As it is rightfully said that developing secure software is critical to a company’s reputation and bottom line, a vulnerability can resolute in the loss of millions of dollars, Intellectual property, assets and the ruin of the organization’s reputation. This was evident as in the case of April 19, 2011, attack on the Sony Playstation Networks, which gave hackers access to millions of customer credit card information and denial-of-service for days on end.
Information security has become one of the most prominent concerns for many software development companies, communities, and developers as a whole. However, we still have many vulnerabilities in our code, even after decades of advancements in technology and coding technique?
The answer to this question is relatively simple. Developers are bombarded with the need to develop and release rapidly with not much emphasis on Security being a requirement in the early stages of the Software Development Life Cycle(SDLC). Another reason which was also stated by Shackleford(2011), is “the relationship among developers and security personnel, which has traditionally been perceived as being like oil and water”. Even though developing a bug-free code might be on developers’ minds, the priorities coincide with the statement made before, they are more concerned with functionalities, meeting deadlines and minimizing the time to market.
Figure 1.0 Illustrates the Software Development Life Cycle(Hussung, 2016)
As more development companies adopt Agile development style of development, which focuses on speed above all other things.
What we need on a global scale is an awareness of the increase in security vulnerabilities and the result of the same. We could even go a step further and implement the security measures or requirements and testing in each of the Software Development Life Cycle phases shown in above Figure 1.0. By doing so it will greatly reduce both time and financial costs and there wouldn’t be the fear of “Security Toll Gate”.
Security tends to be associated with a coding project in three major areas, are:
- The first is during the QA reviews – where bugs are found, logged and prioritized
- “Security Toll Gate” as it is known – allows for the security team to be one part of a project review or planning committee.
- Lastly, the most comprehensive method integrates security and risk management into SDLC.
In conclusion, clearly, there are insurmountable benefits that can be gained from development and security groups working together, from improved code to efficient development operations or even quality-control processes. With this said, I reflect on the very powerful statement made in Coverity White Paper(2012), “The need to consider security and privacy “up front” is a fundamental aspect of secure system development. The optimal point to define trustworthiness requirements for a software project is during the initial planning stages. This early definition of requirements allows development teams to identify key milestones and deliverables, and permits the integration of security and privacy in a way that minimizes any disruption to plans and schedules.”.
Figure 1.1 Illustrates the Integration of Security into the SDLC(Smith, 2015)
Hussung, T. (2016) What Is the Software Development Life Cycle?, Available at: http://online.husson.edu/software-development-cycle/ (Accessed: Aug 12, 2016).
Coles, E.S., 2015. Analyzing and specifying security requirements in early stages of software development life cycle. Journal of Mobile, Embedded and Distributed Systems, 7(2), pp.87-94.
Coverity (2012) Building Security into Your Software Development Lifecycle, Available at: http://www.coverity.com/library/pdf/coverity-security-wp.pdf (Accessed: Aug 12, 2016).
Shackleford, D. (2011) Integrating Security into Development, No Pain Required. A SANS Whitepaper [Online]. Available at: https://www.sans.org/reading-room/whitepapers/analyst/integrating-security-development-pain-required-35060 (Accessed: Aug 12, 2016).