Security embedded into the dev life cycle, Step 1: Planning
Planning, 8 letters that entail responsibility and force you to prepare and think before typing a single line of code. Security, as most of you know, is a journey and not a destination, and as such it requires preparation before taking the first step. So what do we think about as we enter the planning phase?
Know the product: What type of application are we talking about from a deployment standpoint? For example, is it an on-premises product or a cloud-based service? Each has its own risks and exposure. Understand the layers in which the product will be developed and deployed, for example where each component sits in the 7-layer OSI model.
Identify the risks: Identify the attack surface and the product's exposure. Well-rounded, 360-degree threat modeling should be performed across all layers of the product, and adequate means of securing each layer should be defined (encryption, secure communications, hashing for integrity or password storage, etc.).
Identify external content: Identify the large third-party software (TPS) components that will be used and verify their security: check them for known vulnerabilities, record the exact versions you reviewed, and validate that what you build against is in pristine state by comparing it with the vendor's published checksums or signatures rather than trusting whatever was downloaded.
Training: Train the people. Make sure that those who write the product understand the meaning and implications of an insecure product, and educate them on the processes in place for handling issues as they arise.
Know the security ecosystem: Understand the various security tools that will be used. Testing tools should be verified before their results are trusted, and reporting and monitoring tools should be defined.
Plan of action: Make sure every layer of the product is secured: network, application, or any other layer for that matter.
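As an added worked example (not code from the original post), here is a small Python script for the "identify external content" item above: it checks fetched third-party artifacts against SHA-256 digests pinned from trusted copies, and flags dependency specifiers that are not pinned to an exact version. All artifact names, contents, the hash value in the sample requirements text and the function names are constructed for the demo.

```python
"""Added example, not from the original post: check that third-party
components are in the pristine state recorded at planning time.

Two checks worth scripting before the first line of product code:
  1. verify_artifacts: compare fetched third-party archives against
     SHA-256 digests recorded from a trusted copy;
  2. find_unpinned: flag dependency specifiers that are not pinned to an
     exact version (a range lets a future resolve pull in something new).
All artifact names, contents and requirement lines are constructed for
the demo; they are not real packages.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

Report = Dict[str, str]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifacts(manifest: Dict[str, str], fetched: Dict[str, bytes]) -> Tuple[bool, Report]:
    """Return (all_ok, status per artifact).

    Status values: "ok", "mismatch" (content differs from the pinned
    digest: tampering, a re-uploaded release, or the wrong version),
    "missing" (pinned but not fetched) and "unpinned" (fetched but not
    in the manifest, so nothing vouches for it). Every artifact is
    checked; the loop never stops at the first failure, so the report
    is complete.
    """
    report: Report = {}
    for name, expected in manifest.items():
        data = fetched.get(name)
        if data is None:
            report[name] = "missing"
            continue
        actual = sha256_hex(data)
        # Constant-time compare; cheap insurance even when the digest is public.
        report[name] = "ok" if hmac.compare_digest(actual, expected.lower()) else "mismatch"
    for name in fetched:
        if name not in manifest:
            report[name] = "unpinned"
    return all(status == "ok" for status in report.values()), report


# Exact pin: "name==1.2.3" (extras such as "name[x]==1.2.3" allowed).
# Anything else ("name", "name>=1.0", "name~=1.4", "name==1.*") floats.
_EXACT_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*==\s*([^\s,;]+)")


def find_unpinned(requirements: str) -> List[str]:
    """Return the dependency lines in a requirements-style text that are not
    pinned to one exact version. Comments and blank lines are ignored."""
    unpinned: List[str] = []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _EXACT_PIN.match(line)
        if not m or "*" in m.group(3):
            unpinned.append(line)
    return unpinned


def demo() -> Tuple[bool, Report, List[str]]:
    """Run both checks on constructed inputs."""
    # Digests a team would have recorded from trusted copies during planning.
    trusted = {
        "libparse-1.4.tar.gz": b"libparse 1.4 source tree (constructed)",
        "authkit-2.0.whl": b"authkit 2.0 wheel (constructed)",
        "imgcodec-0.9.zip": b"imgcodec 0.9 archive (constructed)",
    }
    manifest = {name: sha256_hex(data) for name, data in trusted.items()}
    # What the build machine actually pulled down: one artifact untouched,
    # one silently altered, one never fetched, one extra nobody approved.
    fetched = {
        "libparse-1.4.tar.gz": trusted["libparse-1.4.tar.gz"],
        "authkit-2.0.whl": b"authkit 2.0 wheel (constructed) + injected code",
        "leftpad-9.9.tgz": b"unreviewed helper (constructed)",
    }
    ok, report = verify_artifacts(manifest, fetched)

    # Constructed requirements text; the --hash value is a placeholder, not a real digest.
    requirements = "\n".join([
        "# constructed requirements file",
        "libparse==1.4",
        "authkit>=2.0          # floats: tomorrow's resolve may pick 2.1",
        "imgcodec[extra]==0.9 --hash=sha256:deadbeef",
        "leftpad",
    ])
    unpinned = find_unpinned(requirements)
    return ok, report, unpinned


if __name__ == "__main__":
    all_ok, status_report, floating = demo()
    for artifact, status in sorted(status_report.items()):
        print(f"{status:9} {artifact}")
    print("unpinned:", floating)
    print("all pristine:", all_ok)
```

The digests are computed from the trusted copies inside the demo only so that the example runs offline; in practice the manifest is written down once, from a copy obtained through a channel you trust (vendor signature, reproduced build), and then checked on every fetch. Recording the pins is the planning-phase deliverable; the build system enforces them later.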
Clearly this is not an exhaustive list, so please add your thoughts in the comments section. Just keep in mind that we are simply talking about planning; we have not written a single line of code yet. Let us start the journey!