Maryna Mahfoudhi, CGI Federal

Senior Consultant

Lidija Salvaggio, CGI Federal

Senior Consultant

Most companies and government agencies have a software development lifecycle (SDLC) methodology in place that helps them streamline their development process. However, the SDLC is less effective without security integrated throughout the lifecycle, no matter which strategy you use – Waterfall, Agile or DevOps. A secure software development lifecycle (SSDLC) framework defines the entire development process to build a software product, while integrating security at all stages – requirements, design, development, testing and release.

The five stages of SSDLC

Different organizations take different approaches to defining and naming the phases of secure software development, but broadly, they include:

Requirements Phase – Once the client and stakeholders compile the requirements for any new functionality, you should conduct a risk assessment to identify early security considerations that may impact the applications. This crucial phase sets the foundation for the rest of the process.

Design Phase – From the security point of view, this step of the SSDLC covers best practices for implementing the previously identified requirements. In this phase, you should create a threat model that includes security mitigation strategies and test plans for the development phase. This phase will also identify acceptable versus unacceptable security results.

Development Phase – Here, the work from the previous two phases comes to reality. The focus now shifts to secure coding best practices and developer security awareness training programs. As you develop new application features, integrate static code analysis (SCA) into the build process. You should also evaluate third-party open-source components for vulnerabilities during this phase.

Testing Phase – Once application development is completed, more comprehensive security testing begins. This includes security assessment strategies such as dynamic application security testing (DAST), static application security testing (SAST) and API security testing. This facilitates the identification of any security issues before an application is released into production.

Release Phase – This last step of the SSDLC process covers the maintenance and enhancement of the system. It includes continuous monitoring and patching, routine scans of third-party libraries, external independent penetration testing and similar post-deployment activities.

Why move to SSDLC?

Older software development methodologies, Waterfall in particular, put security-related activities at the end of the development lifecycle. As a result, developers would not be able to find defects and security vulnerabilities until the applications were deployed in production, or worse, not at all.

To sum it up, security plays an important role in every phase of software development. According to Gartner Group, “the cost of removing an application security vulnerability during the design phase ranges from 30-60 times less than if removed during production.” In other words, the earlier security is integrated into development, the more money can be saved in the long run. The graph below shows the increasing cost of detecting and eliminating software bugs later in the development process; this becomes most costly during post-production release.

The Secure SDLC is an example of the “shift-left” approach, which emphasizes the importance of integrating security into the SDLC as early as possible. SSDLC helps reduce security risks, and organizations should leverage the Secure SDLC approach to ensure they build resilient software able to withstand the sophisticated cyberattacks that target applications nowadays. Failing to do so increases the risk of creating vulnerabilities in the software under development.

For more information, please reach out to securityengineering@cgifederal.com.

For more cybersecurity information and insight, visit Protecting America’s Assets.

About these authors

Maryna Mahfoudhi, CGI Federal

Senior Consultant

Maryna leads a team of security engineers within CGI Federal’s Security Assurance and Governance practice.

Lidija Salvaggio, CGI Federal

Senior Consultant

Lidija specializes in application security, third-party software security analysis and secure coding practices.