Importance of Secure SDLC

In Today's world, security has become necessary, and software security is one of the most critical aspects. Many web applications exist in the market to make our lives easier and much more enjoyable. We can pay bills online, chat with friends, shop online or communicate with people worldwide. For many of us, web applications have brought convenience, but these applications' perceptions may differ from person to person. 

"Software security is about making software behave correctly in the presence of a malicious attack."

It protects information and systems from unauthorized access, disclosure, use, disruption, and destruction. These can be represented through the CIA Triad, as shown below:

SLDC

To develop secure applications, Security checks should be made throughout the application project lifecycle, especially when the application deals with critical information and data.

Security Development Life Cycle (SDL) Framework:

SLDC

A Secure Development Life Cycle has 3 main phases, i.e., Planning, Development, and Production, which again consists of other sub-phases.

Planning:

  • Security Training: This is one of the prerequisites. Some basic concepts for building good quality software include secure design, threat modeling, secure coding, security testing, and best practices surrounding privacy.
  • Service and Response Planning: Preparing a security project production service plan and an incident response plan.
  • Product Security Requirement Checklist: Prepare security checkpoints as per business requirements; they are majorly divided into 2 categories internal needs and business requirements(B&FS Domain, E-Commerce, etc.)

Development:

  • Product Security Checklist Review: The security team reviews the identified checklist and development team and does prioritizations based on feasibility and business needs. In this phase security the development team also identifies standard and reusable components.
  • Threat Modeling: Potential threats can be identified and organized/prioritized through the Threat modeling process. Threat modeling provides a systematic analysis of the potential attacker's profile, the most likely attack vectors, the assets most desired by an attacker, and a catalog of potential threats that may arise.
  • Static Code Analysis: Static program analysis is performed without practically executing the programs. It is also called Source Code Analysis. It is an attempt to highlight possible vulnerabilities within 'static' (non-running) source code. Tool– OWASP LAPSE+
  • Vulnerability Scanning: Vulnerability scanning is an automated approach to finding security vulnerabilities in software. These tests can be run as part of vulnerability management by attackers looking to gain unauthorized access.
  • Final Security Review: The Final Security Review (FSR) examines all security activities performed on software before the release. This activity includes examining threat models, tool outputs, and performance against the quality gates and bug bars defined during the requirements phase.

Production:

  • Monitoring and Process Improvement Plan (Training): Once a problem is identified in a production environment; the security team makes sure that the same problem should be addressed in the planning and design phase only. They train resources according to that.

SDL Guidelines in ICT (Information and Communications Technology Industry):

  • Authentication and Password Management:
    • Validate the user with his identity and make sure that he is what he claims to be. Authentication is commonly performed by submitting a username/ID and one or more items of private information that only the user would know.
    • Password management system should be designed to store, organize, and encrypt passwords for online accounts on several devices. It is a better and safer alternative to reusing the same two or three passwords.
  • Session Management:
    • Session management should be implemented as an exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID.
    • Checking URLs in the restricted areas, checking exposed Session variables, testing the cookie attribute using intercept proxies, etc., are few checkpoints in Session Management testing.
  • Access Control: It should be implemented to ensure that an authenticated user accesses only what they are authorized to and no more.

Vulnerability Scanning Example:

Here is an example of vulnerability scanning. A vulnerability scanner sends special data to your web application – the type of data that a malicious hacker would send, but it does it safely.

  • Vulnerability View: After scanning the web application Checkmarx tool reports 4 "SQL Injection" vulnerabilities.SLDC
  • 2. Result View: This view will show the source code folder, file name, line number, and other details related to other vulnerabilities, which will help development teams to apply fixes at specific locations.SLDC
  • Once development teams apply fixes, they rerun scans and check that vulnerabilities are appropriately fixed or not.

To Conclude, see if your organization already follows Secure SDLC. If not, start now. And if it already does, know that there's always room for improvement! Threats and attacks are evolving every day, and if you are not cautious enough, they may jeopardize your company's reputation and credibility. The best way to keep your software safe from this menace is to implement security measures throughout the development process.

Relevant blog: Oracle EBS Apps Security 

Comments

Post a Comment

Popular posts from this blog

Whitepaper - Mobile Application Testing

With the advent of smartphones, a mobile phone has evolved from being just a communication device to a highly sophisticated business utility equipment. With smartphones no longer remaining a conspicuous consumption, they have become an efficient tool for handling finances, managing mails & agendas, and executing other business functions. Statistics highlight that 1.6 billion smart phones are sold at a rate of 1.8 to 2 million devices a day since 2007, and 1.5 billion smartphones will be shipped in 2016 – a 5.7 percent increase from 2015 – and will reach 1.92 billion by 2020. Download whitepaper - Mobile application testing
Read more

Key Features of Oracle Financial Consolidation & Close Cloud Service (FCCS)

Image
Oracle Financial Consolidation and Close Cloud Service (FCCS) is the newest addition to the Oracle EPM Services . FCCS is a solution to streamline the accounting activities associated with the month-end financial close. FCCS leverages Oracle’s experience with financial processes. This article outlines the key areas of Oracle FCCS: Top Features of FCCS including Integrated Close Analytics and Improved User Experience The FCCS Transparent Close Processes Integrated Workflow Process-concentric Financial Close   FCCS Consolidation & Reporting Process     What Does FCCS Include?   Features of Financial Consolidation & Close Cloud Services Close and Consolidation : Cash flow, Balance sheet, Income statement, Rollovers, Call-to-Actions, and more are automatically calculated. Leverage multi-GAAP driven with full currency support, inter-company eliminations, equity eliminations, adjustments, and applications detailed dat
Read more

Tableau CRM features and Setup guide

Image
What is Tableau CRM? Many enterprises have leveraged Salesforce out-of-the-box reports and dashboards to understand their data and performance for years. However, data size has been increasing rapidly daily; analyzing the data manually has become a bigger challenge; subsequently, analytics have become more critical than ever before. Learn more about Salesforce CRM implemetation   Tableau CRM (Formerly known as Einstein Analytics) was introduced to address this challenge. It's an AI (Artificial intelligence) powered advanced analytics solution which works with any data source. The AI-powered Einstein Discovery, Einstein Analytics apps analyze billions of data combinations and provide predictive insights and prescriptive recommendations to the users. Tableau CRM provides analytic experiences in sales, service, and marketing to quickly take business decisions and actions. This platform is also optimized for mobile use. Why Tableau CRM? The key differences between Tableau C
Read more