Embedding Security In Your Development Process

In his latest article Alessandro Innocenzi teaches us how to embed security at the heart of your development lifecycle.

As a software architect with a specific focus on SecDevOps, I want to design my applications with security in mind, rather than as an afterthought.

Unfortunately, especially in Italy, most companies don’t take security seriously, as the CommitStrip.com cartoon below emphasizes:

Security too expensive? Try a hack.

But we want to do projects the right way, so in our Software Development Life Cycle (better known by its acronym, SDLC) we have to shift security to the left, adding security-oriented activities to the development process.

This is called the Security Development Lifecycle, or SDL (sometimes SSDLC).

With SDL we can avoid all (or almost all) security problems, from simple buffer overflows to the more complex man-in-the-middle attacks.

There are many frameworks and methodologies from Microsoft, BSIMM, SAFECode, NIST and OWASP that can help us use security as the starting point for designing better software solutions.

Each of these frameworks has its own guides, tools, activities and practices, structured in its own way, while the phases in general are Training, Requirements, Design, Implementation, Validation/Verification, Release and Response/Maintenance.

Obviously, nobody is forced to use these frameworks as they are. For example, many companies modify some activities or phases according to their needs. Still, I advise you to consider using this type of approach in your software development life cycle, even in small projects.

As developers, we have an obligation to create safe environments, as well as secure our existing environments, for the sake of everyone.

If you have been in software development for a while, you will be familiar with the scenario in the above cartoon, but by starting with security in your development, that scenario can be avoided.

If you are a developer and acutely aware of the lack of security audits around your software, start thinking about how to use security as a starting point in your development cycle. It will save you a lot of stress later.