How to integrate security into the development lifecycle?
31 Jul 2019, by Sylvain Chery
In most projects, the penetration test is done at the end, and quite often its results are not good. Fixes then become necessary, which delays putting the application into production. Integrating security into the agile development cycle is fairly recent, but it hardens the application during the development phase by making, early on, the corrections that are usually (and chronically) handled at the end of the race.
But where should security go in development?
- In the business requirements?
- In the risk analysis?
- In the architecture?
- ...
In any case, security must be a component of every project and be involved throughout the development cycle: this is what is called the SSDLC.
- Analysis
- Design
- Implementation
- And still in maintenance
This is put in place through several levers and areas for improvement: for example, on the continuous integration (CI) platform, security tests are naturally added alongside the quality tests. At each iteration, the security status of the project is checked in order to identify possible vulnerabilities.
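As an added example (not code from the original article), here is a small Python gate of the kind that sits next to the quality tests on the CI platform: it parses this iteration's scanner findings, compares them with the findings accepted at the previous iteration, and fails the job only on new findings at or above a chosen severity, so that known debt is visible without blocking every build while nothing new slips through. The report shape, the field names, the severity scale and the two sample reports are all assumptions constructed for this example; adapt the parser to whatever your SAST or dependency scanner actually emits.

```python
from __future__ import annotations

import json
from dataclasses import dataclass

# Ordering used to decide which findings block the build. The scale is an
# assumption of this example; real scanners use their own.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule_id: str    # the scanner rule that fired (assumed field name)
    location: str   # file:line where it fired (assumed field name)
    severity: str   # one of SEVERITY_RANK's keys

    @property
    def key(self) -> tuple[str, str]:
        # A finding keeps its identity across iterations if the same rule
        # fires at the same place; severity may be re-rated, so it is not
        # part of the key.
        return (self.rule_id, self.location)


def parse_findings(report_json: str) -> list[Finding]:
    """Parse the assumed report shape {"findings": [{rule_id, location, severity}]}."""
    data = json.loads(report_json)
    findings = []
    for item in data["findings"]:
        severity = item["severity"].lower()
        if severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {severity!r} in {item}")
        findings.append(Finding(item["rule_id"], item["location"], severity))
    return findings


def evaluate_gate(current, baseline, fail_on="high"):
    """Compare this iteration's findings with the accepted baseline.

    Returns (passed, new_findings, fixed_keys). The gate fails only when a
    finding absent from the baseline has severity >= fail_on. Findings that
    were in the baseline but are gone now are returned as fixed, so the
    baseline can be shrunk rather than grow forever.
    """
    baseline_keys = {f.key for f in baseline}
    current_keys = {f.key for f in current}
    threshold = SEVERITY_RANK[fail_on]
    new_findings = [f for f in current if f.key not in baseline_keys]
    blocking = [f for f in new_findings if SEVERITY_RANK[f.severity] >= threshold]
    fixed_keys = sorted(baseline_keys - current_keys)
    return (len(blocking) == 0, new_findings, fixed_keys)


# Constructed sample reports for two consecutive iterations (not real tool output).
PREVIOUS_ITERATION = json.dumps({"findings": [
    {"rule_id": "py/sql-injection", "location": "app/db.py:42", "severity": "high"},
    {"rule_id": "py/weak-hash", "location": "app/auth.py:10", "severity": "medium"},
]})
CURRENT_ITERATION = json.dumps({"findings": [
    {"rule_id": "py/sql-injection", "location": "app/db.py:42", "severity": "high"},
    {"rule_id": "py/hardcoded-secret", "location": "app/config.py:3", "severity": "critical"},
    {"rule_id": "py/debug-enabled", "location": "app/main.py:7", "severity": "low"},
]})


def run_example(fail_on="high"):
    """Gate the current iteration against the previous one.

    Returns (passed, keys of new findings, keys of fixed findings).
    """
    baseline = parse_findings(PREVIOUS_ITERATION)
    current = parse_findings(CURRENT_ITERATION)
    passed, new_findings, fixed_keys = evaluate_gate(current, baseline, fail_on)
    return passed, [f.key for f in new_findings], fixed_keys


if __name__ == "__main__":
    passed, new_keys, fixed_keys = run_example()
    print("new findings since baseline:", new_keys)
    print("fixed since baseline:", fixed_keys)
    print("gate:", "PASS" if passed else "FAIL")
    raise SystemExit(0 if passed else 1)  # a non-zero exit fails the CI job
```

With the sample data the job fails because of the new critical finding, while the already-known SQL injection does not block again and the weak hash is reported as fixed. Update the baseline only through review, so that accepted debt stays explicit and shrinks from one iteration to the next.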
What is SSDLC?
SSDLC is the acronym for Secure Software Development Life Cycle. It is a continuous process made up of several axes and steps intended to ensure and raise the security level of an application. It applies in two settings: software built by an in-house team, and commercial software that is bought in.
Today, a team can secure the development process at each of the following steps:
- 1. Design
- 2. Implementation and unit testing
- 3. Integration testing
- 4. Business testing
- 5. External security audit
- 6. Fixing issues
- 7. End of sprint
In this case, security testing is not something the security team schedules at the end of the development cycle; it runs throughout the whole process. This view fits the DevOps philosophy, where a release is possible every day if needed. Security must follow the whole process of setting up a project. Thinking about security from the start of the project helps prevent problems such as the Ashley Madison case and its data leak.
OpenSAMM
OpenSAMM (Open Software Assurance Maturity Model) is an open framework, maintained by OWASP, for formulating and implementing an application security strategy. OpenSAMM is organised around four business functions:
- Governance: how the organisation defines its security programme and manages the security of its teams
- Construction: security in the requirements and architecture produced during development
- Verification: security testing and review of what has been built
- Deployment: from an operations (SysOps) point of view, managing the vulnerabilities detected and exploited in production
OpenSAMM allows:
- To evaluate the application security practices of an organisation
- To build a balanced security programme in the form of well-defined iterations
- To concretely demonstrate the improvements made under a security assurance programme
- To define and measure security-related activities within an organisation
Each organisation can establish its own maturity level, practice by practice (each of OpenSAMM's twelve security practices is scored on a scale from 0 to 3), and plan the next iterations of its programme from there.
Conclusion
Developers know how to code well but are less effective on security, and security people are the other way round. To know whether an application is secure, and to work more efficiently, these two worlds need to communicate and exchange.
The message is that security must come early in the development cycle. This approach gives the project much more flexibility, and therefore agility, by involving every stakeholder from the start.
Do you need help integrating security into your development process?