Secure SDLC

Secure SDLC (S-SDLC) – DevSecOps Road Map – Part 1

DevOps is fine, but now we have to include security in the DevOps process; hence DevSecOps. We have talked about DevSecOps a lot, but if you want to become an expert in it, you need a road map to learn from. This is Part 1 of the Road Map to DevSecOps, covering the Secure Software Development Life Cycle (S-SDLC). Secure SDLC is the process of assuring security activities like Code Review, Penetration Testing, and more in the SDLC framework.

What is Secure SDLC?

In simple words, the Secure Software Development Lifecycle is the process of assuring the security activities in the SDLC, and of collecting the security requirements in parallel with the usual functional requirements.

So the definition is fine! Now we need to know what the security activities are, and where and when to add them in the SDLC process. Read on to understand the activities of the Secure SDLC.

Activities in Secure SDLC

Along with the traditional SDLC, there are a couple of activities to be done to ensure security in the SDLC. We will look at the traditional SDLC and the security activities involved in each of its phases.

Before that, as a recap, here are the phases of the SDLC.

Software Development Life Cycle
  • Initiation
  • Design and Requirement gathering
  • Development
  • Testing and Code Analysis
  • Deployment and Operation

Each phase in the SDLC has some security processes, which we will discuss one by one.

Initiation

As we all know, initiation or planning is the process of defining what we are going to do and why we are going to do it. Here are the security processes involved in this phase of the SDLC.

  • Initial Risk Assessment – Risk assessment, in general, is the process of identifying hazards and risk factors; the initial risk assessment is a preliminary version of it.
  • CIA Matrix Development – Developing the Confidentiality, Integrity, and Availability assessment matrix.

Design and Requirement gathering

After initiation, defining the requirements and designing the product architecture is the phase where important security activities have to be performed, because here we must define the threats we can capture, along with a review of the existing process. The activities are:

  • Threat Modelling – A structured process of identifying security threats and vulnerabilities, defining an index for each, and prioritizing the activities to protect the SDLC process.
  • Full Risk Assessment – A full and formal risk assessment that will help in the threat modelling process.
  • Security Assurance and Functional Requirements – Defining the specification of the product being developed and collecting the security assurance and functional requirements.
  • Security Testing Plan – We are in the world of Test-Driven Development (TDD), and in the same way we need to plan for security testing too.

Development

In the development process, it is important to perform certain security activities that help reduce risk and vulnerabilities. It is also important to follow certain activities that help automate the security analysis process with CI/CD.

  • Static Code Analysis – Running the code analysis before the development to identify the vulnerabilities defined in previous phases.
  • Security Baseline Adoption – Adopting the minimum security controls to protect the system and ensure the defined CIA matrix.
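
One way such a check can run as a CI gate, as an added example that is not from the original article: a small static check that fails the build when code calls a function on a banned list. The `BANNED_CALLS` rules, the helper names and the sample source are constructed here, standing in for the findings of the earlier threat modelling phase.

```python
import ast

# Constructed rule set: calls a (hypothetical) threat model marked as banned.
BANNED_CALLS = {
    "eval": "arbitrary code execution on untrusted input",
    "exec": "arbitrary code execution on untrusted input",
    "pickle.loads": "unsafe deserialization",
    "os.system": "shell command injection",
}

def call_name(node):
    """Return the dotted name of a call target, e.g. 'os.system', or None."""
    parts = []
    target = node.func
    while isinstance(target, ast.Attribute):
        parts.append(target.attr)
        target = target.value
    if isinstance(target, ast.Name):
        parts.append(target.id)
        return ".".join(reversed(parts))
    return None  # dynamic targets such as f()() are out of scope here

def scan_source(source, filename="<memory>"):
    """Return a sorted list of (filename, line, call, reason) findings."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Call):
            name = call_name(node)
            if name in BANNED_CALLS:
                findings.append((filename, node.lineno, name, BANNED_CALLS[name]))
    return sorted(findings)

def gate(findings):
    """CI exit code: 0 lets the build continue, 1 fails it."""
    return 1 if findings else 0

# Constructed sample input standing in for a file under review.
SAMPLE = '''import os, pickle
def load(blob):
    return pickle.loads(blob)
def run(cmd):
    os.system(cmd)
'''

if __name__ == "__main__":
    results = scan_source(SAMPLE, "sample.py")
    for fname, line, call, why in results:
        print(f"{fname}:{line}: {call}: {why}")
    print("gate exit code:", gate(results))
```

In a pipeline, the value returned by `gate` would be passed to `sys.exit` so that a finding stops the build.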

Testing and Code Analysis

As we all know, testing is an important pillar of the DevOps process. Similarly, for security, it is an important phase where all the collected metrics and parameters are tested to check whether the developed product meets a sufficient standard to mitigate the defined vulnerabilities.

  • Code Review – A basic code review to identify potential vulnerabilities in a peer's code.
  • Dynamic Code Analysis – Analyzing the code by executing the software product after developing it.

Deployment and Operation

Deployment and operational maintenance is the final and important phase of the Software Development Lifecycle. This phase also exposes the developed product to the real world, where we might face unpredicted threats. Hence, we have the following processes to mitigate security risk.

  • Penetration Testing – Pen-testing is the process of testing the system, including the network, web application, and core application, to find vulnerabilities.
  • Vulnerability Assessment – Reviewing security vulnerabilities and reporting the state of security of the software product.
  • Monitor Security Baseline – Continuously monitoring the metrics and parameters defined in the security baseline prior to the development phase.

Each process in each phase is not just theory; every single process will be implemented with a set of tools and applications, following a defined process and framework. As part of this Road Map to DevSecOps, we will discuss every process covered in this article in detail, with examples and exercises.

Conclusion

This article is just an explanation of what the Secure Software Development Life Cycle is and of the activities and processes involved in each phase of the SDLC. We will soon publish structured articles for the road map to becoming an expert in DevSecOps. In our upcoming articles, we will discuss more on DevSecOps Maturity Modeling (DSOMM), code analysis in the CI/CD process, the detailed penetration testing process, and more. Stay tuned and subscribe to DigitalVarys for more articles and study materials on DevOps, Agile, DevSecOps, and App Development.
