Appendix: Key Success Factors, Deliverables, and Metrics for Each Phase of Our SDL Model

In Chapters 3 through 7, we have outlined key success factors, deliverables, and metrics that should be captured as part of our Security Development Lifecycle (SDL) model. In Chapter 8, the SDL post-release phase, we outline the key deliverables and metrics. The key success factors, deliverables, and metrics are not set in stone and may need to be tweaked as you map the SDL to your own Software Development Lifecycle (SDLC). In this Appendix, we have summarized (in tabular form for your quick reference) the key success factors, deliverables, and metrics that we have outlined in Chapters 3 through 8.
Table A.1 Key Success Factors for Each Phase of the SDL
(Columns: Phase; Key Success Factor; Description. Each entry below reads "Key Success Factor: Description".)

Security Assessment (A1): SDL Activities and Best Practices
  1. Accuracy of planned SDL activities: All SDL activities are accurately identified.
  2. Product risk profile: Management understands the true cost of developing the product.
  3. Accuracy of threat profile: Mitigating steps and countermeasures are in place for the product to be successful in its environment.
  4. Coverage of relevant regulations, certifications, and compliance frameworks: All applicable legal and compliance aspects are covered.
  5. Coverage of security objectives needed for software: "Must have" security objectives are met.

Architecture (A2): SDL Activities and Best Practices
  1. Identification of business requirements and risks: Mapping of business requirements and risks defined in terms of CIA
  2. Effective threat modeling: Identifying threats for the software
  3. Effective architectural threat analysis: Analysis of threats to the software and probability of threat materializing
  4. Effective risk mitigation strategy: Risk acceptance, tolerance, and mitigation plan per business requirements
  5. Accuracy of DFDs: Data flow diagrams used during threat modeling

Design and Development (A3): SDL Activities and Best Practices
  1. Comprehensive security test plan: Mapping types of security testing required at different stages of SDLC
  2. Effective threat modeling: Identifying threats to the software
  3. Design security analysis: Analysis of threats to various software components
  4. Privacy implementation assessment: Effort required for implementation of privacy-related controls based on assessment
  5. Policy compliance review (updates): Updates for policy compliance as related to Phase 3

Design and Development (A4): SDL Activities and Best Practices
  1. Security test case execution: Coverage of all relevant test cases
  2. Security testing: Completion of all types of security testing and remediation of problems found
  3. Privacy validation and remediation: Effectiveness of privacy-related controls and remediation of any issues found
  4. Policy compliance review: Updates for policy compliance as related to Phase 4

Ship (A5): SDL Activities and Best Practices
  1. Policy compliance analysis: Final review of security and compliance requirements during development process
  2. Vulnerability scanning: Scanning software stack for identifying security issues
  3. Penetration testing: Exploiting any/all security issues on software stack
  4. Open-source licensing review: Final review of open-source software used in the stack
  5. Final security review: Final review of compliance against all security requirements identified during SDL cycle
  6. Final privacy review: Final review of compliance against all privacy requirements identified during SDL cycle
  7. Customer engagement framework: Framework that defines process for sharing security-related information with customers
Table A.2 Deliverables for Each Phase of the SDL
(Columns: Phase; Deliverable; Goal. Each entry below reads "Deliverable: Goal".)

Security Assessment (A1): SDL Activities and Best Practices
  Product risk profile: Estimate actual cost of the product.
  SDL project outline: Map SDL to development schedule.
  Applicable laws and regulations: Obtain formal sign-off from stakeholders on applicable laws.
  Threat profile: Guide SDL activities to mitigate threats.
  Certification requirements: List requirements for product and operations certifications.
  List of third-party software: Identify dependence on third-party software.
  Metrics template: Establish cadence for regular reporting to executives.

Architecture (A2): SDL Activities and Best Practices
  Business requirements: Software requirements, including CIA
  Threat modeling artifacts: Data flow diagrams, elements, threat listing
  Architecture threat analysis: Prioritization of threats and risks based on threat analysis
  Risk mitigation plan: Plan to mitigate, accept, or tolerate risk
  Policy compliance analysis: Analysis of adherence to company policies

Design and Development (A3): SDL Activities and Best Practices
  Updated threat modeling artifacts: Data flow diagrams, elements, threat listing
  Design security review: Modifications to design of software components based on security assessments
  Security test plans: Plan to mitigate, accept, or tolerate risk
  Updated policy compliance analysis: Analysis of adherence to company policies
  Privacy implementation assessment results: Recommendations from privacy assessment