
Secure Software Development Lifecycle (SSDLC)

20 Mar 2024

The classic software development life cycle (SDLC) does not include a security analysis of the product being developed. As a result, security is not considered until the testing stage or after the release, which significantly increases the cost of detecting and eliminating vulnerabilities. To overcome this disadvantage, an extended version of the SDLC called the SSDLC has been developed.

Stages of SSDLC

The purpose of SSDLC is to supplement the software lifecycle stages with processes for detecting and eliminating vulnerabilities. This helps detect and resolve security issues long before the software is deployed. The following is a brief description of these changes for each stage.

Collecting and analyzing requirements

In addition to the basic software development requirements, security requirements are also collected at this stage by analyzing potential threats. Here are a few examples of such requirements:

  • providing identification and authentication;
  • ensuring protection against unauthorized access;
  • establishing a process for logging events and errors;
  • ensuring quality control of data entering the system.

Risk analysis and planning

This stage includes the analysis of security risks and attack surfaces. A threat model is created based on the security requirements gathered at the previous stage.

Design/Prototyping

The system design is based on the threat model developed at the previous stage.

Development

At this stage, developers pay close attention to the security aspects of code quality. To do so, they:

  • check software vulnerability lists such as CWE and OWASP Top 10;
  • use static application security testing (SAST) solutions;
  • analyze dependencies for vulnerabilities using software composition analysis (SCA) tools;
  • perform additional code reviews to detect missed security weaknesses, etc.

Note. The PVS-Studio static code analyzer detects not only common errors but also security vulnerabilities in code, serving as both an SCA solution and a SAST solution.

Testing

At this stage, additional types of testing are introduced, such as:

  • penetration testing;
  • testing by simulated hacker attacks;
  • fault tolerance testing, including fuzz testing (the practice of feeding random or deliberately malformed data into a system in order to make it fail).

Deployment

A security assessment and software security audit are performed just before the deployment.

Maintenance

Even if you take a responsible approach to security at the previous stages, some vulnerabilities may escape your attention and make it into the release. Also, even after the release, previously unknown vulnerabilities may be discovered not only in your code but also in the code of your software dependencies. Such vulnerabilities are called "zero-day vulnerabilities". Therefore, it is necessary to continue monitoring and promptly eliminating new vulnerabilities throughout the entire support period of the software.
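As an added illustration of the SCA step listed under Development and the dependency monitoring described under Maintenance (example code written for this page, not PVS-Studio's or any tool's own code): a minimal checker that matches a pinned dependency list against advisory version ranges. The lockfile and advisories below are constructed, and the advisory IDs are placeholders; a real SCA tool would pull the ranges from an advisory feed such as OSV and handle richer version syntax.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, List, Dict

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Advisory:
    """One affected version range: [introduced, fixed). fixed=None means no fix yet."""
    id: str
    package: str
    introduced: Version
    fixed: Optional[Version]


def parse_version(s: str) -> Version:
    # Numeric dotted versions only (e.g. "2.25.1"); tuples compare element-wise.
    return tuple(int(p) for p in s.strip().split("."))


def parse_lockfile(text: str) -> Dict[str, Version]:
    """Parse 'name==version' pins, ignoring comments and blank lines."""
    deps: Dict[str, Version] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, _, ver = line.partition("==")
        deps[name.strip().lower()] = parse_version(ver)
    return deps


def is_affected(version: Version, adv: Advisory) -> bool:
    if version < adv.introduced:
        return False
    if adv.fixed is not None and version >= adv.fixed:
        return False  # installed version already carries the fix
    return True


def find_vulnerable(deps: Dict[str, Version], advisories: List[Advisory]):
    """Return sorted (package, installed_version, advisory_id) findings."""
    findings = []
    for adv in advisories:
        v = deps.get(adv.package)
        if v is not None and is_affected(v, adv):
            findings.append((adv.package, ".".join(map(str, v)), adv.id))
    return sorted(findings)


# Constructed sample inputs; EXAMPLE-* IDs are placeholders, not real advisories.
LOCKFILE = "# pinned deps\nrequests==2.25.1\nurllib3==1.26.18\njinja2==3.1.2\n"
ADVISORIES = [
    Advisory("EXAMPLE-0001", "requests", (2, 3, 0), (2, 31, 0)),
    Advisory("EXAMPLE-0002", "urllib3", (1, 26, 0), (1, 26, 18)),  # already fixed
    Advisory("EXAMPLE-0003", "jinja2", (3, 0, 0), None),           # no fix released
]

if __name__ == "__main__":
    for pkg, ver, adv_id in find_vulnerable(parse_lockfile(LOCKFILE), ADVISORIES):
        print(f"{pkg}=={ver} is affected by {adv_id}")
```

Re-running the check against a refreshed advisory list on a schedule is what turns the one-off Development-stage scan into the ongoing monitoring the Maintenance stage calls for.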
