Security in the software development lifecycle

The software development lifecycle (SDLC) is a framework used to develop, deploy, and maintain software. The framework formalizes the tasks or activities into six to eight phases with the goal to improve software quality by focusing on the process. Formalizing the steps is intended to allow measurement and analysis that can be used for improvements while monitoring progress and costs.

The phases of the SDLC:

• Plan: determine the scope and purpose of the software
• Requirements: define what functions the software should perform
• Design: decide key parameters like architecture, platforms, and user interfaces
• Build: create and implement the software
• Document: produce the information to help users and stakeholders understand how to use and operate the software
• Test: validate that the software fulfills the requirements
• Deploy: make the software available to its intended users
• Maintain: resolve bugs or vulnerabilities discovered in the software

At first glance, SDLC and application lifecycle management (ALM) seem very similar as they both deal with the process of software development and management. SDLC can be considered a subset of ALM that is primarily focused on the development phase. ALM is usually used to take a broader view of managing a software portfolio, while the domain of SDLC is a single application.

How does SDLC relate to DevOps and agile?

A common misconception is that SDLC is tied to a specific software development methodology. While the full eight phases of SDLC executed in sequential order seem to describe the waterfall software development process, it is important to realize that waterfall, agile, DevOps, lean, iterative, and spiral are all SDLC methodologies. SDLC methodologies might differ in what the phases are named, which phases are included, or the order in which they are executed. Activities like planning and requirements analysis might be grouped into one phase. Regardless of the differences, SDLC provides a framework that can be used for understanding and analyzing the necessary software development activities.

SDLC methodologies like agile and DevOps emphasize the iterative nature of software development instead of the linear approach of waterfall.

Why is security important in the SDLC?

A common problem in software development is that security related activities are deferred until the testing phase, which is late in the SDLC after most of the critical design and implementation has been completed. The security checks performed during the testing phase can be superficial, limited to scanning and penetration testing, which might not reveal more complex security issues.

"Shift left" and "shift right" are terms that have emerged as a way to address the need for emphasizing security throughout the SDLC. By adopting shift left and shift right principles, teams are able to fix security flaws early on, save money that would otherwise be spent on a costly rework, and have a better chance of avoiding delays going into production.

What is a secure SDLC (SSDLC)?

Implementing effective security processes requires teams to “shift left” –– including security concerns in each phase of the SDLC, starting at project inception and running throughout the project. To adopt a secure software development lifecycle (SSDLC), there are security steps to add at each phase of the SDLC. These include:

SDLC phase

Security activity

• Assess risks and security threat landscape
• Evaluate the potential impact of security incidents like reputational risk to the business

• Include security requirements as part of defining functional requirements
• Understand and incorporate compliance and regulatory requirements

• Engage in threat modeling
• Make security considerations an integral part of the architecture plan
• Evaluate security impact of design phase choices such as platform and UI

• Educate developers on secure coding practices
• Incorporate security testing tools in development process
• Evaluate software dependencies and mitigate potential security risks

• Document security controls and processes
• Assemble the information to prepare for audits, compliance checks, and security reviews

• Implement code review processes
• Perform security testing such as static analysis and interactive application security testing.

• Security assessment of deployment environment
• Review configurations for security

• Implement monitoring to detect threats
• Be prepared to respond to vulnerabilities and intrusions with remediations

How to implement a SSDLC: DevSecOps and automation

To be prepared for the ever-increasing landscape of security threats, organizations need a continuously updated set of security practices and processes. As part of a SSDLC, security gates and controls need to be implemented early throughout development and deployment processes. To iterate quickly, organizations have turned to DevOps processes and automated continuous integration and continuous deployment (CI/CD) pipelines. To avoid a bottleneck, security also needs to be a continuous and automated process. Development teams need to be responsible for application security in addition to design, building, operations, and maintenance.

DevSecOps is a set of practices that include people, processes, and technology intended to improve speed and efficiency of software development, while providing better security, improved consistency, repeatability, and collaboration. The key to DevSecOps is creating shared ownership across development, operations, and security. The goals of DevSecOps include:

• Improve safety and minimize risks by removing more security vulnerabilities early in the application development and infrastructure lifecycle, which can reduce potential production issues.
• Enhance efficiency and speed of DevOps release cycles by removing legacy security practices and tools. Using automation, standardizing on a toolchain, and implementing infrastructure as code, security as code, and compliance as code for repeatability and consistency can result in an improved development process.
• Lessen risk and increase visibility by implementing security gates early in the application development and infrastructure lifecycle to reduce the possibility of human error and improve security, compliance, predictability, and repeatability while reducing audit concerns.

Moving through the four stages of DevSecOps maturity model will help ensure that security can be woven through the CI/CD pipeline and adjusted as business and/or global conditions change. The Open Web Application Security Project® (OWASP) is a nonprofit foundation that facilitates community-led open-source software projects to improve software security and IT security awareness. OWASP offers projects, tools, documents for free that you can use to improve your security development lifecycle.

Software supply chain security and the SDLC

Software supply chain security combines best practices from risk management and cybersecurity to help protect the software supply chain from potential vulnerabilities. The software supply chain is made up of everything and everyone that touches your code in the SDLC, from application development to the CI/CD pipeline and deployment.

Software supply chain security is important to your organization, your customers, and any organization that relies upon open source contributions. While no organization wants to be breached, it also does not want to be responsible for another organization encountering a similar event. Implementing protections for your software supply chain is the key.

Some supply security best practices that security teams should consider include:

• Providing least privilege access to resources across the supply chain (e.g. developer tools, source code repositories, and other software systems), enabling multi-factor authentication, and using strong passwords.
• Hardening the security of all your connected devices and sensitive data.
• Knowing your suppliers and who you do business with, starting with your tier-one suppliers. Conducting risk assessments to evaluate each supplier's cybersecurity posture and public policies on vulnerabilities.

Why choose Red Hat® for security in the SDLC?

Red Hat offers trusted open source software that helps organizations implement a layered security approach across the infrastructure and application stack and lifecycle for better security on-premise, in the cloud, or at edge sites. Red Hat technologies are developed with a process that focuses on securing the software supply chain. With this foundation focused on security, organizations can turn their focus to building, managing, and controlling hybrid environments, implementing an automation strategy, and developing security in the SDLC with DevSecOps practices.

Red Hat and its security partner ecosystem bring a comprehensive DevSecOps approach to help organizations continue to innovate without sacrificing security. Red Hat has the expertise and ability to offer a robust portfolio to build, deploy, and run security-focused apps across an open hybrid cloud to help organizations wherever they are in their DevSecOps journey.