Security Integration for the Software Development Lifecycle
They walked in looking like they hadn't slept in a week. Their application had been hacked because they hadn't taken security seriously enough at the beginning...I was sure of it.
The developer was with them:
"We don't know what to do...help us! We're so afraid of being hacked and losing everything."
We were shocked. They hadn't even been breached yet, but they knew it was coming. The developer sat in complete humility. "I follow secure coding best practices, but I need to be sure my code is actually secure. Can you help us?" I hope they're paying her enough -- any developer who admits that is worth their weight in gold.
I hope they're paying her enough...
So we walked through the core requirements for SDLC-SI, or Software Development Lifecycle-Security Integration. These are key to protecting proprietary applications.
Dynamic Code Security Testing & Analysis
Dynamic code analysis is the method of analyzing an application during its execution. This dynamic analysis process will be divided into several steps:
○ Preparing input data.
○ Running a test program launch and gathering the necessary parameters.
○ Analyzing the output data.
Static Code Security Testing & Analysis
Static analysis is performed in a non-runtime environment. Typically, a static analysis tool will inspect program code for all possible run-time behaviors and seek out coding flaws, back doors, and potential malicious code.
Vulnerability Security Assessment Engineering
The Engineering vulnerability security assessment will evaluate the security, stability, integrity, confidentially, and accessibility of the application threshold while under attack and at rest. This test will determine the bandwidth of objective defensive capabilities of the application.
API Security Testing & Analysis
This Pentest of the Application's API will attempt to expose, extract, manipulate, or interactively access resources on the target system, or behind the target system.
Web Application Security Testing & Analysis
This is a series of automated, manual, and skill-based external penetration tests performed against all versions of an application in local lab installations. It is an unauthenticated external assessment using commercial, open source, automated and manual toolsets. These Penetration Tests look for previously undisclosed vulnerabilities within the target system.
Management, Analytical, & Technical Support
The process of performing assessments requires oversight and management into the development, recommendations, mitigations, and secure implementation of security best practices in the Developer's Software Development Lifecycle of the Application.
By taking these steps as part of the development process, protecting proprietary applications is possible. Make sure you consider each one before you roll our your new app.
We can do this for you, or we can coach and train your internal team. Reach out with questions. We're ready for your app security challenges.
David Evenden is our CEO and an experienced offensive security operator/analyst with 10 years of active work experience inside the Intelligence Community (IC). During his time inside the IC, he learned Persian Farsi, worked at NSA Red Team and was a member of an elite international team operating in conjunction with coalition forces to aid in the ongoing efforts in the Middle East. While he currently works with an ISP and DHS to aid in the efforts to enhance the bidirectional sharing relationship between the US Government and Commercial entities, his passion is educating network administrators and security engineers on best practices when securing your network. David currently holds Pentest+ and CySA certificates.