During this first week’s reading assignment, I learned there are many different methods for developing a software development lifecycle (SDLC). For example, for most SDLCs, the basic response steps include planning, analysis, design, implementation and maintenance. However, some organizations, such as Microsoft, will add additional steps to the process or define a step differently.
MSFT’s Software Development Lifecycle includes seven phases: training, requirements, design, implementation, verification, release and response. Every member of the development team must receive training in security basics and current security trends, so that the team starts its SDL with security in mind. This additional step helps keep the company from committing security errors that come from not treating security as a focus of the project. Even with this extra step, the process outlined by MSFT fits many frameworks: teams can use Agile, CASE, DevOps or DevSecOps when implementing it.
I feel adding a step such as training is a must for most organizations. Applications must be developed with security as the top priority. If the SDLC process doesn’t have the correct security measures in place, the organization could end up being the next SolarWinds.
SDLC IN THE NEWS
SDLC has been in the news a lot lately due to the SolarWinds supply chain attack, which occurred last month. During the SolarWinds attack, the intruders were able to leverage the SDLC of SolarWinds and move laterally within the organization. The attackers made their code look authentic and were able to inject it into the ORION platform. The SDLC process at SolarWinds didn’t find the intruders’ code in the DLL file, so the ORION platform was updated with this file included. Customers would visit the SolarWinds site and download the new file, and their admins then updated their ORION software. The new software would load the DLL, allowing the intruders to potentially invade other organizations. All of the traffic to and from the ORION application looked authentic; the attackers did a very good job of making everything look legitimate. Because of this major issue, the SDLC process is under heavy scrutiny within most large application development companies.
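The paragraph above points at the control that was missing: nothing in the release step compared the DLL that came out of the build server against what the source code should have produced. The following script, written for this post as an added example and not code from SolarWinds, Microsoft or any of the linked articles, shows one form that check can take. The release gate hashes every artifact from the primary build and from an independently reproduced build and blocks the release on any mismatch; the customer-side function verifies a downloaded file against the published manifest. The artifact names, byte contents and the "injected section" are all constructed for illustration and do not correspond to any real file.

```python
"""Release-gate and download-verification checks for build artifacts.

Added example; not SolarWinds, Microsoft or ORION code. Every artifact,
file name and hash value below is constructed for illustration.
"""
import hashlib
import hmac
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of an artifact, as a hex string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Record the digest of every artifact a build produced."""
    return {name: sha256_hex(data) for name, data in artifacts.items()}


def diff_builds(primary: Dict[str, str], independent: Dict[str, str]) -> List[str]:
    """Names of artifacts whose digests differ between two builds, or that
    exist in only one of them. A non-empty result blocks the release."""
    names = set(primary) | set(independent)
    return sorted(n for n in names if primary.get(n) != independent.get(n))


def verify_download(name: str, data: bytes, manifest: Dict[str, str]) -> bool:
    """Customer-side check: does the downloaded file match the manifest?
    compare_digest avoids leaking information through comparison timing."""
    expected = manifest.get(name)
    if expected is None:
        return False  # unknown artifact: refuse rather than trust it
    return hmac.compare_digest(sha256_hex(data), expected)


# Constructed sample builds (hypothetical file names and contents).
# The independent build reproduces the clean library from source; the
# primary build server has emitted the same library with extra bytes
# appended, standing in for code the source repository never contained.
CLEAN_DLL = b"MZ\x90\x00" + b"platform.business_logic" * 8
TAMPERED_DLL = CLEAN_DLL + b"\x00injected_section"
PRIMARY_BUILD = {"platform.dll": TAMPERED_DLL, "platform.exe": b"MZ\x90\x00main"}
INDEPENDENT_BUILD = {"platform.dll": CLEAN_DLL, "platform.exe": b"MZ\x90\x00main"}


def release_gate() -> List[str]:
    """Run the gate over the constructed builds; returns the mismatches."""
    return diff_builds(build_manifest(PRIMARY_BUILD), build_manifest(INDEPENDENT_BUILD))


if __name__ == "__main__":
    mismatches = release_gate()
    if mismatches:
        print("release blocked, artifacts differ between builds:", mismatches)
    else:
        print("release ok: both builds produced identical artifacts")
```

The gate only has value if the second build really is independent (different machine, different credentials, built from the tagged source), since two copies of the same compromised build server would agree with each other. The manifest the customer checks against should be signed with a key that the build server itself does not hold, so that tampering with the artifact also requires tampering with the signing step.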
https://www.guide-rails.io/resources/the-solarwinds-breach-and-securing-the-sdlc
https://securityboulevard.com/2020/12/solarwinds-sunbrust-backdoor-investigation-using-shiftlefts-code-property-graph/
For more information about the SolarWinds attack, read this blog by FireEye: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html