Core Software Security by Anmol Misra, James Ransome

Chapter 5: Design and Development (A3): SDL Activities and Best Practices
The design and development (A3) phase (see Figure 5.1) is when the end user of your software is foremost in your mind. During this phase you will do an analysis of policy compliance, create the test plan documentation, update your threat model if necessary, conduct a design security analysis and review, and do a privacy implementation assessment so you can make informed decisions about how to deploy your software securely and establish development best practices to detect and remove security and privacy issues early in the development cycle. You will perform static analysis during both the design and development (A3) and the ship (A4) phases of your SDL. We will provide a detailed description of static analysis in the next chapter. You will build the plan for how you will take your project through the rest of the SDL process, from implementation, to verification, to release. During the design and development (A3) phase you establish best practices for this phase using functional and design specifications.
Figure 5.1 Design and Development (A3): SDL activities and best practices.
5.1 A3 Policy Compliance Analysis
A3 policy compliance analysis is a continuation of the A2 policy compliance review described in Chapter 4. During this phase, any policy that exists outside the domain of the SDL policy is reviewed. These might include policies from outside the development organization that set security and privacy requirements and guidelines to be adhered to when developing software or applications. Corporate security and privacy policies will likely instruct designers and developers on what the security and privacy features need to be and how they must be implemented. Other policies might focus on third-party and open-source software used as part of a software product, or on the protection and control of source code and other intellectual property within and outside the organization. Assuming the software security group is separate from the centralized information security group, it is important that both groups collaborate on all policies and guidelines related to the development and post-release security support and response of software from that organization. It is also important to collaborate with the privacy function of your company, whether it is a centralized group or outside legal counsel.
5.2 Security Test Plan Composition
Testing activities validate the secure implementation of a product, which reduces the likelihood of security bugs being released and discovered by customers and/or malicious users. Software assurance and competency from a security perspective are demonstrated by security testing and the use of artifacts, reports, and tools. The goal is not to test for insecurity, but rather to validate the robustness and security of the software products before making the product available to customers. These security testing methods do find security bugs, especially in products that may not have undergone critical secure development process changes. The results of security testing and evaluation may also uncover deficiencies in the security controls used to protect the software that is under development. A detailed plan of action and milestone schedule are required to document the corrective measures planned to increase the effectiveness of the security controls and provide the requisite security for the software prior to its release.
