
SECURE SDLC CONSIDERATIONS
WITH NIST SP 800-64


- High-Level Summary
SECURE SDLC
Security should be incorporated from the earliest stages of the
development cycle rather than bolted on later.

This needs to be done in line with the guidelines and frameworks
published by the Information Technology Laboratory of the
National Institute of Standards and Technology (NIST).
NIST SP 800-64 REV2
Complements the Risk Management Framework (RMF) by providing a
comprehensive approach to managing risk and applying a level of
security appropriate to the level of risk.
Describes how to integrate security functionality and assurance
into each phase of the SDLC.
Note: NIST withdrew SP 800-64 Rev 2 in May 2019 without a direct
successor; the withdrawal notice points readers to SP 800-37 Rev 2
and SP 800-160 Vol. 1 for current lifecycle guidance. The
phase-by-phase tasks summarised below remain a useful checklist.
HOW SECURE SDLC ENSURES MAX. ROI
The earlier possible security concerns are identified, the lower
the cost of implementing security controls and mitigating
vulnerabilities.
Early awareness of engineering challenges that would otherwise
surface late, and therefore more effective security control
implementation.
Ensures security is built in, improving the overall security
posture of the product.
Informed executive decision making through comprehensive and
timely risk management.
KEY ROLES AND RESPONSIBILITIES IN SDLC:

Authorizing Official (AO): Executive responsible for acquiring or
operating an information system at an acceptable level of risk.

Chief Information Officer (CIO): Responsible for planning, budgeting,
investment, performance and acquisitions.

Configuration Management (CM) Manager: Responsible for streamlining
change management processes and controlling changes that may affect
the security posture of the system.

Information System Security Officer (ISSO): Responsible for ensuring
the security of the system throughout its lifecycle.

Privacy Officer: Responsible for ensuring the privacy of procured
services or systems.

Program Manager: Manages the functional system requirements during
the SDLC and is responsible for all business and program handling
throughout the lifecycle.

QA/Test Director: Responsible for reviewing system specifications,
determining test needs, and working with program managers to plan
the activities leading up to field test activities.

Chief Information Security Officer (CISO): Responsible for setting
and enforcing the policies for integrating security into the SDLC.

Software Developer: Responsible for secure coding, implementing
controls, and resolving other CM issues.

System Architect: Responsible for designing and maintaining the
system architecture; also ensures the quality of specifications,
documentation, etc.

System Owner: Responsible for the procurement, development,
integration, modification, operation, and maintenance of an
information system.
INCORPORATING SECURITY INTO SDLC
The NIST guide describes the SDLC as a five-phase process and
assigns each phase a set of security tasks.

INITIATION PHASE:
During this phase the enterprise establishes and documents the
project goals and system requirements.
Early planning and risk assessment in this phase help developers
define the threat environment in which the system will operate.
Security categorization standards assist organizations in
selecting the appropriate security controls for their information
systems.

Major Security Activities in Initiation Phase:
- Initiate security planning
  - Identify key security roles and stakeholders; build security
    integration awareness
  - Identify sources of security requirements
  - Outline key security milestones
  - Define security reporting metrics
  - Plan for required security training
- Categorize the information system
  - Based on potential business impact and risk analysis
  - Assists in selecting the appropriate security controls
- Business impact analysis
- Privacy impact analysis
- Ensure use of secure information system development processes
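The categorization task above, as an added worked example that is not part of the original slides or of NIST SP 800-64: it computes a system's security category the way FIPS 199 and SP 800-60 (which SP 800-64 cites for this task) define it, as the high-water mark per security objective across every information type the system processes, and then the overall impact level that selects a control baseline. The helper names (`InfoType`, `validation_errors`, `categorize_system`, `overall_impact`, `format_category`) and the sample HR/payroll information types are assumptions made for illustration.

```python
"""Security categorization by high-water mark, in the FIPS 199 / SP 800-60
style that SP 800-64 points to for the "Categorize Information System" task.

Added example: the helper names and the sample information types below are
assumptions for illustration, not content from NIST SP 800-64.
"""
from dataclasses import dataclass

# Impact levels in ascending order. "na" (not applicable) is permitted by
# FIPS 199 only for the confidentiality of information that is already public.
LEVEL_ORDER = {"na": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type the system processes, with provisional impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def validation_errors(info_type):
    """Return a list of problems with an InfoType (an empty list means valid)."""
    errors = []
    for obj in OBJECTIVES:
        level = getattr(info_type, obj)
        if level not in LEVEL_ORDER:
            errors.append(f"{info_type.name}: unknown {obj} level {level!r}")
        elif level == "na" and obj != "confidentiality":
            errors.append(f"{info_type.name}: 'na' is only allowed for confidentiality")
    return errors


def categorize_system(info_types):
    """Per-objective high-water mark across every information type.

    Returns {objective: level}. For each objective the system takes the
    highest level that any single information type assigns to it, so a type
    that is LOW for confidentiality but HIGH for integrity still drives the
    system's integrity level to HIGH. 'na' never raises a level, and a
    system-level objective is never 'na': if every type is public, FIPS 199
    still assigns the system at least LOW.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    problems = [e for t in info_types for e in validation_errors(t)]
    if problems:
        raise ValueError("; ".join(problems))
    category = {}
    for obj in OBJECTIVES:
        top = max((getattr(t, obj) for t in info_types), key=LEVEL_ORDER.get)
        category[obj] = "low" if top == "na" else top
    return category


def overall_impact(category):
    """Overall impact level as FIPS 200 defines it: the highest of the three
    objectives. This single level is what selects the SP 800-53 baseline."""
    return max(category.values(), key=LEVEL_ORDER.get)


def format_category(system_name, category):
    """Render the categorization in FIPS 199 notation."""
    parts = ", ".join(f"({obj}, {category[obj].upper()})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{parts}}}"


# Constructed sample: a hypothetical HR/payroll system and the information
# types it handles. The levels are illustrative, not taken from SP 800-60.
SAMPLE_SYSTEM = [
    InfoType("public benefits brochure", "na", "low", "low"),
    InfoType("employee PII", "moderate", "moderate", "low"),
    InfoType("payroll disbursement", "moderate", "high", "moderate"),
]

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_SYSTEM)
    print(format_category("HR_Payroll", cat))
    print("overall impact:", overall_impact(cat).upper())
```

Two points practitioners trip over: the high-water mark is taken per objective across all information types, not by picking the single "worst" type and copying its triple; and "not applicable" is allowed only for the confidentiality of public information and can never pull a system-level objective below LOW.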
DEVELOPMENT/ACQUISITION PHASE:
At this stage the system is designed, purchased, programmed,
developed, or otherwise constructed.

Major Security Activities in Development/Acquisition Phase:
- Initial risk assessment
  - Evaluate the system design against the security requirements
  - Evaluate the effectiveness of candidate security controls
- Select and document security controls
- Design the security architecture
  - Implement the security controls in the system design
- Develop security documentation
  - Configuration management plan
  - Contingency plan, incident response plan
  - Continuous monitoring plan, etc.
- Security assurance analysis
- Cost consideration of the different hardware, software and other
  options
- Initial documents for system certification and accreditation (C&A)
IMPLEMENTATION/ASSESSMENT PHASE:
At this stage the system security features are installed and
enabled, their functionality is tested against the specifications,
and the system is placed into operation.
Security controls are integrated at the operational site through
established techniques and procedures.

Major Security Activities in Implementation/Assessment Phase:
- Create a detailed plan for certification and accreditation (C&A)
- Integrate security into established environments or systems
  - Integration and acceptance testing
  - Enabling security control settings
- Assess system security
  - Validate system functional and security requirements
  - Test security controls and their resiliency
- Security accreditation: authorize the information system to
  process, store or transmit information
OPERATIONS/MAINTENANCE PHASE:
The system is in operation and is continuously monitored to ensure
that the pre-established requirements are still met as hardware and
software components are added or replaced.

Major Security Activities in Operations/Maintenance Phase:
- Review operational readiness to handle unplanned modifications to
  the system
- Perform configuration management and control activities so that
  the potential security impact of each specific change to the
  system is considered before it is made
- Conduct continuous monitoring to ensure the effectiveness of
  security controls over time
DISPOSITION PHASE:
At this stage contracts are closed out and the system is disposed of.
The system is terminated in an orderly way, preserving its vital
information according to records management regulations so that it
can be reactivated in the future if needed.

Major Security Activities in Disposition Phase:
- Build and execute a disposal/transition plan
- Ensure information preservation (backup) and retrieval methods
- Meet legal requirements for record retention when disposing of
  systems
- Apply a media sanitization policy to prevent unauthorized
  information disclosure (NIST SP 800-88 gives the sanitization
  methods per media type)
- Hardware and software disposal policy
- System closure or disassembly policy
OTHER SECURITY CONSIDERATIONS
Supply Chain and Software Assurance
Requires best practices and methodologies that promote the security
and integrity of the hardware and software being acquired.
It should target three goals:
1. Trustworthiness
2. Predictable execution
3. Conformance

Service-Oriented Architecture (SOA)
An architectural design in which existing or new functionality is
packaged as services.
These services communicate with each other by passing data from one
service to another.

Specific Accreditation of Security Modules for Reuse
Provides developers with trusted, already-accredited code that can be
reused when needed, at reduced cost, and that can be relied upon to
provide security functionality across a broad range of projects.

Cross-Organizational Solutions
Provide value and benefit to multiple organizations; access is
governed by a memorandum of agreement (MOA) or service-level
agreement (SLA).
The agreement should also cover test and validation responsibilities,
incident response procedures, and monitoring and operations policies.

Technology Advancement and Major Migrations
As technology advances, existing systems must be migrated or upgraded
to keep pace.
Consideration must be given to integrating security into the SDLC for
new systems, for the integration of systems, and for the overhaul,
upgrade, or migration of systems.

Data Center or IT Facility Development
Deals with physical security solutions.
The data center is the facility that hosts the infrastructure on
which applications run.
Customers of the facility should be given a clear statement of the
redundancy provided and of the protection mechanisms in place.

Virtualization
Virtual machines offer significant cost savings.
They can provide additional security through isolation and recovery,
but require additional planning for the risks that virtualization
itself introduces, such as data interception between guests and
denial of service against the host's shared resources.
Hack2Secure
The Hack2Secure Secure SDLC program is based on different industry
security standards and practices, including NIST SP 800-64, and
provides organizations an end-to-end solution to learn, adopt,
integrate, implement and analyse a Secure SDLC process.

The Secure SDLC workshop, integrated with a globally available
certification program, equips professionals with the skills required
for Secure SDLC adoption.

Hack2Secure's exclusive Secure SDLC consulting service assists
organizations in adopting a Secure SDLC framework and integrating it
into their existing process.
Conclusion
We have provided a high-level summary of the NIST Special Publication
on security considerations in the SDLC, which gives organizations
guidelines for building security into their SDLC process.

This helps them identify, develop and test security controls that are
cost effective and appropriate to the risk.
