Not long ago, the only thing that mattered in software development was that functional software shipped within the stipulated time. There was little emphasis on software security.
Software applications were checked for security flaws only in the testing stage, just before being deployed to production.
However, the increasing sophistication of the attack methods used by hackers over the years has rendered this old way of developing software inadequate. It is no longer viable. Did you know that there is a cyber attack happening every 39 seconds?
This has forced developers and companies to re-evaluate how they approach software security, and the answer has been to implement the Secure Software Development Lifecycle (S-SDLC).
What is the Secure Software Development Lifecycle (S-SDLC)?
S-SDLC is a new approach to the existing software development framework in which security is integrated into every stage of the software development life cycle, from the requirements gathering stage through to the deployment and maintenance of the application.
The new method comes with several advantages over the traditional one.
Major Benefits of Using the Secure Software Development Life Cycle
- It produces more secure software – That’s the whole point of it, right? In the S-SDLC, security measures are taken at every development stage, which helps identify and close vulnerabilities that might have been missed if the software were only tested for flaws once.
- Cost reduction – According to the Systems Sciences Institute at IBM, it’s 6x more costly to fix a security flaw discovered during software implementation than one identified during design. This makes sense, because a flaw found that late will need major rewrites of already completed code.
- Helps developers stick to release deadlines – The problem with looking for vulnerabilities only in the testing stage is that you never know what you will find. If it’s a major flaw that demands you change the existing code, that could interfere with the set release deadline. With S-SDLC, however, security has already been addressed before you reach the testing stage.
- Everybody is involved in application security – The task of securing the software does not fall on the developer alone but on everyone invested in the software.
The 6 Main Stages of Secure Software Development Life Cycle
On the surface, there is no difference between S-SDLC and the traditional SDLC. Both follow the same basic steps. These are:
- Requirements gathering
- Design and architecture
- Test planning
- Coding
- Testing
- Deployment and maintenance
These are the same basic steps you will find in almost every other software development method including the iterative and the more recent agile software development model. The steps are derived from the waterfall model which was among the earliest software development models.
The difference comes in the activities that happen at every stage.
We are now going to take a deeper look into the S-SDLC methodology, but the truth is that we can’t exhaustively cover the activities at every stage. This is because software development is a dynamic process that differs with every organization and with the particular software being developed.
1. Requirements gathering
This is one of the most critical stages of the software development life cycle. It lays a foundation upon which the software is built. The senior engineers, representatives from various company departments, domain experts, and all stakeholders collaborate to come up with the terms of the project.
In this stage, the labor and material costs for the project are decided as well as the timetable for completion. Other activities in this stage include defining the scope and expected behavior of the software based on the feedback from customers, surveys, developers, sales reps, and all other stakeholders.
And then to integrate security into the process, the involved parties have to perform a risk assessment and come up with the security requirements for the software.
For instance, they need to outline the type of cryptography to use to protect the application’s user data.
2. Design and Architecture
This stage involves transforming the gathered requirements into a blueprint that developers can follow during the development phase. The standard process is that the architect comes up with different models which will then be reviewed by the stakeholders to determine the most viable.
But, with S-SDLC this is not where it ends. The architect also needs to review the design to identify vulnerable points that hackers could exploit.
For example, if the software requires that users log in to access information, the design has to include a provision that checks whether the user holds a valid session token before they can access any data.
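As an added example (not code from the original post), here is what that design provision can look like once it reaches the code: every data-returning handler first validates the session token, and only then checks that the caller is allowed to see the requested record. The in-memory session store, the `get_profile` handler and the sample user data are all constructed for this illustration; a real application would use its framework’s session mechanism and a persistent store.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

SESSION_TTL_SECONDS = 15 * 60

# Constructed in-memory session store: sha256(token) -> (user_id, expiry).
# Only the digest is stored, so a leaked store does not yield usable tokens.
_sessions: Dict[str, Tuple[str, float]] = {}

# Constructed sample data that the handler protects.
_USER_DATA = {"alice": {"email": "alice@example.invalid"}}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def create_session(user_id: str, now: Optional[float] = None) -> str:
    """Issue a fresh random token for user_id and record when it expires."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits of randomness, unguessable
    _sessions[_digest(token)] = (user_id, now + SESSION_TTL_SECONDS)
    return token


def validate_session(token: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Return the user id bound to a valid, unexpired token, otherwise None."""
    if not token:
        return None
    now = time.time() if now is None else now
    entry = _sessions.get(_digest(token))
    if entry is None:
        return None                            # unknown or forged token
    user_id, expiry = entry
    if now >= expiry:
        del _sessions[_digest(token)]          # expired: drop it so it cannot be reused
        return None
    return user_id


def get_profile(token: Optional[str], requested_user: str,
                now: Optional[float] = None) -> Tuple[int, dict]:
    """Hypothetical data handler: the session check happens before any data is touched."""
    user_id = validate_session(token, now)
    if user_id is None:
        return 401, {"error": "authentication required"}
    if user_id != requested_user:
        return 403, {"error": "forbidden"}     # authenticated, but not this user's record
    return 200, _USER_DATA[requested_user]


if __name__ == "__main__":
    t = create_session("alice")
    print(get_profile(t, "alice"))             # 200 with the profile
    print(get_profile(None, "alice"))          # 401: no token at all
    print(get_profile("not-a-real-token", "alice"))  # 401: forged token
```

The point of the design review is that this check is a property of the architecture, not something each developer remembers to add: the handler cannot reach `_USER_DATA` without passing through `validate_session` first.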
3. Test Planning
This is the stage where the developer defines the requirements needed to implement software testing such as the testing strategy, the test environment, frequency of tests, and resources needed.
The developer also has to factor in possible hurdles to the testing process.
4. Coding
This is the stage where the programming of the application begins. In alignment with the S-SDLC model, the developer has to make sure that they follow the coding best practices set by the organization and the program-specific tooling.
If the developer is modifying third-party components rather than writing the code from scratch, they need to check these components for known vulnerabilities.
An example of a secure coding guideline to follow is to use parameterized SQL queries to protect the software against SQL injection.
5. Testing
This is the stage where developers test the application to make sure it performs as required before putting it into production. In alignment with the S-SDLC, the developer also has to test the application for security vulnerabilities.
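As an added example that serves both the coding guideline above (parameterized queries) and the testing stage, here is a string-built lookup next to its parameterized form, plus a small security check of the kind that belongs in the test suite: it feeds a few constructed hostile and awkward inputs to each lookup and reports how many rows come back. This is illustration code, not from the original post; the `users` table, the sample rows and the `security_check` helper are all constructed for it, using Python’s built-in sqlite3 driver.

```python
import sqlite3
from typing import Callable, Dict, List, Tuple, Union

# Constructed sample data for the demonstration.
_SAMPLE_ROWS = [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with a two-row users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", _SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    # Vulnerable: caller-controlled text is pasted straight into the SQL statement,
    # so quotes in the input become part of the query's structure.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    # Parameterized: the driver passes the value separately from the statement text,
    # so the input is only ever compared as data and can never alter the query.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed inputs a security test would try: two classic injection shapes and
# one legitimate name containing an apostrophe (which breaks the unsafe query outright).
CHECK_INPUTS = ["' OR '1'='1", "alice' --", "O'Brien"]


def security_check(lookup: Callable[[sqlite3.Connection, str], list]) -> Dict[str, Union[int, str]]:
    """Run each check input through `lookup` on a fresh database.

    Returns input -> number of rows returned, or "error" if the query failed.
    For the hardened lookup every entry should be 0: none of these strings is a
    real username, so none of them may match anything.
    """
    results: Dict[str, Union[int, str]] = {}
    for text in CHECK_INPUTS:
        conn = make_db()
        try:
            results[text] = len(lookup(conn, text))
        except sqlite3.Error:
            results[text] = "error"
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    print("unsafe:", security_check(lookup_unsafe))   # rows leak / query breaks
    print("safe:  ", security_check(lookup_safe))     # every input returns 0 rows
```

In the testing stage this check is cheap to keep as a regression test: assert that `security_check(lookup_safe)` returns zero rows for every input, and the test fails the moment someone reintroduces string concatenation into the query.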
6. Deployment and Maintenance
At this point, the application has ticked all the performance and security boxes and is ready to be deployed.
However, it’s still possible that some vulnerabilities were missed in the earlier stages, so the application should be checked for vulnerabilities regularly. This can be done by employing ethical hackers or by running bug bounty programs that encourage users to find vulnerabilities in the software in exchange for a reward.
There you have it, the secure software development lifecycle defined. However, what we have discussed here are just the basics. To understand and be able to produce secure software, you will need to go the extra mile.
I’m talking about familiarizing yourself with all the best coding practices and researching the existing S-SDLC frameworks. A good place to start is the Microsoft Security Development Lifecycle or the recently published S-SDLC framework by NIST.