One of the most important aspects of creating a secure software solution is to focus on security from the start, it cannot be tested in. Many organizations make extensive use of security testing products to help find security vulnerabilities that exist in software solutions after deployment but which could have been identified by integrating security during development.
There are many different strategies that an organization can use to ensure security development (SDL) practices are integrated into the Systems Development Life Cycle SDLC but my focus here is to summarize some important factors to consider in that strategy. Processes for integrating security in software development are usually customized and different from one organization to another and therefore, it is one topic that is difficult to learn in an information security course of study. The difference in my opinion is due to various factors that include (1) risk tolerance, (2) security culture and (3) capability maturity levels of information security processes within an organization.
Understanding the 3 factors described above are very important in this scenario. One example of a secure culture would be an organization that has already established an information classification standard. This will assist in determining a level of risk for the “information” being processed by a software solution being implemented. If this is non-existent, you may have to get advice from a risk consultant or research what is being done in the industry to place a value on the type of information needing to be protected. Information Security processes for an entire organization can follow recommendations and concepts as documented in the ISO 27000 series standards. Obviously, if the processing involves handling or storing of information that is considered personal identifiable information (PII), that is a good indicator of where there is value to a potential attacker. Note that information can still be considered private in the sense that a person may not wish for it to become publicly known, without being personally identifiable. Another risk could be the disclosure of intellectual property which is always more difficult to value but fits into the category of risk tolerance for the organization. Establishing a secure culture is the intent of a good security awareness program that describes the audience as partners in risk management.
Most importantly, security is a process and not a one size fits all process at that. Some of the things to consider when developing a process to integrate security are Threat Modeling that includes the mitigation techniques that define security requirements and “Security Testing” similar to penetration testing but specifically focused on the security requirements for the software. The capability maturity level of the processes that integrate security into the development practices help not only define them but push for active optimization.
The security process in an organization of any size should be one targeted for constant improvement. Integrating the need to define security requirements early on in the SDLC can be a valuable contribution to a Risk Management program and a good defense-in-depth security strategy. Moreover, there have been many estimates throughout the industry that have proven security issues to be much less costly to an organization when they are identified early during development rather than after deployment. Software use cases and user population can change over time due to the need for more access to information and as those changes are made, security ramifications should be reviewed as well. For this reason, a security process defined and integrated early in the entire life cycle is very important.