Traditional
software development believes security as Band-Aid or add-on features after the
programming is completed. Modern day product development does incorporate
security as part of the SDLC phases. In any business without the secure product,
business cannot run as it creates much more risk and the loss in return of
investment (ROI). So, incorporating security as part of software development life-cycle will help in identifying all associated risk to the product,
potential integration challenges, framework necessary for the product or re-usability of the existing framework, and predetermines the work necessary for
the parallel security integration with the software development and testing.
Involvement of security team in each phases, Analysis to production support
will lower any rework, cost associated to it and the maintenance will be easy
and cost effective.
Most
of the software development approached the risk based solution, meaning the
risks are identified during the planning phase along with the stakeholders and
the delivery team. Once we clearly identify the problem that we are trying to
solve and the risk associated, it much easier to develop, integrate, test and
deliver the validated and verified software application to the client. Hence,
identifying the risk and system vulnerabilities at the early phase requires a
proper system security planning process and it can be done in the early phases
of the planning and requirement gathering process (Kissel, et
al., 2008) .
Due to the market competition and the fast software delivery approach most of
the organizations are surging to agile framework and it is much easier to
integrate the security as part of the spring cycle rather than lengthy
waterfall process. Security requirements can be captured as technical user
stories along with the functional stories and it will be much easier and
thorough testing in this methodology. In addition, the pair programming has
grate essence in developing and testing the product security and function at
the same time which will leverage the software quality and the delivery in the
agile sprint cycle. Most important including security in SDLC requires lot of
meetings, minutes, decisions and documentation that are helpful during the line
at the time of production support and training vs integrating the security as
an ad-hoc feature late in the game without proper documentation and alignment.
So
what does it mean to include security in SDLC for different teams involved? For
a stakeholder it means safe and successful product and how it can be achieved
through integration, meaning stakeholder’s involvement in pre analysis and
during the development phases is equally important and intact to communicate
whether the standards are met or not. For the project managers, Chief
Information Security Officer (CISO) it is the process of working together to
identify the organizational vision, set the industry and organizational
standards, provide strategies and program for secure and sound software and
maintain the cost effective program. For Core development delivery team, it is
all about understanding the problem that we are trying to solve and approaches
to deliver the right product in right way. This involves the sound requirement
gathering and deliver to the team so that they can understand both functional and
security aspect of it. This can be done using the process modeling tools and
techniques and map the functional requirement with the security integration.
This will help the development team to develop and unite test as one product
rather than separate entity. For testing it means testing the integrated
application end to end than letting it go without any security features. Bugs
identified for any security holes can be fixed and promoted to the production
that has testing approval and stamp is much easier to handle within the SDLC
than later. For implementation, training and production support integration
security within SDLC means proper, process, less work, good documentation and
quick fix and support.
In
Conclusion, building security as part of every phases of the SDLC will be
beneficial to the users and the organization.
References
Kissel, R., Stine, K., Scholl, M., Rossman, H.,
Fahlsing, J., & Gulick, J. (2008, October). Security Considerations in
the System Development Life Cycle. Retrieved from National Institute of
Standards and Technology:
http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf
No comments:
Post a Comment