Secure software development lifecycle (SSDL) refers to a security assurance process that employs a holistic and practical approach during software development to reduce the risk of vulnerabilities. SSDL ensures that security and privacy are considered at every phase of the development process. By identifying security problems before any code is written, organizations can save time and money by avoiding the need to rewrite or patch applications due to development-related errors.
The expert consultants at Positive Technologies offer all the services necessary for introducing procedures for secure application development at your organization. Our specialists will help to define and implement your approach to:
Understanding security threats and how to effectively counter them is fundamental to developing secure software. Each member of your development team should be properly educated on the basics of software security and made aware of information security trends.
Implementing SSDL requires an upfront investment as well as ongoing education of team members. Some topics are mandatory for all team members, while other sessions are tailored to individual roles such as analyst, architect, and programmer. Positive Technologies offers the following training courses to meet these needs:
- Introduction to information security
- Application security as part of information security
- Secure development lifecycle essentials
- Secure design, development, and test basics
- Security and privacy in software development
- Threat modeling
- Principles of secure design
- Principles of secure implementation
- Principles of security verification
Security Requirements and Risk Assessments
Defining security and privacy requirements is an essential part of the application development process. This planning allows development teams to identify key security and privacy objectives and act accordingly from the start. Our expert consultants will help you implement an effective requirements-gathering process that will identify the relevant requirements for each application and its associated production environment.
We will also guide you in the development of your security and privacy risk assessments, identifying any functional aspect of your application with the potential to cause harm to your business. Identifying these risks—and countermeasures to minimize them—is a critical part of the application development planning process.
Secure Architecture and Design
Although vulnerabilities in your application code can often be fixed with additional development or a patch, security gaps in the software architecture are potentially much more problematic and harder to resolve. It’s essential that your development team has processes in place that ensure the application architecture is based on proven secure patterns, algorithms, and frameworks.
Positive Technologies will show you how to include these elements at the start of each project to ensure the environment, operating system, database design, and system architecture for each application are modeled with security in mind. This will help your applications achieve compliance with security and privacy legislation, regulations, and official and industry standards.
Security code reviews are a key step in the development of any application. Checking the source code makes clear whether your developers have implemented all relevant security features in accordance with the specifications. Analysis also confirms that these functions work as expected and are invoked in the appropriate places. In addition, code reviews determine whether software was designed and developed with the ability to protect itself against possible threats in the environment.
Positive Technologies can conduct security code reviews on your behalf, or we can advise you on the tools and procedures necessary to do so yourself. Automated source code analyzers such as Positive Technologies Application Inspector can perform full-spectrum (including white-box) testing on your application to identify and find the cause of all security-related vulnerabilities.
Technical analysis is used to verify that an application meets the specified security requirements and that the application and its components continue to fulfill security expectations when in operation.
This stage involves stringent code review and specific security tests along with an "attack surface review" to identify all parts of a system that require additional review and vulnerability testing. Experts from Positive Technologies can help to integrate these specialized testing practices into your development and QA groups.
Once you’ve trained your staff, defined your security requirements and risk assessment procedures, implemented a secure architecture, and executed code reviews, you’re ready to deploy your application. But how can you be sure that your production environment fully supports your application’s security requirements?
Our specialists can guide your network operations team through a security review to identify any misconfigurations or missing service packs in infrastructure elements such as servers, databases, storage, and network systems that could degrade the security of your applications.