Secure Software Development Lifecycle (SSDLC)

Secure software development life cycle is simply the set of processes that help build software that is more secure. But a question that is frequently raised is: why bother with secure software development? Much of that question is loaded with the myths that surround software development, such as:

  • Security is an IT problem, not the developer’s problem.
  • The frameworks and tools that we use provide the security that we need.
  • We run tools against the deployed site, and they tell us about issues.
  • The site already has HTTPS, so it is secure.
  • The application can only be accessed if you are on the network.
  • We have backups, so any of the data that is damaged can be restored.

Secure Software Development Lifecycle has aspects that are an extension to Software Development Lifecycles. It is not a new step that is inserted; instead, it is a cross-cutting concern that requires consideration at all stages of the SDL.

History of Secure Development Lifecycle

The SSDLC is built on top of the Software Development Lifecycle (SDL), and it was accelerated into software engineering practice after Microsoft made it a company-wide mandatory policy in 2004[1]. This was in the aftermath of the viruses that worked their way through Microsoft Windows, on both consumer and corporate networks. It led to the release of a free book by Microsoft describing their best practices for building more secure software[2].

Since then, it has been constantly updated; the latest iteration of it is DevSecOps. But the fundamentals of writing secure software remain the same.

Why is Secure Software Development Lifecycle needed?

The SSDLC is needed to ensure that security is integrated into every phase of software development. This is crucial because security vulnerabilities can lead to serious consequences such as data breaches, loss of customer trust, and legal issues. By incorporating security from the beginning, potential vulnerabilities can be identified and addressed early in the development process, making the final product more secure.

What is Secure Software Development Lifecycle?

The SSDLC is a framework that incorporates security considerations into each phase of the software development lifecycle (SDL). It aims to ensure that security is not an afterthought but is considered throughout the development of software applications.

How does this interact with Software Development Lifecycle?

The SSDLC interacts with the SDL by integrating security considerations into each phase:

  • Requirements Gathering: Security requirements are identified along with functional requirements. This could include data protection needs, user access controls, and compliance requirements.
  • Planning & Analysis: Potential security risks are assessed, and security measures are planned.
  • Design: Security is considered in the design of the software architecture. This could include designing for secure data storage and transmission, ensuring secure user authentication, and defining how users are authorised to perform specific functions.
  • Implementation: Secure coding practices are followed to prevent common security vulnerabilities.
  • Testing & Integration: Security testing is performed to identify and fix any security issues. This could include penetration testing, vulnerability scanning, and code reviews.
  • Deployment & Maintenance: After deployment, the software is regularly updated and patched to address any newly discovered security vulnerabilities.
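The Implementation and Testing phases above are where a security requirement becomes concrete. The following added example (not part of the original article, and not Microsoft's or anyone's SDL code) traces one requirement, "a user lookup must return at most the one matching user", through those two phases: a defective implementation that concatenates input into SQL sits beside its hardened, parameterised form, and a testing-phase check expresses the requirement as a function that a test suite can run on every build. The table, rows and the hostile input string are constructed for the example.

```python
import sqlite3

# Constructed sample data for this example (not from the original article).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Create an in-memory users table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_email_vulnerable(conn, name):
    """Implementation-phase defect: user input is concatenated into the SQL text,
    so the input can change the meaning of the query (SQL injection)."""
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_safe(conn, name):
    """Hardened form: the value travels as a bound parameter, never as SQL text,
    so whatever the caller supplies is compared as data only."""
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def security_requirement_holds(lookup):
    """Testing-phase check for the requirement 'a lookup returns at most the one
    matching user'. Returns True when `lookup` satisfies it for both ordinary and
    hostile input, so a CI job can fail the build when it returns False."""
    conn = make_db()
    ordinary_ok = lookup(conn, "alice") == ["alice@example.com"]
    hostile = "x' OR '1'='1"  # constructed adversarial input; no such user exists
    hostile_ok = lookup(conn, hostile) == []
    return ordinary_ok and hostile_ok


if __name__ == "__main__":
    # Stand-alone run: the defective version fails the requirement, the hardened one passes.
    print("vulnerable passes requirement:", security_requirement_holds(lookup_email_vulnerable))
    print("safe passes requirement:      ", security_requirement_holds(lookup_email_safe))
```

The point of wiring the check in as a test rather than a one-off review note is the "cross-cutting concern" the article describes: the requirement written down in the Requirements phase is enforced automatically every time the code changes, instead of being rediscovered by a scanner against the deployed site.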

What are the processes that are outside the Software Development Lifecycle?

Processes that are outside the SDL but are part of the SSDLC include:

  • Security Training: Developers are trained in secure coding practices and are kept up to date with the latest security threats and mitigation techniques.
  • Incident Response: Procedures are put in place to respond to any security incidents in a timely and effective manner.
  • Disaster Recovery Planning: Plans are developed to recover from security incidents such as data breaches or cyber-attacks.

What Secure Software Development Lifecycle is not

The SSDLC is not a one-time process or a quick fix for security issues. It is a continuous process that requires ongoing effort and commitment. It is not about merely adding security features to the software or buying a tool to slap into the development process, but about integrating security into every aspect of the software development process. It is also not a guarantee of absolute security, as new security threats continue to emerge. However, it significantly reduces the risk of security vulnerabilities in the software.

Comments

Today, it is 20 years since the SDL became a priority at Microsoft, and 18 years since a best practice guide was published for free. Since then, there have been numerous collaborations with industry[3], organisations[4], governments[5][6], and institutions[7] to improve the security of the applications that we interact with, and the ones that we build.

At this point, if you deliver software to clients, and you do not have a Secure Software Development Lifecycle implemented, you are 20 years behind, and are delivering software that is not fit for purpose. You don’t want to be the organisation that is responsible for writing and delivering insecure client systems.

References

  1. Download Microsoft SDL Progress Report from Official Microsoft Download Center
  2. The-Security-Development-Lifecycle.pdf
  3. Home – Cyber Threat Alliance
  4. OWASP Foundation, the Open Source Foundation for Application Security | OWASP Foundation
  5. Home – National Cybersecurity Alliance (staysafeonline.org)
  6. Home | Cyber.gov.au
  7. Home | CSA (cloudsecurityalliance.org)