Core Software Security by Anmol Misra, James Ransome

Chapter 7
Ship (A5): SDL Activities and Best Practices

Now that you have reached the last phase of the software development lifecycle, you need to ensure that the software is secure and that privacy issues have been addressed to a level at which the software is acceptable for release and ready to ship. Software security and privacy requirements should have come from initial phases and been refined throughout the cycle. In this chapter, we will take you through the last stage of policy compliance review, followed by the final vulnerability scan, pre-release penetration testing, open-source licensing review, and the final security and privacy reviews (see Figure 7.1).
As discussed in SDL Phases (A1)–(A4), SDL policy compliance covers all projects that have meaningful security and privacy risks and is analyzed in each phase and updated to cover new threats and practices. In the final policy compliance review, the SDL policy will be reviewed to ensure that the policy provides specific requirements based on different development criteria, such as product type, code type, and platform.
A vulnerability scan will look for any remaining vulnerabilities in your software and associated systems and report potential exposures. This process is usually automated, and it will typically be run by somebody in your own organization. In contrast, a penetration test actually exploits weaknesses in the architecture of your systems and requires various levels of expertise across the scope of the software and associated systems you are testing. The testing is typically conducted by a seasoned security individual or team from a third party, which provides an independent point of view, high-level or specialized external expertise, and “another set of eyes.”

Figure 7.1 Ship (A5): SDL activities and best practices.
During the final SDL security review of the software being assessed, all of the security activities performed during the process, including threat models, tool outputs, and performance against requirements defined early in the process, will be assessed to determine whether the software product is ready for release and shipping. We will discuss the three options that can occur as part of this process.
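As an added illustration (not code from the book or its authors), the following Python script models how an automated release gate could combine the activities this chapter describes: the policy requirements selected by product type, code type, and platform; the open findings from the final vulnerability scan; threat-model and penetration-test status; the open-source license review; and the approved policy exceptions that Section 7.1 mentions. The policy values, severity ceilings, field names, and sample projects are all assumptions made for this example.

```python
"""Ship-phase release gate (added illustration, not from the book).

Combines the SDL activities the chapter lists: policy requirements selected
by product type, code type and platform; final vulnerability scan output;
threat-model and penetration-test status; open-source license review; and
approved policy exceptions. Every name, threshold and sample value below is
an assumption made for this example.
"""
from dataclasses import dataclass, field

# Assumed SDL policy: requirements keyed by the development criteria the
# policy compliance review uses. Values are illustrative, not a real standard.
POLICY = {
    "product_type": {
        "internet_facing": {"max_open_severity": "medium", "pentest_required": True},
        "internal": {"max_open_severity": "high", "pentest_required": False},
    },
    "code_type": {
        "native": {"static_analysis_required": True},
        "managed": {"static_analysis_required": True},
    },
    "platform": {
        "server": {"license_review_required": True},
        "embedded": {"license_review_required": True},
    },
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Project:
    name: str
    product_type: str
    code_type: str
    platform: str
    threat_model_complete: bool
    static_analysis_run: bool
    pentest_done: bool
    license_review_done: bool
    # Open findings from the final scan: (id, severity, exception id or None)
    open_findings: list
    # Exception ids approved and tracked for this project
    exceptions: set = field(default_factory=set)


def applicable_requirements(project: Project) -> dict:
    """Merge the policy entries selected by each of the project's criteria."""
    reqs = {}
    for criterion in ("product_type", "code_type", "platform"):
        reqs.update(POLICY[criterion][getattr(project, criterion)])
    return reqs


def evaluate_release(project: Project):
    """Return (ready_to_ship, blockers).

    A finding above the policy's severity ceiling blocks shipping unless it is
    covered by an approved exception; a missing required activity always blocks.
    """
    reqs = applicable_requirements(project)
    blockers = []
    if not project.threat_model_complete:
        blockers.append("threat model not completed")
    if reqs.get("static_analysis_required") and not project.static_analysis_run:
        blockers.append("static analysis tool output missing")
    if reqs.get("pentest_required") and not project.pentest_done:
        blockers.append("pre-release penetration test not performed")
    if reqs.get("license_review_required") and not project.license_review_done:
        blockers.append("open-source license review not completed")
    ceiling = SEVERITY_RANK[reqs["max_open_severity"]]
    for finding_id, severity, exception_id in project.open_findings:
        if SEVERITY_RANK[severity] <= ceiling:
            continue  # within what the policy tolerates at release
        if exception_id is not None and exception_id in project.exceptions:
            continue  # accepted risk, documented through the exception process
        blockers.append(f"open {severity} finding {finding_id} exceeds policy ceiling")
    return (not blockers, blockers)


# Constructed sample projects for a stand-alone run.
READY = Project("web-portal", "internet_facing", "managed", "server",
                True, True, True, True,
                [("F-1", "high", "EXC-7"), ("F-2", "medium", None)],
                {"EXC-7"})
BLOCKED = Project("build-agent", "internal", "native", "server",
                  True, False, False, True,
                  [("F-3", "critical", None), ("F-4", "high", None)])

if __name__ == "__main__":
    for project in (READY, BLOCKED):
        ok, why = evaluate_release(project)
        print(project.name, "ready" if ok else "blocked", why)
```

The gate treats an approved exception as the only way an over-ceiling finding can pass, which keeps the accepted risk visible in the exception record rather than silently lowering the bar; the reasons list is what a final security review would hand back to the project team.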
It is essential to be in compliance with applicable open-source requirements to avoid costly and time-consuming litigation. The two primary areas of concern for those managing the SDL where open-source software is used as part of the product or solution are license compliance and security.
The privacy requirements must be satisfied before the software can be released. They are typically verified concurrently with the final security review and, in many cases, are now considered part of the same process.
7.1 A5 Policy Compliance Analysis
As discussed for SDL Phases (A1)–(A4), SDL policy compliance covers all projects that have meaningful security and privacy risks and is analyzed in each phase and updated to cover new threats and practices. Specifically, activities and standards in the policy have been refreshed in each SDL phase; they have incorporated lessons learned from root-cause analysis of security incidents, adapted to the changing threat environment, and resulted in tool and technique improvements. During the subsequent phases, SDL policy compliance has been tracked and, if needed, exceptions have been issued for high-risk projects. From the beginning of the SDL process, the SDL policy has formally defined which projects qualify for SDL mandates and what the requirements are for compliance. This policy has become a significant part of the governance of the SDL process in that it:
