For this week’s Discussion, we consider Application (Software) Development. Answer at least one of the following questions:
- During which phase should Information Security be included? How would you explain to someone that Information Security has a role without a finalized product yet?
- Choose one of the popular software development methodologies, such as Scrum, Agile, or Waterfall; how does the choice of the methodology affect Information Security concerns?
Anthony Wong says
1. Within the software development lifecycle, security requirements should be included at all phases. Starting with requirements for an SDLC project, at the same time, security requirements can be discussed. Then when considering the application design, security architecture can occur to determine the placement of security controls throughout the application and infrastructure. In development, security controls should be obtained and implemented, where it will next be tested. After the controls are tested and functioning as expected, the security controls are to be deployed to production along with the application.
Mohammed Syed says
Also, we should understand the concept of the secure software development cycle and the functional requirements and security considerations. The verification phase must test SDLC to meet security’s original design and requirements.
Shubham Patil says
Development, Security and Operations (DevSecOps) is an approach every company dealing with critical information should follow. It’s an approach to culture, automation, and platform design that integrates security as a shared responsibility throughout the entire IT lifecycle.
Kelly Sharadin says
Hi Shubham,
I think organizations should adopt a DevSecOps methodology for the points you have outlined. In prior times, security was often siloed or an afterthought and reactive department within an organization; however, this is not a sustainable model in our current cyber threat landscape. By integrating security throughout the entire I.T. lifecycle, organizations are better equipped to defend against cyber threats and keep the business operational.
Kelly
Anthony Wong says
Hi Kelly,
I agree with integrating security from the start! Generally, incidents can be prevented if security is included. But the reality is that security finds out after the fact and has to scramble to resolve the issues.
Mitchell Dulaney says
Hi Anthony, good point that controls must be tested and confirmed functional before they’re pushed to production. Otherwise, useless or malfunctioning controls might end up in the production environment and create more problems than they were meant to solve.
Kelly Sharadin says
Information Security should be included in the design phase of the software development cycle. Many security incidents can be avoided by implementing secure software development practices at the beginning of the project. Given the rise of high-profile news stories of supply chain attacks and exploits due to software vulnerabilities, I believe gaining support for embedding information security into the software development process is a little easier than before. By incorporating secure software development by avoiding vulnerable or unsigned code packages and integrating application testing and code review, the organization can reduce its likelihood of compromise and stakeholders’ financial investment in the final product.
Mohammed Syed says
Yeah, and Secure SDLC involves integrating security testing and other actions into the remaining development process.
Antonio Cozza says
This sentiment is much more beneficial to organizations and their reputations in the long run as software that is designed with security in mind will have a much greater chance in mitigating commonly overlooked vulnerabilities and will allow appropriate time to ensure adequate security testing is performed consistently throughout the development of the entire application development process until it is pushed into production.
Vraj Patel says
Hey Kelly, I sure do agree that the information security should be implemented at the design phase. As the business would be identifying the requirements for the software, it would be easier for them to identify the risks at the moment and also plan to implement effective controls in place to protect that software.
Mitchell Dulaney says
Hi Kelly – I agree that security must be prioritized especially at the beginning of a project during the design phase, however I believe it is also necessary during the other stages as well. It’s feasible that a team could design an application with security in mind, but during development, implementation, or maintenance, the different controls and design principles get lost. There needs to be a conscious effort throughout the lifecycle to maintain security.
Mohammed Syed says
In the early phase, the secure software development cycle needs to understand functional requirements and security considerations. The second phase needs to sample functional design and sample security concerns. In the third step at the time of development when actually implementing the design and writing the code security perspective, here need to write code as per secure coding guidelines such as SQL queries, user validation, data sanitizing process, open-source libraries for vulnerabilities, and more with manual and automation tools. The verification phase needs to test SDLC to meet the original design and requirements as per security. It is a great place to test it with a variety of testing tools like the CI/CD pipeline. In the last step maintenance and evolution check and release the patch earlier when discovering the vulnerability. At this stage, vulnerabilities are caught from other sources also such as ethical hackers, and pen testers as well we can run programs like bug bounty to identify and patch bugs.
Vraj Patel says
The five phases covered within the CISSP All-In-One Exam Guide book are Requirements Gathering, Design, Development, Testing, and Operations and Maintenance. The information security should be included from the first phase Requirements Gathering and be evaluated during all the other phases. It would be helpful to evaluate it from the first phase so it can assist in identifying the control that will be required to implement within the application to protect it. In addition, it should be reviewed during each phase since the requirement to add/remove functionality from the applications could be changed as well as it will ensure the security controls identified in the previous steps are implemented and/or effective.
Mohammed Syed says
There are four essential elements of the information security life cycle: identify, assess, protect, and monitor. The first thing to do when entering the information security lifecycle is to determine what it is that you are trying to preserve, what you cannot protect, and what you cannot see.
Tal Eidenzon says
Hi Vraj,
I agree that security should be a part of each of the five phases. It is a mandatory component of the end-product, and the sooner that it is incorporated into the design, the more logical and sound the solution will be.
Thanks,
Tal
Antonio Cozza says
Vraj, this is easily agreeable; any application that is designed with security in mind will inherently be less susceptible to simpler easily found vulnerabilities provided that they are created by adequately skilled personnel.
Anthony Wong says
Raj,
Great quick post! You are spot on and I completely agree with your analysis. One aspect I did not think of is to review the controls over time to determine if they are still necessary or additional controls need to be added.
