4. GENERIC APPROACH FOR SECURITY
Secure SDLC
Proactive Approach
• Design: security requirements / risk and threat analysis
• Build: coding guidelines / code reviews / static analysis
Reactive Approach
• Test: security testing / dynamic analysis
• Production: vulnerability scanning / WAF
5. SECURE SDLC
Ensure the Best Practices are integral to the development program and applied over the lifecycle of the Application
• Governance: Definition, Review, Security Awareness Trainings
• Requirements: Security Requirements, Risk Assessment, Compliance Analysis
• Design: Secure Architecture, Risk Assessment
• Implementation: Code Reviews, Code Analysis
• Verification: Security Testing, Penetration Testing, Security Review
• Release: Incident Response Plan
• Response: Incident Forensics, Security Monitoring
7. PRIMARY BENEFITS
Minimize the cost of security-related issues
Avoid repetitive security issues
Avoid an inconsistent level of security across the project
Determine which activities pay back fastest in the current state of the project
8. ORGANIZATION CHALLENGES
An organization's behavior changes slowly over time
• Changes must be iterative while working toward long-term goals
There is no single recipe that works for all organizations
• A solution must enable risk-based choices tailored to the organization
Guidance related to security activities must be prescriptive
• A solution must provide enough detail for non-security people
Overall, it must be simple, well-defined, and measurable
• Understandable measurements can be used
13. ITERATION BASED TEST ONLY APPROACH
• After the backlog of security-related items has been reviewed and evaluated by Development Management, a 2-week development cycle (iteration) addresses the highest-ranked items
• Upon delivery of the completed code, security testing is performed both manually and with automated testing tools
• Results from manual and automated scans end up in the same backlog repository, to be reviewed and prioritized by Development Management
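The shared-backlog step above, as an added example that is not from the slides: findings from a manual review and from an automated scanner (both constructed samples, in an assumed input format) are normalized into one schema, de-duplicated by a fingerprint that ignores line numbers, ranked, and the highest-ranked items that fit the capacity of a 2-week iteration are picked. Field names, severity weights, the "effort" points and the tool name `sast-demo` are assumptions for illustration.

```python
"""Merge manual and automated security findings into one prioritized backlog
(added example; input formats, weights and effort points are assumptions)."""
import hashlib
import json
from typing import Dict, List

SEVERITY_SCORE = {"critical": 40, "high": 30, "medium": 20, "low": 10, "info": 0}

# Constructed sample: findings as a reviewer recorded them during a manual review.
MANUAL_FINDINGS = [
    {"rule": "SQLI", "file": "app/orders.py", "symbol": "search_orders", "severity": "high",
     "title": "String-built SQL in order search", "effort": 3},
    {"rule": "AUTHZ", "file": "app/admin.py", "symbol": "export_users", "severity": "critical",
     "title": "Missing role check on user export", "effort": 5},
]

# Constructed sample: JSON in an assumed scanner output format (tool name is fictional).
SCANNER_OUTPUT = json.dumps({"tool": "sast-demo", "results": [
    {"ruleId": "sqli", "severity": "medium", "file": "app/orders.py", "function": "search_orders",
     "line": 42, "message": "Possible SQL injection via f-string", "effort": 3},
    {"ruleId": "xss", "severity": "medium", "file": "app/views.py", "function": "render_comment",
     "line": 88, "message": "Unescaped user input in template", "effort": 2},
    {"ruleId": "xss", "severity": "medium", "file": "app/views.py", "function": "render_comment",
     "line": 91, "message": "Unescaped user input in template", "effort": 2},
    {"ruleId": "debug", "severity": "info", "file": "settings.py", "function": "",
     "line": 5, "message": "DEBUG enabled", "effort": 1},
]})


def fingerprint(rule: str, file: str, symbol: str) -> str:
    """Stable identity of a defect: rule + file + enclosing symbol. Line numbers are
    left out on purpose so the same issue reported at another line, or by another
    tool, collapses into a single backlog item instead of a duplicate."""
    raw = f"{rule.lower()}|{file}|{symbol.lower()}"
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def normalize_manual(findings: List[dict]) -> List[dict]:
    return [{"rule": f["rule"].lower(), "file": f["file"], "symbol": f["symbol"],
             "severity": f["severity"], "title": f["title"], "effort": f["effort"],
             "source": "manual"} for f in findings]


def normalize_scanner(raw_json: str) -> List[dict]:
    doc = json.loads(raw_json)
    return [{"rule": r["ruleId"].lower(), "file": r["file"], "symbol": r.get("function", ""),
             "severity": r["severity"], "title": r["message"], "effort": r["effort"],
             "source": doc["tool"]} for r in doc["results"]]


def score(item: dict) -> int:
    s = SEVERITY_SCORE[item["severity"]]
    if "manual" in item["sources"]:
        s += 10  # a human confirmed it, so it is not a scanner false positive
    if len(item["sources"]) > 1:
        s += 5   # independently corroborated by more than one source
    return s


def merge_backlog(*batches: List[dict]) -> List[dict]:
    """De-duplicate by fingerprint, keep the highest severity seen, remember every
    source that reported the item, and return the backlog ranked by score."""
    items: Dict[str, dict] = {}
    for batch in batches:
        for f in batch:
            key = fingerprint(f["rule"], f["file"], f["symbol"])
            if key not in items:
                items[key] = {**f, "fingerprint": key, "sources": set(), "reports": 0}
                del items[key]["source"]
            item = items[key]
            item["reports"] += 1
            item["sources"].add(f["source"])
            if SEVERITY_SCORE[f["severity"]] > SEVERITY_SCORE[item["severity"]]:
                item["severity"], item["title"] = f["severity"], f["title"]
    for item in items.values():
        item["score"] = score(item)
    return sorted(items.values(), key=lambda i: (-i["score"], i["fingerprint"]))


def plan_iteration(backlog: List[dict], capacity: int) -> List[dict]:
    """Greedily take the highest-ranked items whose combined effort fits the
    iteration; whatever does not fit stays in the backlog for the next cycle."""
    chosen, used = [], 0
    for item in backlog:
        if used + item["effort"] <= capacity:
            chosen.append(item)
            used += item["effort"]
    return chosen


def build_backlog() -> List[dict]:
    return merge_backlog(normalize_manual(MANUAL_FINDINGS), normalize_scanner(SCANNER_OUTPUT))


if __name__ == "__main__":
    backlog = build_backlog()
    for i in backlog:
        print(i["score"], i["severity"], i["rule"], i["file"], sorted(i["sources"]), i["reports"])
    print("next iteration:", [i["rule"] for i in plan_iteration(backlog, capacity=8)])
```

The manual SQL injection finding and the scanner's report of the same function merge into one item whose severity is the reviewer's "high", and the two scanner hits in `render_comment` at different lines collapse into a single item; with a capacity of 8 effort points the iteration takes the authorization and SQL injection items and leaves the rest for the next cycle.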
14. HOW TO GET STARTED
Discovery -> Analyze Current Practices -> Define Goals -> Define Roadmap -> Execute / Oversee / Adjust
17. SOLUTION
Issues Root Cause Analysis
• Tactical Goals: address the existing local findings (tool-generated)
• Strategic Goals: address security design flaws and prevent the issues from reappearing in the future
Solution for the Strategic Goals
• Team structure split into an Addressing team and a Remediation team, pursuing the Tactical and Strategic Goals respectively
• Prioritized roadmap for the Remediation Team
• Security Risk Assessment
• Security Architecture Analysis
• Security Awareness Trainings for the Team
• Roadmap for the adoption of Secure SDLC practices
20. VALUE
An approach addressing both Tactical and Strategic Goals
Decrease the number of security issues on the project
Minimize the potential security issues that might be introduced in the future
Improve the security expertise and practices of the current team
Experience sharing with the client's security program
Proof-of-concept remediation approach for other products in the client's portfolio
Case of building a security program as a security remediation project. The key challenge is optimization and prioritization of the effort: all these activities need to be done by the right people, and the Security Engineer, Software Engineer and Quality Engineer mindsets are different.
SDLC applicability to the project roles: ownership and contribution