Core Software Security by Anmol Misra, James Ransome

Chapter 4
Architecture (A2): SDL Activities and Best Practices

During the second phase of the security development lifecycle, security considerations are brought into the software development lifecycle to ensure that all threats, requirements, and potential constraints on functionality and integration are considered (see Figure 4.1). At this stage of the SDL, security is looked at more in terms of business risks, with inputs from the software security group and discussions with key stakeholders in the SDLC. Business requirements are defined in the security terms of confidentiality, integrity, and availability, and needed privacy controls are discussed for creation, transmission, and personally identifiable information (PII). SDL policy and other security or privacy compliance requirements are also identified at this stage of the SDL. This ensures that security and privacy discussions are performed as part of, rather than separate from, the SDLC, so that there are solid understandings among project personnel about business decisions and their risk implications for the overall development project. A cost analysis for development and support costs required for security and privacy consistent with business needs is also done as part of the requirements analysis. As discussed previously, the planning and awareness of security, privacy, and risk management early in the SDLC through the proper use of an SDL will result in significant cost and time savings.

Figure 4.1 Architecture (A2): SDL activities and best practices.

Perhaps the most important, complex, and difficult part of the SDL starts during this phase of the SDL. As discussed previously, threat modeling and architectural security analysis typically fall into the domain of the senior software security architects and require the most experience and expertise of any of the tasks within the SDL. Fortunately, tools are currently available, and others are in the process of being developed, that can assist in this phase and help leverage and scale a skill set that is typically a limited resource in a software security group.

Additional security training that may be needed for key developers to understand the current threats and potential exploitations of their products, as well as training in secure design and coding techniques specific to the software being developed and to the systems with which the software will be interacting, is identified at this stage of the SDL. This enables the developers to work more efficiently with the software security architects and others from the software security group to create more secure designs, and empowers them to address key issues early in the development process.

4.1 A2 Policy Compliance Analysis
The purpose of a software security policy is to define what needs to be protected and how it will be protected, including reviewing and incorporating policies from outside the SDL that may impact the development process. These might include policies governing software or applications developed or applied anywhere in the organization. During this phase, any policy that exists outside the domain of the SDL policy is reviewed. Corporate security and privacy policies will likely instruct designers and developers on what the security and privacy features need to be and how they must be implemented. Other policies may include those that govern the use of third-party and open-source software or the protection and control of source code and other intellectual property within and outside the organization. Assuming the software security group is separate from the centralized information security group, it is important that both groups collaborate on all policies and guidelines related to the development and