A Simple Process for Software Security
posted by John Spacey, February 23, 2011Software security is an integral part of the software development life cycle (SDLC).
Constraints
Security needs to take into account constraints such as budget, time and target architecture.Example: from a security point of view design methodologies such as SOA represent constraints.
Tools
Security development life cycle tools can help establish security requirements, create quality gates, perform risk assessments, model threats and identify common and known vulnerabilities.Security testing tools can automate tasks such as vulnerability and penetration testing.
Techniques
Techniques such as security design patterns are critical to the process of building secure software.Common vulnerabilities
It is important to consider common security vulnerabilities when designing, developing and testing software.Known vulnerabilities
Known vulnerabilities in components, APIs, servers and algorithms need to be investigated.Common threats
Common threats to software such as SQL injection and cross-site scripting need to be considered at each step of the SDLC.Security Architecture and Design
Secure software development begins with a secure architecture and design. Design faults generally represent more serious vulnerabilities than software bugs.Security Reviews
After code is developed there should be a series of both informal and formal code reviews. Developers can often identify weaknesses in the code that are difficult to discover in testing.Security Testing
It is possible to automate many black box security tests such as vulnerability scans and penetration tests.It is important for a security analyst to go further and identify key risks in the software. Test cases should consider the overall architecture and likely vulnerabilities and threats. In other words, security testing should be driven by risk identification.
Current state blueprints capture business, data and implementation architecture at the conceptual, logical and physical levels. |
Recently on Simplicable
Physical Security Explainedposted by Anna MarPhysical security is real world security. The type of security that existed long before the information revolution. |
Canary Trap Explainedposted by Anna MarA digital signature embedded in information that can be tied to a source such as an individual or an IP address. |
Honeypot Explained (Security)posted by Anna MarA honeypot is decoy designed to distract attackers from your information infrastructure. |