
Implementing Security in the SDLC


uma-terrell

Presentation Transcript


  1. Implementing Security in the SDLC Approach & Keys to Success

  2. Why is this important?
     Based on NIST SP 800-64
     • Early identification and mitigation of security vulnerabilities and misconfigurations, resulting in lower cost of security control implementation and vulnerability mitigation.
     • Awareness of potential engineering challenges caused by mandatory security controls.
     • Identification of shared security services and reuse of security strategies and tools to reduce development cost and schedule while improving security posture through proven methods and techniques.
     • Facilitation of informed executive decision making through comprehensive risk management in a timely manner.
     • Documentation of important security decisions made during development, assuring management that security was fully considered during all phases.
     • Improved organization and customer confidence to facilitate adoption and usage as well as executive confidence to promote continued investment.
     • Improved systems interoperability and integration that would otherwise be hampered by securing systems at various system levels.

  3. Approach
     There are many processes that may stand alone or be integrated. All methods of integration can lead to successful implementations of security in the SDLC.

  4. Peer Review Integration
     Peer Review Definition: A peer review is an assessment of a product conducted by a person or persons of similar expertise to the creator of the product. From a software development perspective, the product being assessed is source code.
     Advantages
     • Already in place to enforce standards.
     • Personnel executing the change tend to be integrated, familiar and trusted within the delivery organization.
     • The quickest method to put in place on several initiatives at once.
     • Helps eliminate bottlenecks in larger organizations that are delivery heavy.
     Challenges
     • Do not include SMEs in delivery areas that have security knowledge or backgrounds. This means increased documentation and training requirements for the Security & Compliance team.
     • Do not address post-implementation/maintenance security requirements.
     • Typically affect only one part of the life cycle.
     • Typically do not provide assurance right before implementation.

  5. Architecture Review Integration
     Architecture Review Definition: Architecture review is a scrutiny of the compliance of a specific project against established architectural criteria, spirit, and business objectives. The review is performed by an enterprise architect.
     Advantages
     • Catches errors in the project architecture early, and thereby reduces the cost and risk of changes required later in the lifecycle.
     • Incorporates architectural standards reflecting security goals and needs and may be updated any time there is a significant architectural or security/compliance requirement change.
     • Decides between architectural alternatives, since the decision-makers typically involved in the review have a more holistic vision that includes technical and business visibility.
     • Has similar needs to security compliance from a timing perspective.
     Challenges
     • Do not include architects with security knowledge or backgrounds. This means increased documentation and training requirements for the Security & Compliance team.
     • Do not address post-implementation/maintenance security requirements.

  6. Change Control Integration
     Change Control Definition: Change Control within IT is a formal process used to ensure that changes to a product or system are introduced in a controlled and coordinated manner. Change Control is typically a set of six steps: Record/Classify, Assess, Plan, Build/Test, Implement and Close/Gain Acceptance. It is in the Assess stage that the Security Analyst will perform his analysis and Risk Assessment.
     Advantages
     • Provides for the most comprehensive risk analysis.
     • Provides holistic compensations and mitigations.
     • Incorporates recent security and compliance changes.
     • Minimizes impact to the majority of IT resources.
     Challenges
     • Tends to create bottleneck situations due to there being a small ratio of security analysts to delivery personnel.
     • Does not provide security in design (privacy by design).
     • Can cause delays at the end of the SDLC process and incur inefficient resource use.

  7. Release Management Integration
     Release Management Definition: Release Management begins in the development cycle. If the request is approved, the new release is planned and designed. The new design enters the testing or quality assurance phase, in which the release is built, reviewed and tested. The release then enters the deployment phase, where it is implemented and made available. Once deployed, the release enters a support phase, where bug reports and other issues are collected; this leads to new requests for changes, and the cycle repeats. The Security Analyst performs his analysis and Risk Assessment between every phase.
     Advantages
     • Provides for the most comprehensive risk analysis.
     • Provides holistic compensations and mitigations.
     • Incorporates recent security and compliance changes.
     • Minimizes impact to the majority of IT resources.
     • Leads to fewer discoveries and issues the longer a solution has been in the lifecycle.
     Challenge
     • Tends to create bottleneck situations due to there being a small ratio of security analysts to delivery personnel.

  8. Keys to Success
     It’s all about Building Trust
     • Build Awareness
     • Focus on the facts.
     • Use industry data: There are several reputable sources that show the importance of security in the SDLC. The sources can be found on the best-practice side of things as well as in incident response.
     • Get Executive Buy-In
     • Discuss Reputation
     • Evangelize about protecting the brand/public perception.
     • Require executives to establish the worth of the organization’s reputation.
     • Educate executives on the impacts to reputation in the event of a compromise.
     • Protect sensitive data (PII, CC data, intellectual property and proprietary information).
     • Be Consistent.
     • Differentiate Between Security and Compliance Requirements.
     • Understand the “Why” behind every initiative.
     • Become Knowledgeable of the Business You are Evaluating.
     • Rarely, Definitively Say No.
     • Apprise executives of risk and let them make educated business decisions.
