How a process model can help bring security into software development


Agile software development methods may be characterized by the Agile Manifesto, which aims to produce functionally correct software as quickly as possible. Although Agile methods tend to de-emphasize building security in, Gary McGraw has been working with the Agile methods to show how security can be built into the process.

Third in a series on the secure software lifecycle.

Lifecycle processes have been around for years, so why has it been so difficult to incorporate security into the process? The secure software development lifecycle (sSDLC) comprises a number of complex processes that require early involvement by business users, project managers and applications developers, as well as information security practitioners, to successfully develop a functional and secure product. An organization must adopt a process model wherein process improvements are managed from a common framework. This disciplined approach will not alleviate all vulnerabilities but will increase the likelihood of building secure software to meet users’ needs in a cost-effective fashion. Several models are described below.



Implementing process improvement attuned to the organizational culture increases the likelihood of building secure software by following sound software engineering practices: good design, quality practices, testing methods, risk management and project management. However, the well-known software development processes and frameworks are designed to produce quality, reliable products; they do not specifically address security requirements. According to NASA’s Software Assurance Guidebook, a minimum security assurance program will include:

  • A security risk evaluation.
  • Established security requirements for information and software.
  • Established security requirements for development and maintenance processes.
  • Reviews of security requirements in evaluations.
  • Provisions for security through the configuration management process.
  • Prevention of security violations through the change evaluation process.
  • Provisions of adequate physical security.

Risk management throughout the sSDLC is integral to the development of a secure application that meets business needs. According to the National Institute of Standards and Technology’s Special Publication 800-30, “Effective risk management must be totally integrated into the SDLC ... [which] has five phases: initiation, development or acquisition, implementation, operation or maintenance and disposal.” The process begins by identifying the information assets that the software will be processing and ensuring that business owners specify requirements for confidentiality, integrity, availability and auditability. By understanding the value of information assets, threats can be identified and proper controls designed into the software, thereby reducing risk. Once the application characterization has been performed, the scope can be defined and boundaries identified, along with the resources, integration points, and information that constitute the application.

The next step is to perform an architectural risk analysis to spot exploitable vulnerabilities. Its activities encompass known vulnerability analysis, ambiguity analysis and underlying platform vulnerability analysis. Known vulnerability analysis checks the code and system management practices against documented vulnerabilities. Ambiguity analysis examines the gaps between the business requirements and the software as built. Underlying platform vulnerability analysis covers the operating system, network, platform and interaction vulnerabilities. The phase of the sSDLC in which the vulnerability analysis is performed dictates the type of analysis and which security features are incorporated.

Also consider the acquisition of commercial off-the-shelf (COTS), government off-the-shelf (GOTS) or open-source software, all of which present security risks. Often, such software does not meet the functional or security requirements of the acquiring organization. To address this problem, Federal Acquisition Regulation 7.104(b)(17) was modified in 2005 to include the following language: “For information technology acquisitions, discuss how agency information security requirements will be met.” In 2006, the Open Web Application Security Project (OWASP) Legal Project developed a Contract Annex, a sample contract that included security requirements for the life cycle so that COTS products would be more secure. The movement to include more stringent contracting language is adding impetus for including and assessing software assurance requirements.

The Information Assurance Technology Analysis Center’s “Software Security Assurance: State-of-the-Art Report” reviews several proposed methods for incorporating security into the SDLC. Cigital’s Gary McGraw and John Viega propose the following activities in their book, “Building Secure Software”:

  • Security requirements derivation/elicitation and specification.
  • Security risk assessment.
  • Secure architecture and design.
  • Secure implementation.
  • Security testing.
  • Security assurance.

Further, Cigital has developed a proprietary risk management framework (RMF) that it used, under contract to the Homeland Security Department, to develop the Build Security In (BSI) RMF, a condensed version of its own framework. The BSI RMF consists of five risk management activities:

  1. Understanding the business context in which software risk management will occur.
  2. Identifying and linking the business and technical risks within the business context to clarify and quantify the likelihood that certain events will directly affect business goals – including analyses of software and development artifacts.
  3. Synthesizing and ranking the risks.
  4. Defining a cost-effective risk mitigation strategy.
  5. Carrying out and validating the identified fixes for security risks.
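As an added example (not from the article, Cigital or NIST), the BSI RMF steps 1 to 4 above and the asset and requirement identification described under SP 800-30 worked through as a small risk register: each asset carries its owner's confidentiality, integrity, availability and auditability requirements, each technical risk is linked to the business goal it threatens, risks are ranked by likelihood times asset value, and mitigations are chosen by exposure removed per unit of cost within a budget. The assets, risks, mitigations, costs and the agency application itself are constructed sample data.

```python
from dataclasses import dataclass
@dataclass
class Asset:
    name: str
    needs: dict  # business owner's confidentiality/integrity/availability/auditability, 1-3
    def value(self) -> int:
        # Asset value follows its most demanding protection requirement
        return max(self.needs.values())
@dataclass
class Risk:  # RMF step 2: a technical risk linked to the business goal it threatens
    rid: str
    asset: Asset
    technical_risk: str
    business_goal: str
    likelihood: int  # 1 (rare) to 3 (likely)
    def score(self) -> int:
        # RMF step 3: exposure = likelihood x value of the affected asset
        return self.likelihood * self.asset.value()
@dataclass
class Mitigation:
    name: str
    cost: int      # relative effort units
    reduces: dict  # risk id -> likelihood points removed

def rank_risks(risks):
    """RMF step 3: highest exposure first; ties broken by risk id."""
    return sorted(risks, key=lambda r: (-r.score(), r.rid))

def plan_mitigations(risks, mitigations, budget):
    """RMF step 4: greedy pick by exposure removed per cost unit, within budget.
    Simplification: overlapping mitigations of one risk are not discounted."""
    by_id = {r.rid: r for r in risks}
    def removed(m):
        return sum(min(pts, by_id[rid].likelihood) * by_id[rid].asset.value()
                   for rid, pts in m.reduces.items() if rid in by_id)
    chosen, spent = [], 0
    for m in sorted(mitigations, key=lambda m: -removed(m) / m.cost):
        if removed(m) > 0 and spent + m.cost <= budget:
            chosen.append(m.name)
            spent += m.cost
    return chosen, spent

# Constructed sample data for a hypothetical agency application (not from the article)
RECORDS = Asset("citizen records", {"C": 3, "I": 3, "A": 2, "audit": 3})
PORTAL = Asset("public notice portal", {"C": 1, "I": 2, "A": 3, "audit": 1})
SAMPLE_RISKS = [
    Risk("R1", RECORDS, "SQL injection in search form", "privacy compliance", 3),
    Risk("R2", PORTAL, "unpatched web server", "service uptime", 2),
    Risk("R3", RECORDS, "record edits are not logged", "accountability", 2),
]
SAMPLE_MITIGATIONS = [
    Mitigation("parameterized queries plus code review", 2, {"R1": 3}),
    Mitigation("patch management process", 3, {"R2": 2}),
    Mitigation("audit logging of record edits", 2, {"R3": 2}),
]
```

With a budget of 5 effort units the plan takes the two cheapest high-yield fixes and leaves the patch process for the next cycle, which is the kind of explicit, revisitable trade-off step 4 asks for.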

McGraw also provides seven – plus one – touch points for software security in “Software Security: Building Security In” (Addison-Wesley, 2006) that are “lightweight” best practices that can be applied in software development. The touch points are:

  1. Static analysis/review of source code.
  2. Risk analysis of architecture and design.
  3. Penetration testing.
  4. Risk-based security testing.
  5. Building abuse cases.
  6. Security requirements specification.
  7. Security operations.
  8. “Bonus” for external analysis.

Marco Morana of Foundstone proposes a long-term, holistic software security approach that recommends considering software security and information security risks together rather than separately. Morana's Notional Software Security Framework is shown in the figure.

[Figure: Morana's Notional Software Security Framework]


Microsoft also published its own Security RMF, mapped to its Microsoft Solutions Framework. Unfortunately, it is oriented toward turnkey software products rather than software integration. Microsoft has also established its own security-enhanced software development process that integrates tasks and checkpoints to improve the security of the software produced, by reducing the number of security-related design and coding defects and the severity of impact of residual defects.

Another methodology to insert security into the lifecycle is the Comprehensive, Lightweight Application Security Process (CLASP), developed by John Viega, of McAfee, Inc. CLASP’s core feature is to integrate 30 security-focused activities into the software development process. The key activities include:

  • Monitoring security metrics.
  • Identifying user roles and requirements.
  • Researching and assessing security solutions.
  • Performing security analysis of system design.
  • Identifying and implementing security tests.

Baking security into software development would seem to be a natural process, but that has not been the case. The complexity of the software development process requires that good security requirements be defined in the development process by all stakeholders. Security must be designed in from the start of development, and security features must be tested and verified before the application is deployed. By building the system following disciplined processes that incorporate security, development costs can be more accurately defined and controlled, service and maintenance costs will be reduced and time for retrofits will be drastically minimized. The very costly (in time as well as money) model of build and patch – and patch again – will finally be obsolete.
