SDLC Flashcards
What parts of the SDLC should security be integrated into?
Essential that security is embedded in all stages of the SDLC
Requirements definition
Design
Development
Testing
Implementation
And this should be flexible
Catch security issues early on
Supporting quotes and research (+)
Secure Coding Guidelines (-)
Secure Coding checklist (+)
Non Functional Requirements (++)
Static Code Analysis (+)
Dynamic Code Analysis (+)
Security Awareness Training (++)
Threat Modeling (+/-)
Application Security Risk Matrix (++)
Published SDLC (++)
What should you do to secure the SDLC?
Security requirements review
Secure design review
Secure code review
Penetration testing
What is a Secure Software Development Lifecycle (SSDLC)?
A Secure SDLC requires adding security testing at each software development stage, from design, to development, to deployment and beyond. Examples include designing applications to ensure that your architecture will be secure, as well as including security risk factors as part of the initial planning phase.
What is SCA?
SCA stands for static composition analysis. It is an application security methodology in which development teams can quickly track and analyze any open source component brought into a project. Simply put, SCA is used to scan your dependencies for security vulnerabilities.
GitHub has code scanning (SAST) and Dependabot.
There’s Snyk for SCA.
What is DAST?
Dynamic security testing.
DAST uses a black-box approach that assumes testers have no knowledge of the inner workings of the software being tested and have to use the available inputs and outputs.
For example, when testing web applications, a DAST system will crawl web pages, locate the endpoints of web services, and test a range of inputs and outputs. Another key difference between SAST and DAST is that because DAST requires functioning software, it can only be used much later in the development process than SAST.
Fuzzing
SAST system