Embedding Security in the SDLC
0 likes96 views
The document outlines 4 steps for embedding security into the software development lifecycle (SDLC): 1. Introduce automated security scanning tools like SonarQube and OWASP ZAP to find vulnerabilities and train developers on common risks. 2. Incorporate OWASP's proactive controls into the SDLC to shift from reactive scanning to secure coding. 3. Implement the OWASP Application Security Verification Standard (ASVS) to manage security based on risk levels. 4. Use the OWASP Software Assurance Maturity Model (SAMM) for a maturity-based approach to securing the SDLC and optimizing resources.
Embedding Security in the SDLC
- 1. Embedding Security in the SDLC Jerod Brennen Founder & Principal Consultant, Brennen Consulting
- 2. Software security is a positive indicator of software quality.
- 3. Step 1: Introduce automated software security scanning Train developers on the OWASP Top 10 Web Application Security Risks ● OWASP Juice Shop Static Application Security Testing (SAST) ● SonarQube Community Edition ● Codacy ($180/yr) Dynamic Application Security Testing (DAST) ● OWASP ZAP ● Burp Suite ($399/yr)
- 4. Step 2: Introduce OWASP proactive controls into the SDLC C1: Define Security Requirements C2: Leverage Security Frameworks and Libraries C3: Secure Database Access C4: Encode and Escape Data C5: Validate All Inputs C6: Implement Digital Identity C7: Enforce Access Controls C8: Protect Data Everywhere C9: Implement Security Logging and Monitoring C10: Handle All Errors and Exceptions
- 5. Step 3: Implement the OWASP Application Security Verification Standard (ASVS) Level 1 - First steps, automated, or whole of portfolio view Level 2 - Most applications Level 3 - High value, high assurance, or high safety Map to data classification requirements and business criticality Validate compliance using the OWASP Web Security Testing Guide
- 6. Step 4: Implement the OWASP Software Assurance Maturity Model (SAMM) Each business function maps to multiple practices Perform a maturity self-assessment Train stakeholders on the SAMM model Governance Design Implementation Verification Operations
- 7. Reiterating the value Step 1 provides immediate visibility to higher risk vulnerabilities that could be present in your applications today. Step 2 allows you to shift from reactive scanning to proactive secure coding. Step 3 ensures that you’re managing software security activity (people, processes, and technologies) based on risk. Step 4 enables you to transition to a maturity-based approach to securing the SDLC, optimizing people, time, and resource allocation.
- 11. Thanks much!