The Security Development Lifecycle (SDL) is a set of best practices intended to help software developers create more secure applications by keeping them within security assurance and compliance requirements and by reducing the number and severity of possible vulnerabilities. Some of these best practices are:
· Running team awareness programs and making security a persistent concern
· Implementing patch or update management
· Employing routine compliance checks and a reporting policy
· Applying risk assessment and threat modeling (Risk Management)
· Defining security requirements in software design, such as cryptography, cautionary steps for third-party and open-source components, preapproval requirements for using tools, and security testing procedures and analysis.
To apply the SDL practices to the software development process, we need to know that there are typically six phases in most development workflows:
· Concept & Planning
· Architecture & Design
· Implementation
· Testing & Fixing
· Release & Maintenance
· End of Life
Organizations tend to choose and employ SDL methodologies that have already been tested and proven. Each of these comes with a series of recommended practices that can be used as templates, giving the security team several options to review and to employ one or a combination of a few.
At "Marks & Travis Software Village," the SDL starts at the "Concept & Planning" stage with defining the principles of secure design and an itemized plan to address security issues from the first step, by reviewing the range of applicable security practices in developing a new application.
At the "Architecture & Design" stage, the SDL shows itself through modeling potential threats and adding countermeasures in response, and through third-party component tracking and monitoring to ensure a secure design.
The "Implementation" stage of software development at our company employs secure coding, static scanning, and code reviews to strengthen this development phase by combining automated checking with manual assessment.
The "Testing & Fixing" stage applies dynamic scanning, fuzzing, and pen-testing to the process to reduce security concerns and provide safeguards against known vulnerabilities.
At the "Release & Maintenance" stage of development, the SDL is applied through management of the application's environment, an incident response plan, and constant security checks, so that our team's application is as secure as possible in operation.
The "End of Life" stage requires SDL strategies such as data retention and data disposal to reduce unexpected risks and possible data breaches.
In an overview of SDL implementation at "Mark & Travis Software Village," I believe we have reasonably achieved an acceptable degree of secure software development by forming secure coding rules, building a security-oriented culture and awareness within the software designer teams, and defining our expectations from teams' outcomes.