An initiation to SSDLC framework and the impact of Cloud development environments


In the age of cloud computing, and with the increasing cyber security concerns and business risks associated with insecure applications, conducting security testing after developing the software and right before going "live" is no longer an option. Organizations today have become aware of the need to integrate security into the development process.

Implementing a proper Secure Software Development Life Cycle (SSDLC) is important now, more than ever.

What is SSDLC and how does it work? 

As security is most effective if planned and managed throughout every stage, SSDLC is a framework that intends to integrate security and privacy considerations throughout the software development lifecycle. It helps build highly secure applications, address security compliance needs, and reduce development costs.

Yes, it reduces the cost. In fact, performing security-related activities at the end of the software development lifecycle results in finding bugs, flaws, and other vulnerabilities when they are far more expensive and time-consuming to fix. It might also delay the launch of the application, or lead to launching an application that is not secure enough, as there might not be enough time to fix all vulnerabilities or, worse, they might not be found at all.

Normally, software development goes through six key stages:

  • The Planning stage consists of gathering requirements and determining the project's financial and technical feasibility.
  • The Defining stage involves getting clarity on the product requirements and documenting them, often by way of a Software Requirement Specification (SRS).
  • The Designing stage is based on the SRS, which product architects use to construct a Design Document Specification (DDS) that includes design approaches, architecture, data flow and third-party integrations.
  • The Building or Development stage is when development begins. Developers follow the DDS and generate code according to their organization's coding guidelines document.
  • The Testing stage includes reporting of defects and fixing them until the product reaches the required standard.
  • The Deployment stage is when the product is released.

SSDLC ensures that security assurance activities are an integral part of the development process by including architecture analysis during the design stage, code review during the building stage, and penetration testing before deployment. Depending on the framework used, SSDLC might also include training and security awareness activities.

How to get started with SSDLC in my organization?

There are multiple Secure Software Development Life Cycle (SSDLC) frameworks that an organization could adopt and use to help improve the security posture of software development and deployment processes as well as the overall security posture of the organization. However, it is recommended to combine those frameworks and adjust them to better fit the organization's context.

In fact, most of those frameworks have been developed to meet enterprises' internal requirements. Take the Microsoft SDL, the most common framework, for instance: it was an outcome of an initiative by Microsoft's software development groups. OWASP has also defined a Software Assurance Maturity Model (SAMM), which is dedicated to web applications.

Also, SSDLC depends on your development methodology. Once you define it, be it Agile, Lean or CD, each phase in the SDLC should be mapped to the corresponding activities in the SSDLC as follows:

[Figure: SDLC phases mapped to the corresponding SSDLC activities]

CLOUD IMPACT ON SSDLC

As many organizations rely more and more on Cloud services to build their applications, they are slowly migrating to what is known today as the cloud development lifecycle (CDLC). They are also forced to trust the cloud service provider (CSP) with tasks that traditionally were handled in-house by IT, and to adhere to the concept of Security Shared Responsibility. That being said, organizations are obliged to revisit security in every cloud component used in their software architecture.

The SDLC scope in the Cloud is therefore highly impacted, and below is a non-exhaustive list of what it includes:

  • The management plane, which refers to the interfaces for managing your assets in the cloud, is part of the SSDLC. 
  • IAM and internal controls provided by the CSP are also in scope for application security in the cloud because they ensure access to microservices.
  • As DevOps is dictating the new approach for cloud application development, CI/CD pipeline security and container and cluster security should now be integrated into SSDLC frameworks.

Most CSPs have clear recommendations that detail how you are responsible for securing your cloud resources. They manage and provide services with built-in security controls.

Your organization’s responsibility is then to refer to those measures and integrate them within your development lifecycle and make sure to design your code and cloud infrastructure according to security best practices, which includes measures that may not be enabled by default.

Summary

Thanks for reading my first article. This post is intended to introduce developers, DevOps engineers, CISOs and project managers to the SSDLC framework.

It is time for everyone to start building proper security routines and guidelines in your development team.

Congratulations on your first article! Thanks for sharing your good practices and tools for better integration security :). Quality must actually be in every layer.
