Security in the SDLC

I have been thinking A LOT about Security in the SDLC lately. After all, the whole purpose of Jemurai is to help development teams build more secure code, so for the last year I've been steeped in how to effectively plug into the SDLC. I have had a range of ideas, which I'll get to in a moment. The funny thing is that I'm hearing more and more people in security talk about the SDLC. I wonder if it's just fashionable, or if they really understand how SDLCs work? Is your security appliance vendor really the right person to go to for advice about building security into the SDLC?

In preparing for our ChicagoRuby talk last week, I put together two slides about security in the SDLC. These are largely inspired by our Builders VS. Breakers talk and the friction I sense when talking about Agile development with security folks. The red text gives examples of security controls and where they might fit.

At that time, I was mostly interested in why it seems "easy" to plug security into waterfall: specifically, there are fewer insertion points, and they are fewer and farther between. Then I thought about similar ideas around agile:

Obviously, it should seem more complicated because there are more distinct points in the process. This is somewhat of a false dichotomy, because many of the controls shown in the agile examples could have been integrated into the waterfall model but weren't. In any case, since the "drop off" point is less clear with agile, I think we've spent more time figuring out additional places where we can insert good ideas.

So then I spent some time brainstorming about the many different places you can plug security controls into a development effort. I came up with the following. Theoretically, tools that facilitate ANY of these are within the scope of what I want Jemurai to be able to do. I am eager to get input and feedback about items I've missed or controls that should be emphasized more!

Notice that the heavy work is mostly done at the story level in an ideal world, and almost NONE is done at the release level. I want to make another diagram that somehow visually represents the process and illustrates how different security controls impact multiple things. Also notice how so many of the classic tools fit in the "operations" category.

I think the most obvious areas to focus on are:

  • Code Analysis
  • Surface Area Change
  • Frameworks for Security Unit Tests
  • Security Code Review
  • Agile Security Metrics
  • QA Driving App Scan
  • Application Portfolio

I would love to talk to ANYONE about where they see gaps or areas to emphasize!
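To make "Surface Area Change" concrete as a story-level control, here is an added example (my illustration for this post, not a Jemurai tool or code from the original). It assumes each revision of an application can export a route manifest as (method, path, auth_required) tuples; the two manifests below are constructed sample data for a hypothetical app, with one story that adds endpoints and accidentally drops authentication from an existing one. The check diffs the manifests and flags exactly the changes a reviewer would want to see before the story closes.

```python
"""Surface-area change check for one story (added example, not Jemurai's code).

Assumption: each revision can export a route manifest, a list of
(HTTP method, path, requires_authentication) tuples. The manifests below
are constructed sample data for a hypothetical application.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Route = Tuple[str, str, bool]  # (method, path, requires_authentication)

# Constructed sample: routes before the story was merged.
BEFORE: List[Route] = [
    ("GET", "/login", False),
    ("POST", "/login", False),
    ("GET", "/account", True),
    ("POST", "/account/email", True),
]

# Constructed sample: routes after the story was merged.
AFTER: List[Route] = [
    ("GET", "/login", False),
    ("POST", "/login", False),
    ("GET", "/account", False),          # auth accidentally dropped (regression)
    ("POST", "/account/email", True),
    ("GET", "/export", False),           # new endpoint, no auth required
    ("POST", "/admin/reset", True),      # new privileged endpoint
    ("DELETE", "/account", True),        # new verb on an existing path
]


@dataclass
class SurfaceChange:
    added: List[Route]                # endpoints that did not exist before
    removed: List[Route]              # endpoints that disappeared
    auth_weakened: List[Route]        # required auth before, no longer does
    new_unauthenticated: List[Route]  # subset of `added` reachable without auth

    def needs_review(self) -> bool:
        """Any growth or weakening of the surface should be looked at."""
        return bool(self.added or self.removed or self.auth_weakened)


def _index(routes: List[Route]) -> Dict[Tuple[str, str], bool]:
    """Map (method, path) to its auth requirement for quick comparison."""
    return {(method, path): auth for method, path, auth in routes}


def surface_change(before: List[Route], after: List[Route]) -> SurfaceChange:
    """Diff two route manifests and classify the security-relevant changes."""
    b, a = _index(before), _index(after)
    added = [(m, p, a[(m, p)]) for (m, p) in a if (m, p) not in b]
    removed = [(m, p, b[(m, p)]) for (m, p) in b if (m, p) not in a]
    auth_weakened = [
        (m, p, False) for (m, p) in a if (m, p) in b and b[(m, p)] and not a[(m, p)]
    ]
    new_unauthenticated = [route for route in added if not route[2]]
    return SurfaceChange(added, removed, auth_weakened, new_unauthenticated)


def report(change: SurfaceChange) -> List[str]:
    """Render the diff as review notes a story reviewer could paste into a ticket."""
    lines: List[str] = []
    for m, p, auth in change.added:
        lines.append(f"ADDED   {m:6} {p} (auth={'yes' if auth else 'NO'})")
    for m, p, _ in change.removed:
        lines.append(f"REMOVED {m:6} {p}")
    for m, p, _ in change.auth_weakened:
        lines.append(f"WEAKENED {m:5} {p}: authentication no longer required")
    if not lines:
        lines.append("No surface area change in this story.")
    return lines


if __name__ == "__main__":
    change = surface_change(BEFORE, AFTER)
    print("\n".join(report(change)))
    print("needs review:", change.needs_review())
```

In practice the manifests would be generated from the framework's route table (for example, a Rails routes dump) at the base and head of the story's branch, and a non-empty `auth_weakened` list is the case worth blocking on, since it is the kind of regression that neither a scanner run at release time nor a functional test is likely to surface.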
