilities, allows early detection of flaws, and raises awareness of security considerations among developers and stakeholders.

Before proceeding further, let’s have a look at SDLC.

Software Development Life Cycle (SDLC):

The Software Development Life Cycle (SDLC) is a framework methodology used by organizations that defines the process of developing a software application from initiation to deployment. Its phases include planning, creating, testing, releasing, and maintaining the software application. Different standard SDLC models, such as Waterfall, Agile, Spiral, Iterative and Prototype, are used by organizations depending on their requirements.

Now, let’s look deeper into the SSDLC.

Phases of the SSDLC: 

The Secure Software Development Lifecycle (SSDLC) is described in the following six phases:

1. Requirements

2. Planning and Design

3. Development

4. Testing / Pre-Development

5. Deployment

6. Sanitization and Disposal

Below is the graphical representation of the Secure SDLC phases:

Graphical Representation of SDLC Phases

1. Requirements: 

Business requirements are gathered, studied and analyzed in this phase. Prerequisites are discussed and collected so that work towards the end goal can begin.

A requirement specification document is prepared, which includes business requirements, functional requirements, client requirements, user requirements, the business design document and the business document.

To make sure the basic security measures are built into the software, security-related documents and guidelines should be reviewed during the requirements phase.

Security requirements such as checklists, secure coding standards and application security guidelines should be shared, and awareness sessions should be conducted for developers.

For example, below are the security requirements that can be shared with the application team.

  • Secure Development
    • The application should follow the Secure SDLC methodology and support all security activities.
    • Developers should maintain secure development environments.
    • Focus on the security of application containers.
  • Secure Coding Standards
    • Developers should follow secure coding standards to avoid vulnerabilities such as those in the OWASP Top 10 and the SANS Top 25 software errors.
    • Focus on API security.
  • Access Administration
    • Focus on security issues related to authentication and authorization.
  • Logging and Monitoring
    • The application must be able to integrate with logging and monitoring tools.
  • Secure Practices
    • Secure change control management
    • Code maintenance

2. Planning and Design: 

Based on the requirements, a proper analysis is carried out to assess feasibility, project timelines, technology selection, human resources, required software and hardware, etc.

A security team consisting of security architects, security officers and security testers should be formed to handle all security-related activities, with clear roles and responsibilities defined.

A security testing policy should be planned that defines what is to be tested, when it is tested, and which tools are required for the security testing.

During the design phase of the software application, consider all possible security design implementations.

The security team should carry out a detailed security risk assessment that identifies security flaws during design and prevents them from being carried into the next phase. This includes reviewing all design documents, system analysis and application architecture review, a privacy impact assessment, threat modeling, and documenting the security controls required for the application.

3. Development: 

During the development phase of the application, developers should use the Secure Code Analysis Assessment method to assess the different properties of the software. This method should be applied at every code check-in/build to scan the generated code for security threats.

Automated secure code scanning tools such as Fortify need to be integrated with the build template. Daily scans should be carried out on all the builds and should be examined by the security team for false positives in the generated report. Manual secure code review should also be performed.

4. Testing/Pre-Development: 

During the pre-development or testing phase of the application, DAST, SAST, Vulnerability Assessment & Penetration Testing (VAPT) on the application and network, MBSS (Minimum Baseline Security Standards) compliance checks, container security guideline checks and API security testing should be carried out to harden the code against security issues.

Various tools can be used, such as Burp Suite, HP WebInspect, Nmap, automated scanners, code scanners, VA scanners, PT tools, compliance scanners and Kali Linux, which help in the early detection of security findings in the testing phase.

  • Make sure that backend network security controls such as DMZ, network firewall, WAF and IDS/IPS are implemented and reviewed. These act as preventive controls and provide protection from network security threats.
  • Make sure that the application is integrated with SIEM and IDAM (if it is an internal application). SIEM acts as a detective control for monitoring security events; IDAM provides strong access controls.
  • All security findings are sufficiently remediated and managed, i.e. no critical, high or medium vulnerabilities remain open in SAST, DAST, VAPT, MBSS config, infra VAPT, API security or container config review. These assessments help mitigate all known security threats.
  • As part of BCP/DRP, all backup and restore mechanisms are in place. If a breach or disaster occurs, this helps restore operations as quickly as possible.

5. Deployment: 

Once the software application has gone through the quality assurance and testing phase, conduct a final security review or re-test, and integrate the other security systems such as SIEM, IAM, etc. After that, the product is ready to be deployed and released into production.

The application should first be deployed to a limited segment of the target market before being tested in the full real business environment.

6. Sanitization and Disposal: 

This stage is triggered when the application reaches its shutdown phase.

In this phase, a disposal plan, media sanitization and system closure should be implemented to sanitize, dispose of or archive the information related to the software application.

Security-related activities include long-term storage of cryptographic keys for encrypted data, archiving hard copies of federal information, reviewing legal documents, and finally sanitizing the media by destroying the data on the storage.

The KPIs and metrics below are useful as quantifiable measures of performance.

  • Number of total bugs opened vs. closed
  • Number of Critical and High severity bugs opened vs. closed
  • Reduction in failed security tests
  • Reduction in security tickets
  • Reduction in security-failed builds
  • Minimized time to deploy
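As an added example (not part of the original article), the Python below ties together two points from this page: the testing-phase condition that no critical, high or medium findings remain open across SAST, DAST, VAPT and the other assessments, implemented as a build gate that ignores findings the security team has triaged as false positives, and the opened-vs-closed KPIs listed above. The Finding structure, severity names and sample findings are constructed for illustration and are not the schema of any particular scanner.

```python
from collections import Counter
from dataclasses import dataclass

# Severity ordering used by the gate; an assumption, not a scanner's schema.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

@dataclass(frozen=True)
class Finding:
    finding_id: str
    source: str                   # e.g. SAST, DAST, VAPT, MBSS, API, Container
    severity: str                 # a key of SEVERITY_RANK
    status: str                   # "open" or "closed"
    false_positive: bool = False  # set by the security team during triage

# Constructed sample findings for illustration (not real scan output).
SAMPLE_FINDINGS = [
    Finding("F-1", "SAST", "critical", "closed"),
    Finding("F-2", "SAST", "high", "open", false_positive=True),
    Finding("F-3", "DAST", "medium", "open"),
    Finding("F-4", "VAPT", "low", "open"),
    Finding("F-5", "MBSS", "high", "closed"),
    Finding("F-6", "API", "critical", "open"),
]

def blocking_findings(findings, min_severity="medium"):
    """Open findings at or above min_severity not triaged as false positives."""
    floor = SEVERITY_RANK[min_severity]
    return [f for f in findings
            if f.status == "open"
            and not f.false_positive
            and SEVERITY_RANK[f.severity] >= floor]

def gate_passes(findings, min_severity="medium"):
    """Build gate: True only when nothing at or above min_severity is still open."""
    return not blocking_findings(findings, min_severity)

def kpi_summary(findings):
    """Opened-vs-closed counts, overall and for Critical/High severity (page KPIs)."""
    total = Counter(f.status for f in findings)
    crit_high = Counter(f.status for f in findings
                        if f.severity in ("critical", "high"))
    return {"total_open": total["open"], "total_closed": total["closed"],
            "crit_high_open": crit_high["open"],
            "crit_high_closed": crit_high["closed"]}

if __name__ == "__main__":
    print(kpi_summary(SAMPLE_FINDINGS))
    print("blocking:", [f.finding_id for f in blocking_findings(SAMPLE_FINDINGS)])
    raise SystemExit(0 if gate_passes(SAMPLE_FINDINGS) else 1)  # non-zero fails the build
```

Run on the sample data the gate exits non-zero because F-3 (medium) and F-6 (critical) are still open, while F-2 is excluded as a triaged false positive; wiring the exit code into the build pipeline is what turns the testing-phase checklist item into a "security-failed build" KPI.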

The following documents are to be maintained by the Application Security division.

  • S-SDLC framework
  • Application Security guidelines
  • Application security checklist
  • Application Security policy
  • Web application Security policy
  • Vulnerability management policy
  • DevSecOps framework
  • Threat Modeling framework
