Chapter 3
Security Assessment (A1): SDL Activities and Best Practices
In this chapter, we introduce the reader to the first phase of our security development lifecycle. This phase (A1) is called Security Assessment. We describe the activities within this phase and why it is important, and then walk the reader through the key success factors, deliverables, and metrics for this phase.
Security Assessment (A1) is the first phase of our SDL (see Figure 3.1). This is the phase where the project team identifies the product risk profile and the SDL activities that will be needed; in some SDLs it is called the discovery phase. An initial project outline for security milestones and controls is developed and integrated into the development project schedule to allow proper planning as changes occur. Throughout this phase, four principal questions should be addressed to determine what is required to ensure the security of the software:

Figure 3.1 Security Assessment (A1): SDL activities and best practices.

1. How critical is the software to meeting the customers' mission?
2. What security objectives are required of the software [e.g., confidentiality, integrity, and availability (CIA), as described in Chapter 1]?
3. What regulations and policies are applicable in determining what is to be protected?
4. What threats are possible in the environment where the software will be operating?
During the initial kick-off meeting, all key stakeholders should discuss, identify, and reach a common understanding of the security and privacy implications, considerations, and requirements. The initial set of key security milestones, including time frames or development triggers that signal a security step is approaching, is also outlined in these discussions so that the developers can plan security requirements and their associated constraints into the project. It also reminds project leaders that many of the decisions being made have security implications that should be weighed appropriately as the project continues. These discussions should also include the identification of all sources of security requirements, including relevant laws, regulations, and standards.
Privacy, often neglected as part of the SDL in the past, is assessed in this phase as well. The Privacy Impact Assessment (PIA) process, which evaluates the privacy issues raised by the personally identifiable information the software handles and assigns a privacy impact rating, is initiated during this stage of the development process.
3.1 Software Security Team Is Looped in Early
SDLCs typically have formalized kick-off meetings, and it is important that the software security team is included, to ensure that security is a key element of the SDLC and is built into the process. An in-person or live web conference meeting gives attendees and stakeholders an important opportunity to gauge understanding and awareness. Bringing the security team into the development process early is the most cost-effective way to enable risk identification, planning, and mitigation. Early identification and mitigation of security vulnerabilities and misconfigurations will result in lower cost of security control implementation and vulnerability mitigation; provide awareness of potential engineering challenges caused by mandatory security controls; and enable identification of shared security services and reuse of security strategies and tools to reduce development cost while improving security posture