Advances in computer technology have prompted the development of frameworks that address security and development requirements in the software development lifecycle.
This article examines several established SDLC frameworks, as well as two frameworks that specifically incorporate risk and security elements. With growing cybersecurity threats, organizations must design and upgrade software applications with security in mind, while still providing users the high performance levels they expect.
Steps in the SDLC
Due to the unpredictable nature of software development, the SDLC process is far from straightforward and, as shown in the flow chart below, includes many loops. These loops help ensure issues are thoroughly checked and verified before software is deployed. Document each step and supporting activities carefully, as those records will be used throughout the development, testing, training and deployment phases and may be used as evidence for audits.
The seven steps of the SDLC are the following:
Analysis. In this step, the current system or process is analyzed, deficiencies are identified, and desired operating parameters and results are defined. Interviews should be conducted with primary users of the new app, as well as senior leaders whose approval is needed. During this step, developers should prepare a presentation for senior IT and company leadership to ensure they support the project.
Note: Secure management approval and funding before proceeding with the SDLC process.
Plans and requirements. Once the project is approved, define the new system’s features and capabilities. A project plan should be created at this stage, and developers should clearly state how previous deficiencies will be addressed in the new system. If a spreadsheet or project management software is used, build out the project plan, including subactivities within each main step.
Design. Begin developing the system design, including elements such as hardware, OSes, specialized utilities, I/O, software development tools, communications, security, programming, testing and deployment. Additional activities include project kickoff, operating procedures and related documentation, system specifications and potential end-of-project life plans.
Development. During this stage, program designs using internal software teams, external teams as needed, software development tools and other aids. Issues, such as enhanced testing, training, deployment, acceptance testing and management approval, should be defined and documented.
Testing. Once the preliminary system is completed, it should undergo a variety of tests to validate its performance, ease of use, communications capabilities and security attributes. Correct any issues that arise from testing. Tests should also be conducted on the corrections. Involve QA teams in this stage as well.
Deployment. Earlier in the design stage, develop a deployment schedule. Depending on the complexity, the system may need a phased rollout, as opposed to a single launch. This provides users the opportunity to get comfortable with the system in a “safe” environment. The existing system might have to be run in parallel with the new one to facilitate the transition.
During this step, training programs and materials should be developed for primary and alternate users. It may be useful to set up training with several workstations connected to both systems. This enables users to see the differences between the old and new system.
Post-deployment maintenance. Once the system enters this stage, it shifts into maintenance mode. Regularly monitor the new system’s performance. Necessary updates should be made during this stage without causing serious operational disruptions. Establish a patching schedule, along with schedules for system shutdowns for maintenance, updates to hardware, and cybersecurity and disaster recovery activities.
The following flow chart demonstrates how the SDLC process helps ensure performance issues are addressed before a system is put into operation.
Software development frameworks
Many software development frameworks have been created over the years; the following is a partial list. Each approach can be adapted to incorporate security issues in the development process:
The waterfall model, originally developed in 1970, espouses a linear, logical progression of activities, similar to the original SDLC model.
Rapid application development, designed for speed, uses more iterative and adaptive techniques and prototyping for software development.
Joint application development engages users more proactively at most phases of the development process, with the intent of improving their satisfaction with the result.
The fountain model is used to develop object-oriented software and uses iterative and incremental development processes.
The spiral model is favored for development of large, complex and costly projects. It builds risk management and iterative processes into the framework.
Agile, one of the most popular frameworks in use today, focuses on developing smaller pieces of the final software product rather than building the entire system.
Lean software development, a variant of Agile, is noted for its flexibility and lack of exact rules. It actively engages users at all stages of the development process and gathers team members into small working groups for greater collaboration.
Scrum, another Agile variant, is typically used by project managers to administer iterative and incremental activities.
Open source development tools
In addition to manually developing software systems, open source applications can help facilitate the development process. The following is a partial list of open source frameworks for development:
Spring Boot is designed for Java programming. It simplifies the coding process by providing easy-to-use, pre-written code.
Django is similar to Spring Boot in terms of functionality but is used for programming in Python.
Angular uses a template approach to web application design.
Apache Cordova facilitates the development process by creating multiple deployment environments, each of which uses a single codebase.
React Native is used for mobile application development.
Purpose-built secure software development frameworks
The aforementioned software development frameworks and models can be adapted to incorporate security provisions, but they’re not inherently designed for security.
The following two SDLC frameworks take the current approach to software design to a higher level by incorporating risk and security elements.
BSA Framework for Secure Software
Developed by BSA The Software Alliance and released in 2019, the BSA Framework for Secure Software is a risk-based and security-focused tool software developers, vendors and users can use to examine and analyze how software will perform in specific security situations. Software products and functions are the primary focus of the framework, as opposed to traditional SDLC-based models and frameworks. What makes the framework unique is how it helps users ensure that security is factored into the development process and that the software, as written, produces the desired security capabilities and outcomes.
The framework’s risk-based approach helps users and stakeholders identify specific security parameters required by their organization. BSA’s framework is composed of a detailed matrix of the following:
Functions are the highest-level activities in the framework. They include the following:
Secure development addresses all aspects and phases of the software development and deployment process.
Secure capabilities define key security characteristics and capabilities for a software product.
Secure lifecycle ensures security is maintained from the initial development of a product through to its end of life.
Categories define the main activities and capabilities of a function.
Subcategories divide categories into additional areas of consideration.
Diagnostic statements provide descriptive outcomes of categories and subcategories and are to be incorporated into the software design process.
Implementation notes provide additional guidance on how to achieve the outcomes defined in diagnostic statements and may also be incorporated into the software design process.
NIST SP 800-218 (2022), SSDF Version 1.1
NIST introduced its secure SDLC framework in 2021. The Secure Software Development Framework (SSDF) introduces and recommends specific security-focused activities for each phase of the SDLC.
By integrating the recommended activities specified in the framework into the proper lifecycle stage, software developers can reduce security vulnerabilities in newly developed or updated software, lower the effect of security breaches, and identify the causes of vulnerabilities to better prepare and prevent future breaches or attacks. SSDF includes a vocabulary of terms to facilitate communication among vendors and users.
A key message in the framework is the importance of introducing security issues and requirements as early as possible into the SDLC. Security can no longer be an afterthought. Rather, security should be an integral component of any software development project.
SSDF is a matrix based on the following elements:
Practices are activities recommended to be performed during the development cycle. The four practice groups are defined as follows:
Prepare the organization activities specify how organizations prepare employees, technologies and processes for secure software development activities.
Protect the software practices specify how organizations protect software from unauthorized access and malicious actors.
Produce well-secured software practices define how to produce secure software with few or no vulnerabilities.
Respond to vulnerabilities activities ensure any remaining vulnerabilities or software risks are addressed and corrected to prevent future vulnerabilities.
Practice elements are included within each practice matrix. They are defined as follows:
Practice specifies the practice and includes an identifier for ease of reference, plus an explanation of the practice and why it’s needed.
Tasks are the activities performed in a practice.
Notional implementation examples are examples of tools, processes and methods that help implement a task.
References are links to specific software development documents that may be relevant to a task.
While traditional SDLC models can be adapted to accommodate security practices, the two secure software development frameworks provide detailed guidance on the security attributes organizations should consider when building secure software products.