Before we start on the Secure SDLC topic, let's talk a little bit about how the term Software Development Life Cycle should be understood in general. This is a framework that describes the software life cycle. Its purpose is to help businesses build quality application development processes.
The framework itself consists of the usual set of steps - design, deployment, testing, support, and others. However, various models dictate the order in which these steps are passed. Perhaps the best known of these is the waterfall model, where each step starts when the previous one is completed. In this context, the cost of an error at the beginning of a project is quite high, so the model is used on compact and typed tasks with clear terms of reference.
The opposite of the waterfall model is the iterative model. In this case, project development begins with the MVP, which is immediately released to the market. Then, changes are made based on feedback, and the process is repeated. The iterative model is suitable for large tasks with uncertain requirements. It is used by startups and teams that develop innovative projects that can change the usual state of affairs in a particular sector.
A modification of the iterative model is the spiral model. The development steps move in a spiral, but with each new turn, the processes become more complex and expanded, so the model is suitable for risky research initiatives.
Of course, there are also other approaches to development - a lot of publications and literature has been written on this topic. But lately, in the context of building the application life cycle, more and more attention has been paid to information security and compliance.
From SDLC to Secure SDLC
According to
Secure processes not only reduce the risk of hacking but also literally save money. Fixing a bug at the implementation stage costs multiple times as much as a vulnerability discovered during design. According to many estimates, the cost of fixing bugs after a product is released increases over thirtyfold.
There are several models of Secure SDLC, but perhaps one of the best-known is MS SDL. The basics of the concept were formulated twenty years ago by Bill Gates, but since then it has been adjusted to reflect new approaches and technologies. In particular, MS SDL software design implies component-level threat modeling, dynamic code analysis, and phasing testing. All members of the development team are trained in information security and study best practices in this area.
According to reports, Bill Gates' initiative increased the corporation's competitiveness in terms of information security - from 2004 to 2010, the number of vulnerabilities in its applications decreased by almost three orders of magnitude compared to other organizations. Immediately after that, the company decided to release its work under a Creative Commons license, and the MS SDL model became a kind of canon from which other Secure SDLC approaches are derived.
One of them is OpenSAMM. It can be used to assess the current level of maturity of the software development cycle and to outline changes in the security context. According to the concept, the application development process includes twelve components, such as code reviews and security testing, as well as employee literacy and cyber hygiene. Each component is rated on a scale of zero to three, where the number three implies full mastery of information security practices in that area.
Another model for building a Secure SDLC is called BSIMM. It is a case study guide with examples of best practices and mechanisms. Businesses can compare their processes to those of hundreds of companies and adjust goals and objectives based on that. In all, the framework includes more than 120 different methods that cover twelve stages of the application development and deployment lifecycle.
Features of these models
Each of the presented methodologies describes only general steps worth taking to build a secure application development cycle. However, there are subtleties in this regard - for example, the classic MS DLC methodology can perform poorly in agile environments because it imposes strict deadlines on processes within the company. It's also clear that the choice of a particular toolkit will depend on the needs of the organization. The list includes DevSecOps services, pentest solutions, anti-viruses, and firewalls like Anti-DoS + WAF.
Introducing such a toolkit from scratch is quite an expensive undertaking. According to experts, the transition only to the first level in the OpenSAMM coordinates will cost in the region of $90,000. And this is still a conservative estimate since it implies that the company conducts a code review no more than 5-9 days a year. This may be enough for a small project, but within the corporation is unacceptable, plus - will increase the cost of Secure SDLC support.
In general, it is possible to implement the tools yourself and follow the recommendations for secure app development - the documentation on this issue is comprehensive, and the missing facts can be learned from the community members. But it would still require special knowledge and expertise in AppSec.
SSDLC should replace SDLC because data security is one of the fundamental requirements of companies and regulations. In this case, it is not necessary to hire a separate team of staff, there are companies in the market of information security that provide services including adding a layer of security to the software lifecycle.
Service providers can help implement Secure SDLC and save money on it. The cloud will offer static (SAST) and dynamic code analysis (DAST) systems, protection against DDoS web attacks, and compliance with information security regulations.
As a result, cloud solutions provide an opportunity to focus on business tasks, improve application security and implement the Zero Trust security principle for developers.