Importance of secure SDLC

-
Time does require the change. Isn’t it? We’ll talk about the importance of securely software development life cycle in this story. We all know what exactly SDLC is? SDLC stands for Software Development Life Cycle. The developers builds the applications for certain purpose. The SDLC process has got certain pre-defined phases. 

Requirement Gathering:

What is the purpose and what’s it going to take for building the application.

Plan and Design:

Plan the phases of development. Prioritize the modules and finalize the design suitable.

Implementation:

Start implementing the modules. Coding takes place.

Testing:

Test the modules which are built

Deploy:

Deploy the application once the application is tested properly.

Maintain:

Check whether the application behaves exactly in the same way it was meant to. Eliminate the vulnerabilities identified if any.
This is how the traditional SDLC process works. There are certain models to accomplish the process. What’s missing here is the SECURITY factor. The application is built using the various framework and as per the requirements. Once the application is built, it goes under the testing phase where the vulnerabilities or weaknesses are identified. Once these vulnerabilities are identified, developers are asked to fix them with the help of security analysts.
This is the process which most of the organizations follow. This can even lead the delay in going live for the application and more often frustrates the developers as they need to deal with the pressure of maintaining the deadlines for going live and also need to fix the vulnerabilities identified in the testing phases. Later on they come up the clarifications and files for exceptions in the vulnerabilities. These exceptions might lead to some serious exploitation meanwhile the developers fix the vulnerabilities. Well, these are the scenarios which occurs in the most of the big organizations. It’s security analyst’s responsibility to tackle all the vulnerabilities and give proper judgement. 
There’s one solution for this problem: Secure SDLC. What if the security is included in the SDLC process from the very first phase? What if all the precautionary steps are taken from the start. To do this, it is necessary for the developers and other concern team related teams to understand the importance of security. Security has become the essential ingredient to avoid the major exploits and more importantly run the business flawless. There are certain pre-defined guidelines which needs to be keep in mind while developing the application. Let’s consider the scenario of broken authentication.
There are certain scenarios which developers need to take care to avoid setbacks later.
- What authentication mechanism is used?
- How secure is it?
- Is the session timeout set properly?
- How complex is the session Id? Is it guessable?
- What’s the password policy?
- Multi-factor authentication used or not? How effective is it?


image-source: OWASP
There are plenty of questions that can be added in the above list. Starting from Authentication to Monitoring, there needs to be a defined process. That’s what secure SDLC is all about.
Secure SDLC is nothing but implementing the well needed security in the application covering all the areas of it. Frameworks, libraries, authentication mechanisms, data storage, servers used and much more. Once the application is built securely, you don’t have to worry much. All you need to do is monitoring and maitainance which falls under post production phase. In Post production phase, you need to check for the vulnerabilities in your application by running periodical scans or conducting the audits in quarterly or as per your requirement. 
To carry out the secure SDLC more effectively, developers needs to understand the importance of security as mentioned earlier and this task can be achieved by providing them the trainings. The training program needs to be in place by the security experts to help developers understand the security factor in app development. Apart from training programs, there is need to include security experts or analysts in the analysis phase. Once the application requirements are defined, it is necessary to analyze them. What’s the best platform to build the application, how secure is it, what server to opt for, the database being used. The security analysts can provide their valuable feedback and recommendations while building the application. There is no point of using the vulnerable libraries and frameworks while building the application and later on recognizing that oh snap, this is vulnerable and attacker can leverage this weakness. We need to change the damn libraries again. This won’t help the developers at all. That’s why it is good to have security analysts on board from the analysis phase itself.
There are OWASP security guides available as well which can help the developers to understand what’s best to use and keep in mind while building the secure applications. 
The effective implementation of secure SDLC not only strengthens the security of your application but also eliminates the extra efforts and time of the developers as well as the pen testers. So, it’s always a good option to adopt the change which is in our favor. Secure SDLC is the change which needs to be adopted on wide scale.

Comments

Post a Comment

Popular posts from this blog

Dresscode-Android malware that can infiltrate corporate networks is spreading

-
Image
According to Trendmicro, DressCode-a family of Android malware, has been found circulating in at least 3,000 Trojanized apps. An Android malware is spreading across app stores, including Google Play, and has the capability of stealing sensitive files from corporate networks. DressCode hides itself inside games, user interface themes, and phone optimization boosters. It can also be difficult to detect because the malicious coding only makes up a small portion of the overall app. On Google Play, Trend Micro found more than 400 apps that are part of the DressCode family, it said. That's 10 times more than what security researchers at Check Point observed a month ago. Trend Micro added that one these apps on Google Play had been installed 100,000 to 500,000 times. Once installed, Dress Code's malicious coding will contact its command and control servers and receive orders from its developers. The malware is particularly dangerous because it can infiltrate whatever internet
Read more

Clickjacking leads Android ransomware to gain the administrative rights!

-
Image
What is Ransomware? Ransomware   is one type of malware which prevents or limits users from accessing their system.   File-encrypting ransomware which is also called as Cryptolocker applications that target Android devices are becoming increasingly sophisticated. One new such program is using clickjacking techniques to trick users into granting it administrator rights. What’s this Clickjacking? Clickjacking is a method that involves manipulating the UI in a way that allows attackers to hijack users' clicks and trigger unauthorized actions. It is mostly used in Web-based attacks, where various technologies allow creating invisible buttons and positioning them on top of seemingly harmless page elements. Due to the restrictive application permissions system in Android, ransomware apps targeting the OS have historically been less effective than on Windows. For example, many of the early Android ransomware threats only displayed a persistent window on the screen with an
Read more