What Is Secure Software Development Lifecycle (Secure SDLC)?
The software development lifecycle (SDLC) is a process for planning, implementing and maintaining software systems that has been around in one form or another for the better part of the last 60 years, but despite its age (or possibly because of it), security is often left out of the SDLC. In the current era of data breaches, ransomware and other cyberthreats, security can no longer be an afterthought.
Despite the perceived overhead that security efforts add to the SDLC, the reality is that the impact from a breach is far more devastating than the effort of getting it right the first time around. But, how do we add security to the already complex business of building software? Like most things, all it takes is strategically introducing best practices to make it part of the development process rather than a bottleneck within it.
Examples of Software Security Efforts
Before we get into how to incorporate security into the SDLC itself, it’s important to understand the types of activities that fall under the umbrella of “security” within a software organization. Here are just a few practices many organizations may already be implementing (or planning to implement) in some form or another. Keep in mind, this list is not exhaustive but is meant to illustrate the types of activities that can be employed to improve software security.
Static analysis is the process of automatically scanning source code for defects and vulnerabilities. This is generally an automated process that identifies known patterns of insecure code within a software project, such as infrastructure as code (IaC) and application code, giving development teams an opportunity to fix issues long before they ever get exposed to an end user.
Similar to static analysis, security scanning is a generally automated process that scans an entire application and its underlying infrastructure for vulnerabilities and misconfigurations. This can be introduced in the form of cross-site scripting analysis, port scanning or container vulnerability scanning (to name a few).
While automated scanning is useful, it’s always beneficial to get a second set of human eyes on any code before releasing it into a production environment. Most development teams already implement code reviews to help catch defects and other logical errors, but with the right security mindset in place, code reviews can provide helpful oversight to ensure less common vulnerabilities don’t get introduced into the codebase as well.
A much more intensive practice, penetration testing involves hiring a cybersecurity professional to test the security of a company’s production infrastructure. A penetration tester may do everything from vulnerability analysis to actual exploit execution, and the process will result in a clear report of the different issues that slipped through any security testing checkpoints.
A newer practice that is similar to (but not the same as) penetration testing, bug bounties encourage users to report vulnerabilities they find themselves (for a reward, of course). Bug bounties are a great way to encourage people to report security issues they find to you rather than exploit them for their own personal gain.
Never underestimate the power of a good education. The world of cybersecurity is always changing, and much of the advice and knowledge that was useful a decade ago no longer applies, just like what we know today will likely not be very valuable a decade from now. Security training can go a long way toward mitigating vulnerabilities at the most common source: human error.
The (Secure) Software Development Lifecycle
Integrating security into the software development lifecycle should look like weaving rather than stacking. There is no “security phase,” but rather a set of best practices and tools that can (and should) be included within the existing phases of the SDLC. From including stakeholders on the security team to using automated tools and promoting education, treating security as an evolution of the process and not just another item to check off the to-do list will make it more sustainable and (more importantly) valuable.
The first phase of the SDLC involves defining exactly what the problem is, what the security requirements are, and also what the definition of “done” looks like. This is the point where all bug reports, feature requests and vulnerability disclosures transition from a ticket to a project. In the context of a secure SDLC, the biggest challenge here is going to be prioritization. Including members of the security organization in the grooming process will ensure there is enough context to gauge the security impact of every new feature or fix that enters into the SDLC.
After identifying the problem, we need to determine what the solution is. This is where we decide what we are going to build. As in the requirements phase, the planning phase should involve input and feedback from the security team to ensure the solution being proposed solves the problem in a way that is as secure as it is valuable to the customer.
With our security requirements in place, it’s now time to determine how we will achieve the designated solution within our application. From a software architecture standpoint, this generally involves designing the solution from end to end. What systems will be affected? Which services will be created or modified? How will users interact with this feature? Just as any design should be reviewed and approved by other members of the engineering team, it should also be reviewed by the security team so that potential vulnerabilities can be identified. For these first three phases, communication is key; otherwise, you run the risk of identifying security issues far too late in the process.
Now it’s time to build the thing. This is where the design gets turned into code and where some of the security practices mentioned above will start to come into play. Static analysis is an easy and cheap solution that can be run on every commit or push, giving development teams near-real-time feedback about the state of the code they are writing.
Once the code is complete and the code review process is triggered, a well-trained team should be on the lookout for both logical issues and potential security problems. Much like product quality, security in a healthy organization is the responsibility of every team member, not just those in the security organization.
- Testing & Deployment
After the code has been written and subsequently reviewed, it’s time to really test it out and then release it into the world. This is where more robust security scanning tools will come into play, allowing for a more in-depth analysis of the security of the application. Depending on the size of the feature and the resources available, this is also a good place to implement manual security testing. As vulnerabilities are found in this way, solutions can be built into existing automated tools to protect against regressions in the future.
Releasing code into the wild is not a “set it and forget it” activity. It needs to be nurtured and cared for if you want to keep it working in tip-top shape. Resources change, bugs happen, and vulnerabilities are discovered every day. While the maintenance phase is generally used to identify and remediate defects in the code, it is also the point at which vulnerabilities will be discovered.
It’s important not to fool yourself into thinking that secure code will always stay secure. From supply chain risks to zero-day exploits, the security landscape is an ever-changing one, and having a process in place to identify and respond to problems as they arise is a critical step when implementing a secure SDLC.
- GoTo 1
Remember, the secure SDLC is a circle, not a line. Once you reach the end, you get to start all over again. Every bug, improvement or vulnerability identified in the testing and maintenance phases will kick off its own requirements phase. Secure software development, as a practice, is a constant cycle of continuous improvement.
Conclusion: Taking Things Further
While there are countless different ways to integrate security into the SDLC that your organization is already following, there are a number of robust specifications that can take your secure SDLC efforts to the next level. As you start to weave security into your own software development process, the resources that follow are great places to look for inspiration and guidance.
The OWASP Software Assurance Maturity Model (SAMM) is the successor to the original OWASP Comprehensive, Lightweight Application Security Process (CLASP). It is a robust model that provides clear guidance for integrating security practices into the software development process, with an emphasis on tailoring security efforts to the appropriate risk profile for an organization.
The NIST Secure Software Development Framework (SSDF) is a set of fundamental secure software development practices based on established best practices from security-minded organizations (including OWASP). It breaks the SDLC into the following four categories, each aimed at improving an organization’s software security posture:
- Prepare the organization: Ensure the people, processes and technologies are prepared to perform secure software development at the organizational level and within individual development teams or projects.
- Protect the software: Protect all components of the software from tampering and unauthorized access.
- Produce well-secured software: Produce well-secured software with minimal security vulnerabilities in its releases.
- Respond to vulnerabilities: Identify residual vulnerabilities in software releases and respond appropriately to address those vulnerabilities and prevent similar vulnerabilities from occurring in the future.