
Core Software Security by Anmol Misra, James Ransome

Chapter 2
The Secure Development Lifecycle
We start this chapter by introducing the concept of overcoming the
challenges of making software secure through the use of a secure
development lifecycle (SDL). There will be further discussions of the
models, methodologies, tools, human talent, and metrics for managing
and overcoming the challenges to make software secure. We will close
with a discussion of the mapping of our SDL with its associated best
practices to a generic software development lifecycle (SDLC), which
will be the subject of the next six chapters, followed by a chapter
mapping our SDL best practices to several of the most popular software
development methodologies.

There is still a need for better static and dynamic testing tools and a
formalized security methodology integrated into SDLCs that is within
the reach of a majority of software development organizations. In the past
decade or so, the predominant SDL models have been out of reach for all
but the most resource-rich companies. Our goal in this book is to create
an SDL based on leveraged minimal resources and best practices rather
than requiring resources that are out of reach for a majority of software
security teams.

2.1 Overcoming Challenges in Making Software Secure
As mentioned in Chapter 1, SDLs are the key step in the evolution of
software security and have helped to bring attention to the need to build
security into the software development lifecycle. In the past, software
product stakeholders did not view software security as a high priority. It
was believed that a secure network infrastructure would provide the level
of protection needed against malicious attacks. In recent history, however,
network security alone has proved inadequate against such attacks.
Users have been successful in penetrating valid channels of authentication
through techniques such as Cross-Site Scripting (XSS), Structured
Query Language (SQL) injection, and buffer overflow exploitation. In
such cases system assets were compromised and both data and organizational
integrity were damaged. The security industry has tried to solve
software security problems through stopgap measures. First came platform
security (OS security), then came network/perimeter security, and
now application security. We do need defense-in-depth to protect our
assets, but fundamentally the problem is a software security flaw that
needs to be remediated through an SDL approach.

The SDL has as its base components all of the activities and security
controls needed to develop industry and government-compliant and best
practices–hardened software. A knowledgeable staff as well as secure
software policies and controls is required in order to truly prevent, identify,
and mitigate exploitable vulnerabilities within developed systems.

Failing to meet even the least of the activities found within the SDL provides
an opportunity for misuse of system assets from both insider and outsider
threats. Security is not simply a network requirement; it is now an
information technology (IT) requirement, which includes the development of
all software intended to distribute, store, and manipulate information.
Organizations must implement the highest standards of development
in order to ensure the highest quality of products for their customers
and the lives which they protect.

Implementation of an SDL program ensures that security is inherent
in good enterprise software design and development, not an afterthought
included later in production. Taking an SDL approach yields tangible
benefits such as ensuring that all software releases meet minimum security
criteria, and that all stakeholders support and enforce security guidelines.
