An effective and efficient software development lifecycle (SDLC) is essential for delivering modern web applications on time, within scope and within budget. Building security into the application lifecycle is no easy task, so let’s see how you can incorporate application security best practices to create a secure software development lifecycle.
Evolution of the software development lifecycle
In the pre-Internet age, the software development process usually had a clear start and end, progressing linearly and moving the product from one isolated phase to the next. This traditional waterfall approach meant monolithic releases that took months or even years to deliver. It was also essentially a one-way process with no provision for returning to an earlier stage, which made changes very difficult. This inflexibility meant that if business requirements changed during a long development project, the final product could already be obsolete upon release.
To make the development cycle less rigid, iterative and incremental SDLC methodologies were developed to allow software to be delivered and adjusted more frequently. Although these still tended to follow the overall waterfall model of distinct stages, functionality was developed in smaller batches and delivered to the customer gradually instead of holding everything back until the full project scope was ready. This made it possible to add functionality incrementally while re-examining customer requirements in each iteration and adjusting the product as needed.
The iterative and incremental approach has culminated in modern agile methodologies with continuous integration and continuous deployment (CI/CD). Software development no longer has a completion state but is understood as an ongoing process that is repeated as often as necessary. Because the resulting functionality is delivered in small chunks instead of a single monolithic release, the DevOps approach is commonly used to make deployment and maintenance an integral part of the development process.
Security in various SDLC models
In waterfall and the development cycles derived from it, all testing was pushed into a dedicated testing phase, which included manual security checks. This meant handing the code over for testing, running the tests, fixing the problems and then handing over to the deployment phase – a slow and inflexible process. As development methods evolved and accelerated by building more automation into build and test pipelines, the dedicated security testing phase became a major bottleneck.
At the same time, the importance of application security has increased. In the pre-network era, software security was not a major concern, as most applications had no remote connectivity and tended to be quite specialized products. As businesses began to move to the cloud and web applications became the foundation of entire business models, it was suddenly necessary to keep them secure while shortening release cycles to deliver more value faster.
This was when agile development with DevOps really took off, enabling relatively small software development teams to deliver and deploy large and complex applications thanks to extensive automation. While this opened up massive business opportunities, it also expanded the potential attack surface and left the usual application security checks even further behind. Even today, application security still takes a back seat to release schedules, with our research showing that up to 70% of development organizations skip at least a few security steps as deadlines approach.
SDLC vs. secure SDLC
The modern SDLC is a pipeline that cannot afford to stop and wait for security. The only viable way to build secure software is therefore to build security into every stage of the cycle from start to release, thus creating a secure SDLC (SSDLC). The diagram below shows a simple overview of adding security to the development process.
You can think of building a secure SDLC as adding a layer of security insulation around the exposed SDLC pipeline. Each phase of the SDLC has matching security considerations that need to be built directly into the tools and workflows used in that phase. As a rough guide, here’s what you need to consider to add security practices to every stage of the SDLC:
- Requirements: The software requirements defined at this stage should now also include security requirements alongside business, performance and functional requirements. Security risk analysis and assessment are a key part of this.
- Design: Secure design is fast becoming a necessity to avoid downstream security issues (and now even has its own OWASP Top 10 category). Typical activities at the design stage include framework selection, architecture analysis and threat modeling.
- Development: Adherence to secure coding guidelines and treating security as a crucial aspect of code quality during coding and code reviews are two prerequisites for secure development. Because web development relies heavily on open-source packages, it also means keeping an eye on the security of libraries and other dependencies.
- Testing: In a DevOps pipeline, security testing is not limited to the QA phase of the SDLC. It can start with static analysis at the code level and continue with dynamic testing up to and including production. Importantly, remediation must be treated as an integral part of testing to ensure both security and workflow efficiency.
- Deployment: Secure code is just one aspect of application security assurance – you also need to deploy and maintain a secure configuration, perform security assessments, and run periodic security checks to keep up with the latest threats. This can include vulnerability scanning, penetration testing, red teaming, bug bounty programs and so on.
In real life, building your own secure SDLC process can be much more complicated, but you can take existing guidelines such as NIST’s Cybersecurity Framework as a starting point – see our post on cybersecurity frameworks in web application security to learn more.
Application security testing in agile pipelines
Ideally, security should be built in deeply at every stage of designing, developing and operating software by creating a shared security awareness supported by effective tools and processes. Meanwhile, in the real world, many organizations struggle to run any kind of application security testing systematically, not to mention finding the right cybersecurity talent to make it work. The sticking point is automation: a cornerstone of DevOps but a tall order for traditional security checks.
Without a separate testing phase, or sometimes even a dedicated security team, the responsibility for running the tests, interpreting the results and coordinating remediation passes to the security tools themselves and to the software developers who work with them. Because they feed results directly into an automated pipeline, security testing products need to minimize false positives while still finding the security issues that need to be addressed. This is where static code analysis tools (SAST) can struggle: while they are technically easy to build into the development workflow, they often need a lot of fine-tuning to bring the number of false positives down to a manageable level. By definition, they are also restricted to checking the source code, so they cannot find vulnerabilities that only manifest at runtime.
Dynamic application security testing (DAST) provides wider coverage by testing an entire running application environment. Modern DAST solutions such as Netsparker by Invicti have been designed with SDLC integration in mind, overcoming a major limitation of previous-generation DAST tools. Integrating out of the box with popular issue trackers and CI/CD platforms, Netsparker uses proof-based scanning to automatically detect and confirm up to 94% of vulnerabilities directly, without the risk of false positives. Depending on where you are in the AppSec maturity model, you can use Netsparker at several stages of the SDLC pipeline for maximum coverage and integrate it with your existing security solutions.
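To make the pipeline integration described in the SSDLC stage list and in the SAST/DAST discussion above concrete, here is a small security gate written for this article as an added example; it is not Netsparker's, Invicti's or any scanner's real API or report format. It assumes a hypothetical tab-separated report that both a static and a dynamic scanner can be normalized into, with a "confirmed" column that a DAST tool sets when it proves a finding and that a developer sets for SAST findings after triage. The gate blocks the build on confirmed findings at or above a severity threshold and routes unconfirmed static findings to a triage list so that scanner noise does not stall the pipeline; the sample report is constructed.

```python
"""Minimal CI security gate (hypothetical example, not a real tool's API):
merge SAST and DAST findings and decide whether the build may proceed."""
from dataclasses import dataclass, field
from typing import List

# Severity ordering used by the gate policy (an assumed scale, not any scanner's).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    tool: str         # "sast" or "dast"
    rule: str         # rule identifier as reported by the scanner (constructed here)
    severity: str     # low / medium / high / critical
    location: str     # file:line for SAST, URL path for DAST
    confirmed: bool   # DAST: scanner proved the issue; SAST: a human triaged it as real


@dataclass
class GateDecision:
    passed: bool
    blocking: List[Finding] = field(default_factory=list)  # fail the build
    triage: List[Finding] = field(default_factory=list)    # send to developers for review


def parse_report(text: str) -> List[Finding]:
    """Parse the constructed tab-separated report: tool, rule, severity, location, confirmed."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and the header comment
        tool, rule, severity, location, confirmed = line.split("\t")
        findings.append(Finding(tool, rule, severity.lower(), location, confirmed == "yes"))
    return findings


def evaluate_gate(findings, min_block_severity="high", block_unconfirmed_sast=False):
    """Apply the gate policy.

    Confirmed findings at or above the threshold always block. Unconfirmed SAST
    findings at or above the threshold go to triage by default so that false
    positives do not stall the pipeline; set block_unconfirmed_sast=True for a
    stricter policy on release branches.
    """
    threshold = SEVERITY_RANK[min_block_severity]
    decision = GateDecision(passed=True)
    for f in findings:
        if SEVERITY_RANK.get(f.severity, 0) < threshold:
            continue  # below the policy threshold: reported by the scanner, not gating
        if f.confirmed or (f.tool == "sast" and block_unconfirmed_sast):
            decision.blocking.append(f)
        else:
            decision.triage.append(f)
    decision.passed = not decision.blocking
    return decision


# Constructed sample report for this example (not real scanner output).
SAMPLE_REPORT = """\
# tool\trule\tseverity\tlocation\tconfirmed
sast\tsql-string-concat\thigh\tsrc/orders.py:42\tno
sast\thardcoded-secret\tcritical\tsrc/config.py:7\tyes
sast\tweak-random\tlow\tsrc/util.py:19\tno
dast\treflected-xss\thigh\t/search?q=\tyes
dast\tmissing-csp-header\tmedium\t/\tyes
"""


def summarize(decision: GateDecision) -> str:
    """Render the decision the way a CI job log would show it."""
    lines = ["GATE PASSED" if decision.passed else "GATE FAILED"]
    for f in decision.blocking:
        lines.append(f"  BLOCK  {f.tool.upper():4} {f.severity:8} {f.rule} @ {f.location}")
    for f in decision.triage:
        lines.append(f"  TRIAGE {f.tool.upper():4} {f.severity:8} {f.rule} @ {f.location}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(evaluate_gate(parse_report(SAMPLE_REPORT))))
```

Run as a CI step, a non-zero exit on `GATE FAILED` is what turns the scan into an automated gate rather than a report somebody has to read. The split between blocking and triage is the practical answer to the false-positive problem discussed above: only findings the scanner has proven (or a person has confirmed) stop the release, while the rest still reach developers through the issue tracker instead of being silently dropped.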
Is SSDLC the same as DevSecOps?
As you read all this, you may be wondering about the difference between SSDLC and DevSecOps (or SecDevOps, for that matter). If one is about adding security to the SDLC and the other about adding it to DevOps, aren’t they really the same thing nowadays, behind the marketing buzzwords?
In a sense, it is the difference between theory and practice. The SDLC is a high-level abstract model of the software development process, while DevOps is one way to make that process work in an agile environment with limited resources. Similarly, DevSecOps is one way of building security into DevOps in order to implement an SSDLC in practice. There are many ways to get there, but all of them need at least a quality DAST solution to serve as the automated, agile equivalent of a traditional security testing team.
For more information on building security in your SDLC, see our white paper: Why You Need DAST in Your SDLC