Most software organizations have well defined processes in place that ensure software is released with quality and on schedule. In recent years due to security threats and hacks a lot of emphasis is being placed in incorporating security in the software development life cycle. Introducing security during software development life cycle can result in cost reduction and reduction of business risks.
Generally speaking SDLC (Software Development Life Cycle) is a framework that defines a number of processes that are taken by an organization to build applications. There are number of proposed models such as Waterfall, Spiral, Agile etc.. but it’s same to assume the following steps generally are followed in any model:
- Requirements gathering
In the past there usual practice would be to focus on security as part of the “Testing” phase by executing methods such as penetration testing or code reviews. However in most cases it has resulted in high number of flaws getting discovered too late or worse not discovered at all. Also the because of the nature of security issues these would require re-coding or redesigning the application resulting in cost and schedule issues.
So how do we change this? The goal of secure software development life cycle is to incorporate security in the early stages. This means starting at the requirements phase where security of the application should be thought out along side the functional requirements. As a developer it becomes your responsibility to educate yourself and your peers to think about security first when coding and define a metrics of success. The senior management should invest in hiring and training employees with appropriate tool and reach out for outside help if required.
Secure Software Development Practices retrieved from http://www.veracode.com/security/secure-development
What Is the Secure Software Development Life Cycle? retrieved from https://www.cigital.com/blog/what-is-the-secure-software-development-lifecycle/