-
-
-
-
URL copied!
What Is a Secure Development Lifecycle?
The secure development lifecycle (SDL) is a set of best practices to support software security and
compliance requirements. It covers every aspect of software development to implement security.
Why is the Secure Development Lifecycle Important?
Why do we need SDL in the world of Cloud Native, DevOps and DevSecOps, where everything moves fast and there is no time to follow a heavyweight process like SDL? Just implement, integrate and automate SAST, DAST, SCA and Pen testing and we should be good on the security side. Right?
It’s not that simple.
It is important to build security from the ground up in today’s complex and changing landscape of threats. SDL provides a framework and best practices to implement security and privacy controls and consideration throughout all phases of the development.
Modern development processes and methodologies have changed the way we build software. However, we must still follow each development step, formally thinking through the requirements, architecture and design, through testing the software, writing test cases and scripts, and so on. These processes are critical. However, implementing them without a foundational process or framework cannot ensure secure software. Instead, it overwhelms the development team who are probably already struggling to meet the release timelines with security bugs to be fixed. So why skip the foundation step ofbuilding secure software?
Microsoft Secure Development Lifecycle
Of the many SDL models, Microsoft Security Development Lifecycle (MS SDL) is the most widely used. It has five capability areas with four levels of maturity. Microsoft published SDL in 2008 and regularly updates it based on their growing experience and new industry trends.
Lessons Learned
At GlobalLogic, we’ve successfully implemented MS SDL in multiple projects, improving the overall security of the related software. Our point of view and takeaways based on the experience we gained from these projects include the following:
It’s Challenging To Get Started
Starting with the SDL can be complex and overwhelming. Teams struggle to implement the basics of SDL mainly because the outcome is challenging to measure at the beginning. Our recommendation is not to fall into the trap of the immediate value add, but to keep following the best practices and have patience.
Plan incremental goals rather than trying to achieve too many things at once. It helps to assess the baseline of the current state so that improvements can be measured.
Avoiding Focusing Only On Security Hygiene
Most of the team only focus on security hygiene (such as OWASP Tops 10) and consider software secure if it takes care of these. But software security goes beyond this. A team must focus on security functionality and ask how a functionality will impact the security; for example, the account lock functionality in case of three or more incorrect login attempts. Some of these can be standard or generic, while others require analysis from the hacker perspective.
Consistency is Key
Security is a continuous process and the team must be consistent in whatever they implement. Do not fall into the trap of one-time achievement mode, as it will create a false sense of security.
Consider the Organization’s Risk Appetite
Not all security risks are equal and not all applications have the same risks. The team must understand the organization’s risk appetite and should try to take care of risk accordingly.
Defined Roles and Responsibilities Help
When most of the team is focused on processes and tools for security, they can miss the importance of roles and responsibilities. It is essential to define clear security roles and responsibilities such as who is the security champion, who is responsible for fixing the security bug, etc.
Skills Training is Ongoing
Make sure that your team understands security and has the required skills. If not, have a strong training plan to bridge the gap. We have seen many teams fail in implementing SDL because of a lack of skills.
Conclusion
These are some of the key learnings and takeaways based on our experience. We will be publishing detailed implementation steps in future papers to help you start and mature your Secure Development Lifecycle.
Top Insights
Best practices for selecting a software engineering partner
SecurityDigital TransformationDevOpsCloudMediaMy Intro to the Amazing Partnership Between the...
Experience DesignPerspectiveCommunicationsMediaTechnologyAdaptive and Intuitive Design: Disrupting Sports Broadcasting
Experience DesignSecurityMobilityDigital TransformationCloudBig Data & AnalyticsMediaLet’s Work Together
Related Content
Enterprise GenAI: The Time to Focus on High-ROI Use Cases is Now
In the relentless pursuit of digital transformation, enterprises are constantly seeking innovative avenues to maintain a competitive edge. Generative Artificial Intelligence (GenAI) stands out as one of the most promising frontiers in this quest. Unlike traditional AI, which primarily focuses on data analysis and interpretation, GenAI has the unique ability to generate new, original content, ideas, and solutions, making it an indispensable tool for businesses across various sectors.
Learn More
DevOps for Customer First Strategy
In the healthcare industry where medical insurance providers are competing with each other to acquire more and more customers, evaluating customers' application to assign a risk level is of prime importance. This helps in formulating the policies and the premium that a customer needs to pay. In order to work on this the insurance companies must share their data which is highly susceptible of being stolen and misused against them by their corporate rivals.
Learn More
Master the skills of QAOps
Recently, the IT world has been experiencing an explosion of different terms related to operations. The good old days—when the global order was defined around a rule of thumb and IT as separate from business—are gone, never to return. Dozens of ‘Ops’ crowded the sphere of software testing: starting with trendy DevOps.
Learn More
The rise of digital cognitive behavioral therapy
In today’s world, more and more people are struggling with depression, anxiety, addiction and a whole range of similar mental health problems. In most of the cases, people are not even aware of the fact that they are fighting with some kind of mental illness. Managing these problems is not an easy task and ignoring these problems calls for unwanted actions and severe consequences, but fortunately we have Cognitive behavioral therapy (CBT) to help people manage their problems by making simple changes in the way they think and behave.
Learn More
Virtual Health Assistant – Transforming Value Based Care
Digital virtual health assistant, also known as virtual health care assistants, are digital platforms that use artificial intelligence (AI) technology to assist individuals manage their health and wellness. These virtual assistants use natural language processing, machine learning and other AI powered technologies to provide a wide range of services.
Learn More
ML – federated learning – Application in life insurance industry
In the healthcare industry where medical insurance providers are competing with each other to acquire more and more customers, evaluating customers' application to assign a risk level is of prime importance. This helps in formulating the policies and the premium that a customer needs to pay. In order to work on this the insurance companies must share their data which is highly susceptible of being stolen and misused against them by their corporate rivals.
Learn More
FinGreen 2.0 : Exploring the role of climate fintech in creating a more sustainable future
There are a number of similar sounding terminologies that a user would come across when exploring a data catalog. In this section we look at the important terms and how they are related to each other.
Learn More
The future of frontend development: Emerging trends and technologies
Let’s start with the history of the Web. It was 1991 when the first web page went live and our lives were changed drastically. Today, millions of people spend hours surfing the internet, making money and investing money, gaining university degrees, listening to music, and watching movies, educational theories, videos, and more.
Learn More
Share this page:
-
-
-
-
URL copied!