Thursday, January 23, 2014

Software Development Life Cycle (SDLC) for Application Security

Web application software has its own development life cycle, which can be divided into six broad phases: requirement gathering, architecture, design, implementation, deployment and testing, as shown in the figure.
Software Development Life Cycle (SDLC) and Security
To protect the final application, the organisation needs its own Application Security Cycle (ASC). While application development is in progress, the organisation can define security tasks that run in parallel and improve the quality of the end product with respect to security. One obvious means of achieving this is proper dissemination of application security knowledge at all levels through training and related literature. Here we focus on the other aspects of the ASC and map them onto the SDLC. Let's look at the phases of the cycle, the related security tasks and the tools for each:
Requirement – The application requirements and higher-level goals are defined by the organisation according to its objectives; at the same time, one can define the security policies and controls that everyone must follow throughout the process.
Tools – Policy documents, threat and risk frameworks, corporate guidelines
Architecture – The application architecture consists of various components such as the web and application servers, the database and third-party components. It can be laid down on paper along with the key information about each component. Once the architecture is ready, one can carry out a full review of its security and of the integration points between components. Often a vulnerability is observed at this stage, and the defense can be put right into the architecture layer to produce a secure application.
Tools – Threat modeling tools and frameworks
Design – The application design phase covers much more granular interactions and the class layout. This is the ideal time to perform a full threat model of the application covering all possible use cases and branches of interaction. This helps in building a proper attack profile and the corresponding security controls for the application. It also defines the path forward for developers, in the form of remediation guidelines, and for the QA team, in the form of analysis approaches.
Tools – Threat modeling tools and frameworks
Implementation – Developers can follow best practices and secure coding guidelines for application development. These guidelines, together with the threat model, make the implementation considerably more secure and provide countermeasures for all the threats described. It is also possible to use security libraries for specific tasks, such as AntiXSS for XSS defense.
Tools – Secure coding libraries and best secure coding practices
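As an added illustration of what "a security library for a specific task" means in the implementation phase (example code written for this page, not code from the original post or from the AntiXSS library), the snippet below shows a minimal context-aware output encoder of the kind such a library provides, next to the unsafe string concatenation it replaces. The function names and the sample input are constructed for the example.

```python
# Added example (not from the original post): a small context-aware output
# encoder, the kind of helper a secure-coding library such as AntiXSS offers,
# shown beside the unsafe concatenation it replaces.
import html
import json


def encode_for_html(value: str) -> str:
    """Encode untrusted text placed in an HTML element body."""
    return html.escape(value, quote=True)


def encode_for_attribute(value: str) -> str:
    """Encode untrusted text placed inside a quoted HTML attribute."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Encode untrusted text placed inside a JavaScript string literal.

    json.dumps yields a quoted, escaped literal; '<' and '>' are additionally
    escaped so a closing </script> tag inside the value cannot end the block.
    """
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_vulnerable(name: str) -> str:
    # Constructed 'before' snippet: raw concatenation of user input into HTML.
    return "<p>Hello " + name + "</p>"


def render_safe(name: str) -> str:
    # Same page with a context-appropriate encoder applied at each output sink.
    return (
        "<p>Hello " + encode_for_html(name) + "</p>"
        '<input value="' + encode_for_attribute(name) + '">'
        "<script>var user = " + encode_for_js_string(name) + ";</script>"
    )


if __name__ == "__main__":
    # Constructed sample input for the demonstration.
    sample = '<script>alert("x")</script>'
    print(render_vulnerable(sample))
    print(render_safe(sample))
```

The point for the SDLC is that the encoder is chosen per output context; a single generic escape function is not sufficient for attribute and script contexts.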
Deployment – Once the application is about to be deployed, or while initial testing is under way in QA, one can start a secure code review. Source code can be reviewed with static analysis tools, instrumentation or related approaches. This helps verify that the policies, controls and countermeasures defined in the threat model have actually been implemented.
Tools – Source analysis and instrumentation tools
Testing – Security testing of the application can be done using a zero-knowledge (black-box) approach if needed, on top of the source code assessment. Various test cases can be run at the protocol layer, along with fuzzing techniques, to determine the strength of the security.
Tools – Scanners
Throughout the Application Security Cycle (ASC), the organisation needs various tools and a knowledge base. A stronger cycle leads to better security and can have a significant impact on the overall architecture, design and implementation.