Integrating Security into the Device SDLC Process
What do connected products, such as medical devices, autonomous cars, network routers, industrial machines, HVAC systems, IoT home equipment and security cameras, all have in common? Their development processes are invariably complex and involve a long list of tasks that are performed by different entities. These processes are typically driven by multiple owners, including engineers, architects, product managers and the executives they report to. Although they all want to deliver the best quality product in the fastest possible time to market, each has different challenges, considerations and constraints.
These development processes get even more complex once security considerations come into play. The important questions you need to ask at that point include:
- What is the right level of security we need to implement for this specific product?
- How do we test the product’s security and then fix the issues as quickly as possible?
- How do we optimize security without slowing down the Continuous Integration process?
The Typical SDLC Process for Connected Products
The Software Development Life Cycle (SDLC) process, a framework that defines the tasks that should be performed at each step in the software development process, provides significant value related to reducing risk, meeting business goals and enabling repeatable processes. The graphic below describes the major phases in a typical device SDLC process, including their technical and non-technical activities and the steps required to ensure the smooth integration of security requirements into each phase.
The following sections of this post describe each phase and how it is impacted by the implementation of security measures. For the full version including all development- and security-related details about each phase of the SDLC process, please download our latest practical guide – Integrating Security into the Device SDLC Process.
Phase 1 - Requirements
When planning a new product, you first need to determine the purpose of the product, the problems it is supposed to solve, the user and usage profiles, and the product’s input/output. To properly answer these questions, a well-organized product management process needs to be conducted based on documents such as MRDs, PRDs and SRDs.
Even at this early phase, it is essential to define the product's security requirements. To do this, you first need to identify the product's key security risks, which follow from the type of information it will process and from its functionality. Next, you need to define the security standards or certifications that the product should meet; these depend on the target market or industry and need to be handed to engineering as a requirement by the product management team.
In order to determine the level of security that is appropriate for the product, and then test if that level is met later on, you need to conduct either a manual or an automated security analysis in order to generate a list of security requirements based on the specific device, its hardware, operating system and functional operations (for example, what connectivity protocol it supports). It is highly recommended that you be aware of these security requirements before you proceed to the design phase.
Phase 2 - Design
When designing a new product, you first need to determine what technologies you want to use, the risks in the design, and the time and budget constraints. To properly address these issues, you need to create system and software design documents based on the requirement specifications that were defined in the previous phase. These documents provide a detailed description of the various features and operations required to support the functional requirements of the connected product.
From a security perspective, you must review the architecture and design plans using threat modeling techniques in order to identify, enumerate and prioritize potential threats such as structural vulnerabilities. The threat modeling process includes four major steps - decomposing the application, categorizing the threats, ranking the threats, and mitigating the threats.
To make sure you consider all security requirements in this phase and properly plan their implementation, it is recommended that you have access to detailed information about each requirement including its severity level, the effort required for its implementation and detailed implementation how-to guidance, as well as information regarding the leading standards and regulations that are relevant to each requirement.
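The four threat modeling steps above (decompose, categorize, rank, mitigate) can be driven by simple rules once the design is written down as data flows and trust boundaries. The following is an added example for this post, not code from the original page or from any vendor tool: the STRIDE category names, the data-flow layout of a hypothetical connected camera and the likelihood/impact weights are all assumptions chosen to illustrate the procedure.

```python
"""Rule-based threat enumeration for the design phase.

Added example for this post; not code from the original page or any
vendor tool. The STRIDE category names, the data-flow layout of a
hypothetical camera and the likelihood/impact weights are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One data flow from the decomposed design (step 1: decompose)."""
    src: str
    dst: str
    data: str
    crosses_trust_boundary: bool
    authenticated: bool
    encrypted: bool
    integrity_checked: bool
    impact: int  # 1..3, estimated damage if this flow is compromised


@dataclass(frozen=True)
class Threat:
    flow: Flow
    category: str    # STRIDE category (assumption: the post names no scheme)
    likelihood: int  # 1..3
    mitigation: str

    @property
    def risk(self) -> int:
        return self.likelihood * self.flow.impact


# Constructed decomposition of a hypothetical connected camera.
DESIGN = [
    Flow("mobile_app", "camera_web_ui", "login credentials", True, False, False, False, 3),
    Flow("cloud", "camera", "firmware image", True, True, True, False, 3),
    Flow("camera", "cloud", "video stream", True, True, True, True, 3),
    Flow("image_sensor", "camera_mcu", "raw frames", False, False, False, False, 1),
]


def enumerate_threats(flows):
    """Step 2: categorize. Each rule fires on a property of a boundary-crossing flow."""
    threats = []
    for f in flows:
        if not f.crosses_trust_boundary:
            continue  # flows inside one trust zone are out of scope for these rules
        if not f.authenticated:
            threats.append(Threat(f, "Spoofing", 3,
                                  "Authenticate both endpoints before accepting data."))
        if not f.encrypted:
            threats.append(Threat(f, "Information disclosure", 3,
                                  "Encrypt the channel (TLS 1.2 or later)."))
        if not f.integrity_checked:
            threats.append(Threat(f, "Tampering", 2,
                                  "Sign the payload and verify the signature before use."))
    return threats


def rank(threats):
    """Step 3: rank by likelihood x impact, highest first (stable for ties)."""
    return sorted(threats, key=lambda t: t.risk, reverse=True)


def mitigation_plan(flows=DESIGN):
    """Step 4: mitigate. Returns (category, src->dst, risk, mitigation) tuples in priority order."""
    return [(t.category, f"{t.flow.src}->{t.flow.dst}", t.risk, t.mitigation)
            for t in rank(enumerate_threats(flows))]


if __name__ == "__main__":
    for row in mitigation_plan():
        print(row)
```

Running it lists the unauthenticated, unencrypted credential flow to the camera's web UI as the top two threats and the unsigned firmware download as a tampering threat; the internal sensor flow produces nothing because the rules only look at flows that cross a trust boundary. The value of writing the rules down is that the same checks run unchanged against every design revision, which is what keeps the design-phase assumptions verifiable later in system testing.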
Phase 3 - Development
During the development phase, the code is built, tested, integrated and managed according to what was defined in the requirements and design phases. Developing a connected product includes the following steps - hardware bring up, software bring up, static analysis, build automation and test code.
To ensure that the product remains secure across all development phases, it is important to integrate the product security requirements into the CI process as early as possible. This dramatically reduces future overhead and delays related to after-the-fact security mitigations and implementations. While most CI processes are designed with software delivery speed as the top priority, waiting too long to integrate security requirements significantly affects release dates. These delays can be easily avoided by addressing security issues in earlier stages.
To simplify the implementation of security requirements at this stage of the SDLC process, it is very helpful to use automated analysis tools that provide device-specific reports based on the product’s firmware. Their reports should include, among other things, all the security gaps at different severity levels, descriptions of the resulting risks, references to relevant standards and regulations, and step-by-step mitigation guidance. It also helps if these reports include known third-party security vulnerabilities and suspected zero-day vulnerabilities.
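Integrating such a report into CI only helps if the pipeline acts on it: the build has to fail on findings above an agreed severity, while time-boxed risk acceptances keep known, triaged findings from blocking every build. The following gate is an added example for this post, not code from the original page or from any analysis product; the JSON report schema, the severity names, the policy file format and the sample findings are all assumptions.

```python
"""CI security gate over a device firmware analysis report.

Added example for this post; not code from the original page or from
any analysis product. The JSON report schema, severity names, the
policy format and the sample findings are all assumptions.
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed report in the assumed schema; a real one comes from the analysis tool.
SAMPLE_REPORT = json.dumps({
    "firmware": "example-router-2.3.1.bin",
    "findings": [
        {"id": "F-001", "severity": "critical", "component": "rootfs",
         "title": "root account has an empty password hash",
         "mitigation": "Set a per-device password or disable interactive root login."},
        {"id": "F-002", "severity": "high", "component": "busybox",
         "title": "third-party component version with known vulnerabilities",
         "mitigation": "Upgrade busybox to a fixed release."},
        {"id": "F-003", "severity": "high", "component": "init",
         "title": "telnetd started at boot",
         "mitigation": "Remove telnetd from inittab; use SSH with key authentication."},
        {"id": "F-004", "severity": "medium", "component": "kernel",
         "title": "stack protector disabled in kernel config",
         "mitigation": "Enable CONFIG_STACKPROTECTOR_STRONG."},
        {"id": "F-005", "severity": "low", "component": "web_ui",
         "title": "server banner reveals version",
         "mitigation": "Suppress the Server header."},
    ],
})

# Policy checked into the repo next to the CI config (assumed layout). Exceptions are
# time-boxed risk acceptances: once the date passes, the finding blocks again.
POLICY = {
    "block_at": "high",
    "exceptions": {"F-002": "2099-01-01", "F-003": "2020-01-01"},
}


def evaluate(report_json: str, policy: dict, today: date) -> dict:
    """Return blocking / accepted / warned finding ids and a CI exit code (0 pass, 1 fail)."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[policy["block_at"]]
    result = {"blocking": [], "accepted": [], "warned": []}
    for finding in report["findings"]:
        sev = SEVERITY_RANK[finding["severity"]]
        if sev < threshold:
            result["warned"].append(finding["id"])  # reported, never blocks
            continue
        expiry = policy["exceptions"].get(finding["id"])
        if expiry and date.fromisoformat(expiry) >= today:
            result["accepted"].append(finding["id"])
        else:
            result["blocking"].append(finding["id"])
    result["exit_code"] = 1 if result["blocking"] else 0
    return result


def format_summary(report_json: str, result: dict) -> str:
    """Human-readable summary for the CI log, with the mitigation for each blocker."""
    by_id = {f["id"]: f for f in json.loads(report_json)["findings"]}
    lines = [f"{len(result['blocking'])} blocking, {len(result['accepted'])} accepted, "
             f"{len(result['warned'])} below threshold"]
    for fid in result["blocking"]:
        f = by_id[fid]
        lines.append(f"BLOCK {fid} [{f['severity']}] {f['title']} -> {f['mitigation']}")
    return "\n".join(lines)


if __name__ == "__main__":
    verdict = evaluate(SAMPLE_REPORT, POLICY, date.today())
    print(format_summary(SAMPLE_REPORT, verdict))
    sys.exit(verdict["exit_code"])
```

With the sample data the gate blocks on F-001 (critical) and on F-003, whose exception expired, accepts F-002 under its still-valid exception, and only reports the medium and low findings. Printing the mitigation next to each blocker is what makes the failed build actionable for the engineer who reads the log rather than a reason to disable the check.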
Phase 4 - System Testing
The focus of this phase is to verify that the product meets the technical, functional and business requirements that were defined earlier, based on a series of tests that cover the entire system. A few of the major tests performed during this phase include virtual lab tests, acceptance tests, physical lab tests and certification tests.
From the security perspective, there are several security guidelines that need to be met during system testing, including identifying critical security problems by running static and dynamic analysis of the complete final firmware image, running penetration tests to check how the product handles various abuse cases, and confirming that the security assumptions made during the design phase still hold.
To ensure that the product meets all security requirements before it is released, it is highly valuable to run final security evaluations such as those provided by automated analysis tools. At this point in the SDLC process the integrated firmware image can be analyzed in its entirety, enabling a thorough evaluation of any remaining security gaps.
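Much of what a final-image analysis finds comes from inspecting the unpacked root filesystem rather than from executing anything. The following is an added example for this post, not code from the original page or from any analysis product: it builds a constructed firmware root with planted issues in a temporary directory and runs four illustrative checks (empty or weak password hashes, telnetd started at boot, shipped private keys, world-writable files). The tree and the checks are assumptions, not a complete audit.

```python
"""Static checks over an unpacked firmware root filesystem.

Added example for this post; not code from the original page or from
any analysis product. The sample tree is constructed here with planted
issues; the four checks are illustrative, not a complete audit.
"""
import re
import stat
import tempfile
from pathlib import Path

PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
TELNETD_RE = re.compile(r"\btelnetd\b")


def _write(path: Path, text: str, mode: int = 0o644) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)
    path.chmod(mode)  # explicit mode so results do not depend on the build host's umask


def build_sample_rootfs(root: Path) -> None:
    """Constructed firmware root (not a real image) with planted issues."""
    _write(root / "etc/shadow",
           "root::19000:0:99999:7:::\n"                                      # empty hash: no password
           "admin:$1$xyz$constructedmd5crypthashXXXXX:19000:0:99999:7:::\n"  # md5-crypt: weak
           "nobody:*:19000:0:99999:7:::\n")                                  # locked: fine
    _write(root / "etc/inittab",
           "::sysinit:/etc/init.d/rcS\n::respawn:/usr/sbin/telnetd -l /bin/sh\n")
    _write(root / "etc/init.d/rcS", "#!/bin/sh\n/usr/sbin/dropbear -p 22\n", 0o755)
    _write(root / "etc/ssl/device.key",
           "-----BEGIN RSA PRIVATE KEY-----\nY29uc3RydWN0ZWQta2V5LW1hdGVyaWFs\n"
           "-----END RSA PRIVATE KEY-----\n", 0o600)
    _write(root / "etc/device.conf", "debug=1\n", 0o666)                    # world-writable config


def scan_rootfs(root: Path) -> list:
    """Return findings as (check, path relative to root, detail) tuples."""
    findings = []
    shadow = root / "etc/shadow"
    if shadow.is_file():
        for line in shadow.read_text().splitlines():
            user, _, rest = line.partition(":")
            hsh = rest.split(":", 1)[0]
            if hsh == "":
                findings.append(("empty_password", "etc/shadow", user))
            elif hsh.startswith("$1$"):
                findings.append(("weak_hash_md5crypt", "etc/shadow", user))
    for p in [root / "etc/inittab", *sorted((root / "etc/init.d").glob("*"))]:
        if p.is_file() and TELNETD_RE.search(p.read_text(errors="ignore")):
            findings.append(("telnetd_enabled", str(p.relative_to(root)), "started at boot"))
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        rel = str(p.relative_to(root))
        mode = p.lstat().st_mode
        if mode & stat.S_IWOTH:
            findings.append(("world_writable", rel, oct(stat.S_IMODE(mode))))
        if PRIVATE_KEY_RE.search(p.read_text(errors="ignore")):
            findings.append(("private_key_shipped", rel, "PEM private key in image"))
    return findings


def scan_sample() -> list:
    """Build the constructed tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_rootfs(root)
        return scan_rootfs(root)


if __name__ == "__main__":
    for finding in scan_sample():
        print(*finding)
```

On the constructed tree this reports five findings: the passwordless root account, the md5-crypt hash for admin, telnetd in inittab, the PEM key under etc/ssl and the world-writable config file, while the locked nobody account and the dropbear entry in rcS pass. The same scan pointed at a real unpacked image is a cheap regression check to run on every release candidate, and the private-key check is the one most often missed when a development key is baked into a production build.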
Phase 5 - Deployment & Maintenance
This phase is focused on making the system operational in a live environment and then maintaining operational stability. It includes several steps – manufacturing, production validation, release and steady state.
From a security requirements perspective, it is important to verify that the manufacturing process follows security standards and guidelines, which may be industry-specific, and that the product is not shipped with unnecessary open physical ports (such as debug or serial interfaces). Finally, the product's software needs to be updated regularly to keep its security posture current, with special attention paid to third-party vulnerability management.
These security requirements can be implemented manually before/after the product’s release or automatically by running analysis tools on the product image. It is highly recommended that the firmware be analyzed periodically after deployment so it can be checked against up-to-date device-specific vulnerabilities (including third party ones) based on the product’s hardware and software profiles. To enhance vulnerability management, it is best to rely on a database that is continuously updated for new threats and vulnerabilities, as well as common software components and libraries.
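The post-release check described above amounts to matching the device's component inventory (names and versions) against a vulnerability database whose entries carry affected version ranges, and refusing to trust a database that has not been refreshed recently. The following is an added example for this post, not code from the original page or from any analysis product; the inventory, the database entries (advisory ids prefixed EXAMPLE- are placeholders, not real advisories) and the staleness window are constructed assumptions.

```python
"""Post-release check of a firmware component inventory against a
vulnerability database with version ranges.

Added example for this post; not code from the original page or from
any analysis product. The inventory, the database entries (EXAMPLE-
ids are placeholders, not real advisories) and the staleness window
are constructed assumptions.
"""
import re
from datetime import date

# Constructed inventory for a hypothetical device build: component -> version.
INVENTORY = {"busybox": "1.31.1", "dropbear": "2019.78", "libcurl": "7.64.0", "openssl": "1.1.1"}

# Constructed database. Affected range is [introduced, fixed); fixed=None means unfixed.
VULN_DB = {
    "updated": "2024-01-01",
    "entries": [
        {"id": "EXAMPLE-0001", "component": "busybox", "introduced": "1.30.0", "fixed": "1.32.0", "severity": "high"},
        {"id": "EXAMPLE-0002", "component": "dropbear", "introduced": "2016.72", "fixed": "2019.78", "severity": "medium"},
        {"id": "EXAMPLE-0003", "component": "libcurl", "introduced": "7.60.0", "fixed": "7.65.0", "severity": "critical"},
        {"id": "EXAMPLE-0004", "component": "openssl", "introduced": "3.0.0", "fixed": "3.0.1", "severity": "high"},
        {"id": "EXAMPLE-0005", "component": "zlib", "introduced": "1.2.0", "fixed": None, "severity": "low"},
    ],
}


def parse_version(v: str) -> tuple:
    """Numeric dotted versions only; letter suffixes such as '1.1.1k' are dropped (limitation)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def is_affected(version: str, introduced: str, fixed) -> bool:
    """True when introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def check_inventory(inventory: dict, db: dict, today: date, max_age_days: int = 30) -> dict:
    """Return matching advisories (highest severity first) plus a staleness flag for the DB."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    matches = []
    for e in db["entries"]:
        ver = inventory.get(e["component"])
        if ver and is_affected(ver, e["introduced"], e["fixed"]):
            matches.append({"id": e["id"], "component": e["component"], "version": ver,
                            "severity": e["severity"], "fixed": e["fixed"]})
    matches.sort(key=lambda m: order[m["severity"]])
    age = (today - date.fromisoformat(db["updated"])).days
    # A stale feed gives a false sense of safety: surface it rather than silently passing.
    return {"matches": matches, "db_stale": age > max_age_days, "db_age_days": age}


if __name__ == "__main__":
    print(check_inventory(INVENTORY, VULN_DB, date.today()))
```

With the constructed data, libcurl 7.64.0 and busybox 1.31.1 fall inside affected ranges and are returned critical-first; dropbear 2019.78 equals its fixed version and so is not matched, and the zlib entry is ignored because the component is not in the inventory. The staleness flag is the part that matters for a device in the field: a scheduled job that runs this against a feed nobody has refreshed will keep reporting a clean result long after new advisories have been published.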
SDLC Security Requirements Checklist for Connected Products
The continuous integration of security into every phase of the SDLC process as described here is not only essential to the development of secure software, it also reduces the overall cost and effort involved in security implementation and helps ensure that the connected product meets its business goals.
To summarize the process for connected products, here is the SDLC security requirements checklist, listing every point in the process at which analysis solutions can help you integrate security efficiently:
- During the requirements and design phases to provide the necessary device-specific security requirements list
- During the early development phase of software bring up
- During the later ongoing CI process
- During the system testing phase where certification tests are required
- During the steady state of the deployment & maintenance phase to ensure that product security levels are maintained post-release
For the full version of this blog post including all development- and security-related details about each phase of the SDLC process, please download our latest practical guide – Integrating Security into the Device SDLC Process.