Sunday, June 26, 2016

Secure Development Lifecycle - The Basics

A secure and stable system, whether you're designing a Point of Sale terminal, a Space Shuttle or a Mobile Device Management system, always begins with the development system: not the software. It is the software development system that results in either sound or harmful software. Quality and Security are not things that can be bolted at the end of development or when the vehicle is being deployed.

In the same vein, the absence of prior failure does not provide an indicator of future success. It was precisely this belief that helped doom the Challenger STS-51-L mission:
We have also found that certification criteria used in Flight Readiness Reviews often develop a gradually decreasing strictness. The argument that the same risk was flown before without failure is often accepted as an argument for the safety of accepting it again. Because of this, obvious weaknesses are accepted again and again, sometimes without a sufficiently serious attempt to remedy them, or to delay a flight because of their continued presence.(Rogers Commission, STS-51-L)
This is not to say we do not implement controls in the environment the system is deployed to provide safety and security. Instead, those controls cannot account for or reverse bad planning, design, or implementation.

It is the responsibility of those performing the implementation - of any system - to ensure that the system under design is developed using a Secure Development Lifecycle.

For Software Development, there are six touch-points, each with associated activities, that must be performed to address security requirements:

  1. Requirements and Use Cases 
    • Abuse Cases / Attacker Stories 
    • Security Requirements 
  2. Architecture and Design 
    • Risk Analysis 
  3. Test Plans 
    • Risk Analysis 
    • Risk-Based Security Tests 
  4. Code 
    • Code Reviews 
  5. Tests and Results 
    • Risk Analysis 
    • Penetration Testing 
  6. Feedback from Consumers (the field, customers) 
    • Penetration Testing 
    • Security Operations
In future blogs, I'll address each of these topics.