Challenges in implementing Secure SDLC

With an ever-expanding technology landscape, the threat landscape is continuously changing as well. This demands a more proactive approach to application security than the earlier, traditional approaches of performing a VA/PT on an application about to go live or a periodic assessment of an application already in production. We understand and fully agree that application security now needs to be integrated into each phase of the SDLC, with review toll gates at the end of each phase to ensure that security risks are identified and addressed at the earliest possible stage. The challenge most organizations face today is how to deploy Secure SDLC in an existing setup, with multiple applications already in production being enhanced continuously and new applications being added to the inventory. This article focuses on some of the challenges faced while rolling out Secure SDLC; it will not cover what a secure SDLC process comprises.

Should I focus on production applications, enhancements or new developments - This is a common query: where do I begin? The simplest answer is to start with what is at the greatest risk: your production environment. The approach here would be to ensure that your existing live applications are assessed using a combination of tool-based and manual approaches (black-box and white-box) to establish the baseline of vulnerabilities. Once you know how deep the mess is, you can work out where you want to focus your energies. To speed this up, even in production environments, focus on what is most critical in terms of availability, confidentiality and exposure, and address the most critical applications first.
At the same time it is important to ensure that what is being added to the already existing applications is secure. This translates to ensuring that new development and enhancements go through a pre-defined toll gate process of security reviews. The last thing you want is to be cleaning up the mess while someone else is continuously adding to it at the other end.

How do I set up my team - First and foremost, you cannot run this show without a leader who is fully committed to the cause. While senior management commitment is important and is the first step, you need an Application Security Leader to ensure that the assessment focus remains, awareness spreads and planned remediation happens as committed. This is a dedicated role and should be staffed accordingly. The remaining team can be assembled based on the scope: the review cycle for the existing inventory versus the delivery pipeline.

Do I factor in the cost associated with security activities - While secure code is a hygiene factor, do understand that it needs to be implemented as a set of sequential activities performed by skilled consultants. Nothing is free. The way you plan and budget for performance testing or functional testing, you need to plan and budget for security activities; tool costs and effort costs need to be accounted for. If you are already working on an engagement where this has not been accounted for, stop and correct it rather than delivering a half-baked solution.

Should I invest in tools right away - While a baseline assessment needs tools to speed up the assessment process, we also need to balance this against the fact that tools are effective only if they are used efficiently. You don't want to invest in tools without having a strategy in place. Allow the defined processes and the team to mature before you invest in tools. Which tools to invest in will depend on your assessment rhythms, the delivery pipeline and the technology landscape. But do remember that if you want quality results you will need to invest in tools at some point or other. The only question you need to ask is when, and which type.


There are 3 Comments

Salim, good article. I have a question - would it be possible for an organisation to focus its efforts on applications that support a complete 'critical' business process? If it was possible then an organisation could look at focusing their attention to those 'critical' business processes and the applications that support them as the first priority with everything else following later.

Thanks Farshid for bringing this out. This would definitely be a criterion in prioritizing your testing for live applications.

Agile software development methodologies and the proliferation of cloud services are adding to the challenges of implementing secure SDLC. While organizations will have to mature towards adopting the S-SDLC practices, organizations can explore deploying run-time application self-diagnostics and healing capabilities (RASP) as an alternate measure. These are mechanisms to be called through the existing application as pluggable security functions without requiring any changes to the existing applications. How appropriate this shielding approach is vis-à-vis secure coding is debatable!!!