Secure Development Lifecycle Flashcards
Learn the stages and requirements of SDLC
What is Secure Development Lifecycle?
The secure development lifecycle (SDLC) is a comprehensive approach that integrates security considerations throughout the entire software development process, from initial requirements to end-of-life.
What are the benefits of implementing Secure Development Lifecycle?
By implementing a robust SDLC, organisations can bolster their application security and ensure that security is a key focus at every stage of the development journey.
What are the stages of secure development life cycle?
Requirements, design, development, testing (static analysis, dynamic analysis and penetration testing), deployment, and maintenance and end of life.
Describe what each stage entails.
Requirements: In this stage, developers gather and define the functional and security requirements for the software. It’s essential to consider security aspects early on.
Design: During design, architects create a blueprint for the software. Security design principles, threat modelling, and secure architecture decisions are made here.
Development: Developers write the actual code. Secure coding practices, input validation, and avoiding common vulnerabilities (e.g., SQL injection, buffer overflows) are crucial.
Testing: Security testing occurs at multiple levels:
Static Analysis: Scans the code for vulnerabilities without executing it.
Dynamic Analysis: Tests the running application for security flaws.
Penetration Testing: Simulates attacks to find vulnerabilities.
Deployment: The software is deployed to production. Security configurations, access controls, and secure deployment practices are followed.
Maintenance and EoL: Regular updates, patches, and monitoring are essential. Security incidents are addressed promptly.
What are the recommendations that organisations should implement, based on the secure development life cycle stage?
Requirements:
Should conduct threat modelling to identify potential security threats and define security controls required to mitigate these risks.
Design:
Should use secure design patterns and conduct regular design reviews with a focus on security, ensuring that the architecture avoids common security pitfalls.
Development:
Implement mandatory secure coding training for developers and use static code analysis tools to identify and remediate security flaws during the development phase.
Deployment:
Use automated deployment tools that incorporate security checks and ensure that the production environment is hardened and securely configured.
Testing:
Should integrate automated security testing tools into their CI/CD pipeline to ensure continuous security assessment and include manual penetration testing to identify complex security issues.
Maintenance and end of life:
Implement a robust vulnerability management process and plan for secure decommissioning of the application, ensuring that all sensitive data is securely erased or migrated.
What strategies can be utilised for security automation and tooling?
DevSecOps Integration
Continuous Integration/Continuous Deployment (CI/CD) pipelines integrate security practices.
Tools like Jenkins, GitLab CI/CD, and CircleCI offer native capabilities or security-focused plugins.
Automated Processes:
Shift-left security: Integrate security tools into version control and CI/CD pipelines.
Intrusion detection, monitoring, and access control are automated for better security.
DevOps and Secure DevOps (DevSecOps)
DevOps automates SDLC phases, but security must be built in.
DevSecOps ensures automated security testing within DevOps activities.
What are the characteristics of static application security testing (SAST) tools?
For example, SonarQube can be integrated into the CI/CD pipeline, enabling automated code analysis with each build. This gives developers immediate feedback about security issues, facilitating early and efficient remediation.
What are the features of dynamic application security testing (DAST) tools?
For example, regular security scans with OWASP ZAP can be automated in the staging environment before each release, allowing the organisation to detect and address runtime security issues before they reach production.
What are the types of tools that can be used in security automation?
Software composition analysis (SCA) tools, infrastructure as code (IaC) tools, and security information and event management (SIEM) tools.
What is an example of a Software Composition Analysis (SCA) tool?
Integrate Black Duck into the development workflow to scan open-source dependencies whenever new code is committed, ensuring that developers are alerted to potential vulnerabilities or compliance issues immediately.
What can Infrastructure as Code (IaC) tools be used for?
Use Terraform to define and deploy infrastructure configurations, integrating security benchmarks into the code. This ensures that every piece of infrastructure deployed is configured according to security best practices.
What Security Information and Event Management (SIEM) tool could be used?
One can implement Splunk to continuously monitor and analyse security logs from all parts of the application and infrastructure. This integration helps quickly identify and respond to potential security threats, enhancing overall security responsiveness.
Describe the development strategies.
Identification of metrics for progress and effectiveness
Metrics are quantifiable measurements used to assess performance, track progress, and measure the success of various processes, initiatives, or entities.
Transition plan
In the context of software development or project management, a transition plan helps ensure a smooth shift from one phase to another.
Milestones
Milestones are specific points in a project timeline where important outcomes are reached or objectives are met.
What elements should a transition plan have?
Initial assessment and training
Integration of Security Tools and Processes
Iterative Implementation and Feedback Loop
Identify the characteristics of milestones.
Completion of training programmes
Full implementation of security tools and processes
First complete development cycle with secure SDLC.