SDLC - At what stage in the cycle do you "bring up" security?
During the development life cycle, it is important to plan for security integration. At what stage in the cycle do you "bring up" security?
SDLC could be taken as system development life cycle (Initiation, Acquisition/development, Implementation, Operation/maintenance, and Disposal) or software development life cycle (Requirements gathering, Design, Development, Testing/Validation, Release/Maintenance in general), since basic needs for computer systems may be different from developing software securely. As long as we are following a structure and nothing is being missed on security side and various steps involved, we are good.
Overall, whether we talk about system development life cycle or software development life cycle, security must be integrated in each and every phase involved.
What is Secure Software Development?
When security of the application is being on priority while each phase of development and all the possible measures have been taken, keeping in mind Confidentiality availability and integrity of the app right from beginning to end, no matter what model we follow, it's Secure Software Development.
As per Microsoft , "The Security Development Lifecycle (SDL) is a software development process that helps developers build more secure software and address security compliance requirements while reducing development cost"
Phase 1 Training
1. Core Security Training
Phase 2 Requirements
2. Establish Security and Privacy Requirements
3. Create Quality Gates/Bug Bars
4. Perform Security and Privacy Risk Assessments
Phase 3 Design
5. Establish Design Requirements
6. Perform Attack Surface Analysis/ Reduction
7. Use Threat Modeling
Phase 4 Implementation
8. Use Approved Tools
9. Deprecate Unsafe Functions
10. Perform Static Analysis
Phase 5 Verification
11. Perform Static Analysis
12. Perform Fuzz Testing
13. Conduct Attack Surface Review
Phase 6 Release
14. Create an Incident Response Plan
15. Conduct Final Security Review
16. Certify Release and Archive
Phase 7 Response
17. Execute Incident Response Plan
On the similar lines,Web Application Security Project (OWASP) talks about many recommendations that could integrate in each phase. Web Application Security Consortium (WASC) , talks about top attack methods against which application must be safeguard under Secure Software Development.