This approach integrates security into every stage of the software development process. aiming to address vulnerabilities and reduce the risk of security breaches from design to ongoing maintenance.
It aids organizations in developing secure software by integarting security into the development process. reducing security flaws and ensuring a robust product. Adapting secure SDLC practices to organizational needs and providing regular security training is crucial.
Security requirements
The security requirement phase involves the following key activities:
- Determining the business functionality requirements of the software including associated security requirements in terms of confidentiality, integrity, availability, and authentication, such as logging, password, integration with identity management servers,etc.
- Identifying the data sensitivity (such as personal data,cardholder data, health data.etc) that will be stored, processed. or transmitted by the software, along with corresponding application functions handling the data.
- Perform high-level security risk assessments to determine sections of a project that will require security design reviews before release.
- Establish baseline standars to identify and fix security faults during development.
- Categorize the controls according to physically, procedural, or texhnical means.
- Identify the coding tools, techniques and skills required to develop and test the application.
Secure Design
- Develop an application architectural plan that includes security requirements.
- Classify data according to its sensitivity and define the security controls accordingly.
- Consider the authentication and authorization requirements. sensitive data security and privacy requirements.cryptographic controls,dat retention and deletion timelines.
- After developing an architectural plan, perform an architecture risk analysis.
- Implement a Web Application Firewall(WAF)
Secure Coding
- Consider OWASP Top 10, SANS, PCI-DSS, and other industry-recommended best practices for secure code development.
- Consider platform-specific coding guidelines related to the development platform such as AEM, SFCC, Android, or iOS.
- Only use open-source components, libraries, or third-party codes from trusted sources.
- Create input validation checks to verify malicious data.
- Handle all errors and exceptions securely.
- Create strong authentication, authorization, and session management methods.
- Add cryptographic alogithems and menthods, whereve required.
- Implement security logging and auditing features.
Testing and verification.
- Secure the test environments and protect data used for testing.
- Do not use production or Live data in test scripts.
- restrict access to code repository to authorized people only.
- Perform security vulnerability assessment and penetration test.
Continous Monitoring & Risk Assessment
- Configure and enable server security features along with the secure coding.
- Update the server OS and packages frequently.
- Add security groups to servers.
- Use https requests.
- Use TLS security for internal servers.
Top comments (0)