
Security in the Software Development Lifecycle

by Srini Penchikala on Feb 21, 2011. Estimated reading time: 1 minute

Application security must be integrated into the software development process. Late-stage penetration testing alone is not sufficient, because by then it is too late and too expensive to fix mistakes. Steve Lipner from Microsoft spoke at the application security seminar at the RSA 2011 Conference last week about security in the software development lifecycle. He walked through the phases of the Security Development Lifecycle (SDL) process developed by Microsoft:

  • Security Training
  • Requirements
  • Design
  • Implementation
  • Verification
  • Release
  • Response

There is also an agile version of the SDL framework that supports the integration of security aspects into agile development processes. Security requirements in agile processes can be assigned to three categories:

  • Every-Sprint: high-priority and critical security requirements that must be completed in every sprint; they can be identified using techniques like threat modeling.
  • One-time: infrastructure and policy requirements that are done once, like deciding on a compiler version or setting up a bug tracking database.
  • Bucket: requirements that are long-running or deferrable and can be scheduled across sprints. Examples are file or ActiveX fuzzing.

Other speakers at the seminar presented techniques for improving application security. Alberto Revelli (Cigital) discussed secure design principles such as blacklisting vs. whitelisting, memory-level and host-level protections, secure interoperability, the principle of least privilege, and compartmentalization.

Brian Chess and Jacob West (both from Fortify) talked about secure coding techniques. There are various security defect classification lists such as the OWASP Top 10, Seven Pernicious Kingdoms, Common Weakness Enumeration (CWE), SANS Top 25, and Common Vulnerability Scoring System (CVSS) that organizations can use to manage the security vulnerabilities in their applications. Jacob gave examples of vulnerabilities like Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), HTTP Response Splitting, Session Fixation, and SQL Injection. Brian recommended secure coding guidelines like making good validation the default, establishing trust boundaries between the different layers of the application, indirect selection, and whitelisting.
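As an added illustration of three of the guidelines Brian Chess listed (validation by default, a trust boundary, and indirect selection with a whitelist), the following Python snippet is example code written for this article, not code from the talk or from Fortify. It lets a caller choose a sort column for an SQL query without ever passing the caller's string into the query: the client-supplied key only selects an entry from a server-side table, and the table contents and the `users` schema are constructed sample data.

```python
import sqlite3

# Constructed sample schema and rows, used only to make the example runnable.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(2, "bob", "bob@example.com"), (1, "alice", "alice@example.com")],
    )
    return conn

# Whitelist of the only identifiers that may ever appear in ORDER BY.
# The client never sends a column name; it sends a key, and the server
# selects the real identifier indirectly from this table.
SORT_COLUMNS = {
    "by_id": "id",
    "by_name": "name",
    "by_email": "email",
}


def resolve_sort_column(requested: str) -> str:
    """Trust boundary: untrusted input enters here and only a whitelisted
    identifier leaves. Rejection is the default; no key, no query."""
    try:
        return SORT_COLUMNS[requested]
    except KeyError:
        raise ValueError(f"unsupported sort key: {requested!r}") from None


def list_users_sorted(conn: sqlite3.Connection, sort_key: str) -> list:
    """Return user names ordered by the column chosen via indirect selection.

    The f-string below is safe only because `column` can never be anything
    other than one of the three literals in SORT_COLUMNS."""
    column = resolve_sort_column(sort_key)
    cur = conn.execute(f"SELECT name FROM users ORDER BY {column}")
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = make_db()
    print(list_users_sorted(db, "by_id"))    # ['alice', 'bob']
    try:
        list_users_sorted(db, "name; DROP TABLE users")
    except ValueError as exc:
        print("rejected:", exc)
```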

Chris Eng (Veracode) explained the different security testing methods, including static analysis, dynamic analysis, manual testing, and fuzzing, and the strengths and limitations of each. Reeny Sondhi (EMC Corporation) gave an overview of the vulnerability response program used in her organization.