Product Security Glossary

Secure SDLC

What is secure SDLC?

Secure SDLC stands for Secure Software Development Life Cycle.

What is a Software Development Life Cycle?

The Software Development Life Cycle, or SDLC, is the process of designing, creating, testing, and maintaining software.  There are many different SDLC models, and different software shops might have their own reasons for choosing which one to use. In any event, the design, coding, and testing phases must be carefully planned. Unfortunately, secure SDLC is often not considered as part of the process. 

What are the challenges of secure SDLC?

The biggest challenge to secure SDLC is that programmers often consider it a burden.  They simply do not like the extra work that’s required to write secure code, especially when they have to rework the code multiple times in order to get the security right.  They would much rather produce code quickly and include cool features. 

Another challenge is that with some programming languages, it is very easy to write insecure code.  For example, the C language makes it very easy to introduce security-related bugs such as buffer overflows.  These types of bugs can make it very easy for an attacker to take over a system. 
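To make the C point concrete, here is an added example (not from the original glossary) showing a string copy written the unsafe way beside a bounds-checked version; `copy_name_unsafe`, `copy_name_safe` and `NAME_LEN` are names chosen for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Unsafe: strcpy() copies until it finds the NUL byte in src and never
 * looks at the size of dst. A src of NAME_LEN or more characters writes
 * past the end of the caller's buffer, which is the classic stack buffer
 * overflow the text refers to. */
void copy_name_unsafe(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);
}

/* Hardened: the destination size is an explicit parameter, the length is
 * checked before any byte is written, and the result is always NUL
 * terminated. Returns 0 on success, -1 if src does not fit; on -1 dst is
 * set to the empty string so the caller never sees stale data. */
int copy_name_safe(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0 || src == NULL)
        return -1;
    /* memchr never reads beyond dst_size bytes of src, so an unterminated
     * or oversized input cannot drag the scan past the buffer limit. */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL) {            /* no terminator within dst_size: too long */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);   /* copies the NUL too */
    return 0;
}

int main(void)
{
    char name[NAME_LEN];
    /* Constructed sample input: 30 'A's, longer than the 16-byte buffer. */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    copy_name_unsafe(name, "alice");   /* fits, so this call is harmless */
    printf("unsafe, short input: %s\n", name);
    /* copy_name_unsafe(name, too_long) would overflow; it is not run here. */

    if (copy_name_safe(name, sizeof name, too_long) != 0)
        printf("safe: rejected %zu-byte input\n", strlen(too_long));
    if (copy_name_safe(name, sizeof name, "alice") == 0)
        printf("safe: copied \"%s\"\n", name);
    return 0;
}
```

Automated tools of the kind the glossary recommends catch the unsafe form early: compiler warnings and hardening options such as `-Wall` and `-D_FORTIFY_SOURCE=2` flag or abort on known-size `strcpy` misuse, and a code review checklist can simply ban unbounded copy functions.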

Some organizations do try to include some sort of secure SDLC practices, but they might include them too late in the process.  They might start looking for security problems in the software testing stage, when they should be starting the secure SDLC process at the very beginning, in the planning and design stages. 

What if we don’t have secure SDLC?

Not having a secure SDLC program could be disastrous for businesses.  Let’s say that an attacker were to find a security-related bug in a program that a business has to use to deal with its customers.  The attacker could exploit the bug and possibly steal either money or sensitive data from either the customer or the business.  Either way, it would be a public relations nightmare for the business, and would cause the business to lose its customers’ trust.

There is also the issue of safety.  An attacker who successfully exploits a security bug in a medical device or an industrial controller could cause injury, death, or property damage. 

How can we have a secure SDLC?

Software developers need to understand that it is much easier and cheaper to embrace secure SDLC practices for the whole development process than to have to fix security bugs later.  According to a study done by IBM, a bug found during the implementation stage could cost six times more to fix than a bug found during the design stage.  The study also found that fixing a bug found during the testing stage could cost 15 times more than fixing a bug found during the design stage.

To have an effective secure SDLC program, development shops should perform an architecture analysis during the design phase, code review during the coding phase, and penetration testing prior to product release.  Developers should be required to attend classes to learn secure coding practices. The best way to secure the SDLC is to follow the NIST Secure Software Development Framework (SSDF) and to use automated tools that help find bugs and security exposures during the SDLC and help the developers mitigate them. An automated system that is easy for developers to use will encourage proper secure SDLC practices.

Having a secure SDLC process is very important, and software developers should become familiar with how to implement it.