Kyuande Johnson says
There are various security concerns with the Agile software development methodology. The true nature of Agile software development is to quickly develop software. There is a major increase in customer satisfaction due to the product being developed and launched in a very reasonable timeline. At the same time, security is not built within the stages of Agile, which is the main reason many organizations are starting to move away from this methodology. It’s essential for security to be baked into the software development process, not at the end of the life cycle. During the core development stage organizations should task programmers to scan and remediate security flaws within the software during the early stages of development. They should also develop proper code conventions that cater to the OWASP proactive controls. It’s essential for organizations to proactively mitigate generated vulnerabilities as attackers typically attack systems by scanning for the most common vulnerabilities.
Shubham Patil says
Kyuande,
Agile development teams should begin by asking the product owner questions about feature priority and negotiate its scope and requirements. One way to do this without being confrontational is to enforce rigor in writing user stories and estimating them so that complexities get exposed before coding begins.
Kelly Sharadin says
Hi Kyuande,
Great point about integrating code scanning software as part of the software development process. Scanning allows developers to identify vulnerabilities as they’re developing and can remediate before pushing to production. As you mentioned, these scanners often use OWASP rules to identify vulnerabilities that have the highest likelihood of exploitation. By reducing the potential for vulnerable applications, companies are more resilient against cyber attacks and increase the value of their business.
Kelly
Antonio Cozza says
I agree K, the agile methodology can definitely have security concerns as each individual component of the application in question may be developed without fully inclusive security assurance. Agile was meant to deliver value more quickly to customers, however, pushing software faster would almost immediately raise questions regarding security as ensuring security simply takes extra time and is somewhat counterintuitive to the agile methodology in general.
Shubham Patil says
Information Security should be addressed in each phase of software development. It should not be addressed only at the end of development because of the added cost, time, and effort and the lack of functionality. It is important that you understand how secure software is developed. Knowing this enables you to see what an organization is doing, software development-wise, and quickly get a sense of the maturity of its processes.
Tal Eidenzon says
Hi Shubham,
Good point, otherwise security is an afterthought, and requires bolt-on implementation which is often clunky, resource intensive, and often slows down the process for the end-user.
Vraj Patel says
Hello Shubham, I do agree that the information security should be addressed during each phase of the software development process. As the software is being built, the new risk could be identified and if they put proper controls in place at that time then it sure would save business time and cost compared to addressing those risks at the end.
Mitchell Dulaney says
Information security should be included in all phases of software development to ensure the final software product is as secure as possible. Security by design dictates that information security should not be simply one of many considerations when developing a new product (such as a software application). Rather, security by design means that information security is part of the foundation of the development process, and it is implied that unless security is recognized and treated as a foundational aspect of development, the final product will not be satisfactory. During the requirements gathering phase, information security considerations must be accounted for and treated as requirements for the remaining phases. During the design and development phases, those security requirements must be prioritized and integrated with the software. During the testing phase, the security requirements should be tested alongside the other operational requirements of the software. And finally, during the operations and maintenance phase, the security requirements must continue to be met while the software is in use and the security needs should be maintained for the useful life of the software.
Tal Eidenzon says
During which phase should Information Security be included? How would you explain to someone that Information Security has a role without a finalized product yet?
Security should be included in the discussion right from the start. Unfortunately Cybersecurity is often seen as a profit inhibitive control, which makes the life of the end user more difficult. Too often the reason for this perception is because security measures were added on as “Bolt-On security”. This is when security was an afterthought, and mandated the proverbial hoop-jumping to enact security.
When Information Security is considered starting from the initial phases of planning, the implementation of it can be done in such a way that minimizes the effect on business operations.
Vraj Patel says
Hey Tal, I do agree that the information security should be addressed from the start. In addition, it should also be evaluated throughout the software development process as the requirements could change for the software being built and that could introduce new risk or could impact the level of risk identified prior.
Mitchell Dulaney says
Hi Tal, you’re absolutely right, security is (wrongly) seen as an unnecessary cost to be avoided at all costs in some organizations. In fact, proper information security incorporated throughout the software development life cycle will mean cost savings in the future when security incidents are successfully mitigated by the controls that were implemented during development.
Antonio Cozza says
During which phase should Information Security be included? How would you explain to someone that Information Security has a role without a finalized product yet?
By now, it is relatively easy to see that it is rather crucial to include information security from the beginning while architecting a software solution. It is one of the driving reasons that strategies like DevSecOps have become popular development methodologies. Previously, security was an afterthought in software development, which has ultimately led to an innumerable amount of vulnerabilities, compromised systems, networks, and downfalls of companies around the world. Security in software development must be present throughout the lifecycle from its inception to the finished product, or it will be reverse engineered to compromise a network significantly sooner rather than later, and result in damages to an organization using that software that could have potentially been either avoided or at bare minimum delayed. The difficulty lies in the demand for finished software products, which ultimately leads to shorting the security element. However, this idea must continue to wither away, as a sped up software solution in most cases is unlikely to have the same level of security testing compared to one that was not rushed into production.
Vraj Patel says
Hello Antonio, that was a great post. I do agree that the businesses should use the DevSecOps approach while creating a new software. As the DevSecOps ensure the proper security measures are being implemented during the process of software development.
Mitchell Dulaney says
Antonio, I agree that it is critical to incorporate security at every phase of the software development life cycle. Failure to do so significantly increases the likelihood that the software will be compromised in some fashion.