Intro to Security in SDLC
- 4. GENERIC APPROACH FOR SECURITY
Secure SDLC
Proactive Approach
security
requirements /
risk and threat
analysis
Design
coding guidelines
/code reviews/
static analysis
Build
Reactive Approach
security testing /
dynamic analysis
vulnerability
scanning / WAF
Test
Production
- 5. SECURE SDLC
Governance
Definition
Risk
Assessment
Review
Penetration
Testing
Security Awareness Trainings
Security
Review
Incident
Response Plan
Response
Code Analysis
Security
Testing
Release
Secure
Architecture
Code Reviews
Verification
Compliance
Analysis
Risk
Assessment
Implementation
Security
Requirements
Design
Requirements
Ensure the Best Practices are integral to the
development program and applied over the
lifecycle of the Application
Incident
Forensics
Security
Monitoring
- 7. PRIMARY BENEFITS
Minimize the costs of the Security related issues
Avoid repetitive security issues
Avoid inconsistent level of the security
Determine activities that pay back faster during
current state of the project
- 8. ORGANIZATION CHALLENGES
An organization’s behavior
changes slowly over time
There is no single recipe
that works for all
organizations
• Changes must be iterative while
working toward long-term goals
• A solution must enable riskbased choices tailored to the
organization
Guidance related to
security activities must be
prescriptive
Overall, must be simple,
well-defined, and
measurable
• A solution must provide enough
details for non-security-people
• Understandable measurement
can be used
8
- 13. ITERATION BASED TEST ONLY APPROACH
• After the backlog of security related
items has been reviewed and
evaluated by Development
Management, a 2-week
Development cycle (iteration) will
address
the highest ranked items
• Upon delivery of completed code,
security
testing is performed both manually
and
using automated testing tools
• Results from manual and automated
scans end up in the same backlog
repository, to be reviewed and
prioritized by Development
Management
- 14. HOW TO GET STARTED
Discovery
Analyze
Current
Practices
Define Goals
Define
Roadmap
Execute
/Oversee
/Adjust
- 17. SOLUTION
Issues Root Cause Analysis
• Tactical Goals: address existing local finding (tool generated)
• Strategic Goals: address security design flaws, prevent issues
reappear in the future
Solution for the Strategic Goals
• Team structure to Addressing and Remediation teams,
achieving Tactical and Strategic Goals correspondingly
• Prioritized roadmap for the Remediation Team
• Security Risk Assessment
• Security Architecture Analysis
• Security Awareness Trainings for the Team
• Roadmap for the Secure SDLC practices adoption
- 18. SOLUTION
Phase 1: 1 – 2 Month
Governance
Definition
Risk
Assessment
Review
Penetration
Testing
Security Awareness Trainings
Security
Review
Incident
Response
Plan
Response
Code
Analysis
Security
Testing
Release
Secure
Architecture
Code
Reviews
Verification
Compliance
Analysis
Risk
Assessment
Implementation
Security
Requirements
FTE Security Analyst
Design
Requirements
Team:
Incident
Forensics
Security
Monitoring
- 19. SOLUTION
Phase 2: 2 – 3 Month
Governance
Definition
Risk
Assessment
Review
Penetration
Testing
Security Awareness Trainings
Security
Review
Incident
Response
Plan
Response
Code
Analysis
Security
Testing
Release
Secure
Architecture
Code
Reviews
Verification
Compliance
Analysis
Risk
Assessment
Implementation
Security
Requirements
Part Time Security Analyst
Design
Requirements
Team:
Incident
Forensics
Security
Monitoring
- 20. VALUE
Approach addressing both Tactical and Strategic Goals
Decrease number of the Security issues on Project
Minimize potential Security issues that might be introduced in the future
Improve Security Expertise/Practices for current Team
Experience Sharing with Client Security Program
POC Remediation Approach for other Products in Client Portfolio
Editor's Notes
- Case of the Security Program Building, Security Remediation Project. Key Challenge is Optimization and prioritizationof the efforts All these activities need to be done by right people, Security Engineer vs. Software Engineer vs. Quality Engineer mindset is different.
- SDLC applicability to the Project Roles. Ownership and contribution
- Presenter for this slide: Jimmy Nix