Understand & Integrate Security in the Software Development Life Cycle (SDLC)
SDLC of course sometimes called software development methodology (SDM) also. Anyway, SDLC refers to all the steps required to develop software and systems from conception through implementation, support, and (ultimately) retirement. These days, one of the most important aspects of cyber security is integrate security in the software development life cycle (SDLC). We know that Software development is a part of the systems development life cycle.
Within the development phase, there are many stages and processes. In software development, secure processes are required during the development phase to produce secure software. So, security during development phases is necessary for overall security.
Development Methodologies
There are many different development methodologies that as part of the development lifecycle. Each model has its own characteristics, pros and cons, SDLC phases, and best use-case scenarios.
Security-centric development models are models that include security issues in all phases.
Let’s take a look at some of these methodologies:
Waterfall
- Linear sequential lifecycle
- Each phase is completed before continuing
- Lacks a formal way to make changes during a cycle
- The project is completed before collecting feedback and starting again
Incremental
- Uses multiple cycles for development like multiple waterfalls
- The entire process can restart at any time as a different phase
- Easy to introduce new requirements
- Delivers incremental updates to the software
Prototyping
Three main models:
- Rapid prototyping uses a quick sample to test the current project
- Evolutionary prototyping uses incremental improvements to design
- Operational prototypes provide incremental improvements but are intended to be used in production
V-shaped
- Based on the waterfall model
- Each phase is complete before continuing
- Allows for verification and validation after each phase
- Does not contain a risk analysis phase
Build and Fix
- Lacks architecture design
- Problems are fixed as they occur
- Lacks a formal feedback cycle
- Reactive instead of proactive
Agile
- Umbrella term for multiple methods
- Highlights efficiency and iterative development
- User status describe what a user does and why
- Prototypes are filtered down to individual features
Spiral
- Continual approach to development
- Performs risk analysis during development
- Future information and requirements are guided into the risk analysis
- Allows for testing early in development
Rapid Application Development
- Uses rapid prototyping
- Designed for quick development
- Analysis and design are quickly demonstrated
Testing and requirements are often revisited
Maturity Models
Organizations that need to understand the quality of their software and systems development processes and practices can benchmark their SDLC by measuring its maturity. There are models available for measuring software and systems development maturity, including:
Capability Maturity Model (CMM)
This model is far the most popular model for measuring software development maturity. The Software Capability Maturity Model (CMM) is a maturity framework for evaluating and improving the software development process. The purpose of CMM is to develop a methodical framework for creating quality software that lets measurable and repeatable results. The CMM describes the principles and practices underlying software process maturity.
There are five maturity levels of the CMM:
- Level 1(Initial): Processes are chaotic and unpredictable, poorly controlled, and reactive
- Level 2(Repeatable): A formal structure provides change control, quality assurance, and testing.
- Level 3 (Defined): Processes and procedures are designed and followed during the project.
- Level 4 (Managed): Processes are characterized for projects, but are still reactive.
- Level 5 (Optimizing): There is a model of continuous improvement for the development cycle.
Software Assurance Maturity Model (SAMM)
This model is an open framework that is geared towards organizations that want to ensure that development projects include security features.
Building Security In Maturity Model (BSIMM)
This model is used to measure the extent to which security is included in software development processes. This model has four areas:
- Governance
- Intelligence
- Secure Software Development Lifecycle (SSDL) Touchpoints
- Deployment
Agile Maturity Model (AMM)
This model is a software process improvement framework for organizations that use Agile software development processes.
Operation and Maintenance
After the development, testing and releasing of product, the next step of the process is to provide operational support and maintenance of the released product.
This phase can include resolving unexpected problems or developing new features to address new requirements.
Change Management
One of the key processes on which to focus for improvement is change management. Change management is discussed in greater detail in Security Operations domain.
This type of management actually is the formal business process that ensures all changes made to a system receive formal review and approval from all stakeholders before implementation.
The change management process has three basic components:
- Request Control: This component offers an organized framework in which users can request modifications, managers can conduct cost/benefit analysis, and developers can prioritize activities.
- Change Control: This process is used by developers to regenerate the situation encountered by the user and analyze the appropriate changes to fix the situation.
- Release Control: Once the changes are settled, they must be approved for release through the release control procedure. A crucial step of the release control process is to ensure that any code which is inserted as a programming aid during the change process such as debugging code and backdoors is removed before releasing the new software to production.