Building security into your software development lifecycle


By Sanjay Zalavadia

VP of Client Services, Zephyr

March 2017

Tight schedules, a lack of resources and inadequate employee skills can lead to significant technical debt during application development, as teams cut corners to get a product out the door. This not only leaves gaping holes in defect management, it also opens the program up to potential vulnerabilities.

Cyberthreats are getting more sophisticated every day, making unprotected software an easy target for disrupting operations and extracting sensitive information. A breach can significantly damage a business's reputation and bring consequences for compliance violations. For example, any organization that accepts payment cards must keep cardholder data secure under the PCI DSS standard, which is enforced through the organization's contracts with the card brands and acquiring banks. If that data is compromised, the company can face heavy fines and the loss of its ability to process cards. To avoid this type of situation, teams must build security into their software development and release lifecycles.

1. Establish a process

Organizations thrive on policies and processes that dictate how to complete a particular task and what steps to take to do so effectively. Software teams must build security into their development lifecycle by making it a part of the process from the very beginning. Protection is no longer a luxury – it’s a necessity that businesses can’t afford to overlook.

Some companies have created their own process for addressing the entire lifecycle. As TechTarget contributor Anurag Agarwal noted, ISECOM created a mature model covering a number of security practices that teams can follow. If a group decides to create a custom process, it should include details on requirements gathering, functional design, technical design, coding, QA software testing, integration and deployment. These stages form an essential basis that the team can expand upon based on its own requirements and those of its industry.

2. Provide the right tools

Protection should certainly start with developers building it directly into the code, but it is up to testers to verify that those safeguards actually hold. Security testing is becoming a major part of QA processes, to ensure that a new piece of code neither breaks functionality nor opens up vulnerabilities when it is integrated into the build. When teams are pushing to deliver updates on a daily basis and support continuous operations, it is essential to have a testing tool that runs the security checks alongside the functional ones and alerts the team quickly when a check fails.

Rapid feedback and integration with other technologies such as test automation are going to be essential for streamlining repeatable, reusable tests and fixing any bugs they surface. ESecurity Planet contributor Nazar Tymoshyk suggested combining security testing tools with the rest of the toolchain so that security coverage grows along with the code base. These capabilities will be critical to detecting defects and addressing any protection concerns before they reach production.
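As an added example (not code from the original article or from Zephyr) of what such a regression check looks like in practice, the block below puts a deliberately vulnerable user lookup beside its hardened form and runs both through a small security suite. The table, the users and the login lookup are hypothetical and constructed for the example; the suite returns a pass/fail result per check so a CI job can fail the build the moment string-built SQL slips into the code, while a functional check confirms that the hardened query still finds legitimate users.

```python
"""Security regression checks that run alongside functional QA tests.

Added example, not code from the original article or from Zephyr. It
assumes a hypothetical login lookup over an in-memory SQLite table
(constructed sample data) and shows a vulnerable query beside its
hardened form, with a suite that fails the build when injection succeeds.
"""
import sqlite3

# Constructed sample user table (not from the article).
SAMPLE_USERS = [
    ("alice", "s3cret-hash-1", "admin"),
    ("bob", "s3cret-hash-2", "user"),
]

# A canonical tautology payload a tester would keep in the regression suite.
INJECTION_PAYLOAD = "' OR '1'='1"


def make_db():
    """Create an in-memory database populated with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, name):
    """Builds the query by string concatenation: attacker input becomes SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_hardened(conn, name):
    """Binds the input as a parameter: the driver never treats it as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def injection_check(lookup):
    """Return True if the lookup resists the injection payload.

    The payload names no real user, so a correct implementation must
    return zero rows; any rows at all mean the quote broke out of the
    literal and the WHERE clause was rewritten by the input.
    """
    conn = make_db()
    try:
        rows = lookup(conn, INJECTION_PAYLOAD)
    finally:
        conn.close()
    return len(rows) == 0


def functional_check(lookup):
    """Return True if a legitimate lookup still finds exactly the right row."""
    conn = make_db()
    try:
        rows = lookup(conn, "alice")
    finally:
        conn.close()
    return rows == [("alice", "admin")]


def run_security_suite():
    """Run every check and return (per-check results, overall pass).

    In CI the overall boolean gates the merge: a failing check blocks the
    build instead of being triaged later.
    """
    results = {
        "sqli_vulnerable_lookup": injection_check(find_user_vulnerable),
        "sqli_hardened_lookup": injection_check(find_user_hardened),
        "hardened_lookup_still_works": functional_check(find_user_hardened),
    }
    return results, all(results.values())


if __name__ == "__main__":
    report, ok = run_security_suite()
    for check, passed in report.items():
        print(f"{'PASS' if passed else 'FAIL'}  {check}")
    raise SystemExit(0 if ok else 1)
```

Run stand-alone, the script exits non-zero because the vulnerable lookup is still present, which is exactly the signal a pipeline should act on; once `find_user_vulnerable` is removed from the code base, the same suite passes and continues to guard against the pattern being reintroduced.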

3. Educate employees on their responsibility

Tools and processes can only get software development teams so far. It’s up to the capabilities of developers and testers to ensure that their programs are secure and meet quality requirements. In the past, developers and testers would be separate from one another, siloed off to complete their part of the project. This resulted in the image of throwing code over a wall to become someone else’s problem. Waterfall development kept individuals apart, leading to blaming one another when things went wrong. Groups could experience significant time setbacks due to arguing and determining the best course of action to address the issue.

With agile software development, these divisions have been broken down in an effort to form a more collaborative team. In this environment, it is essential to train personnel on software security and to establish the mindset that everyone is responsible for maintaining protection. This sense of ownership can motivate teams to be more thorough in their testing and development efforts so that no issues make it through to production. TechTarget contributor Peter H. Gregory noted that there should be a standard in place for handling events such as orphaned user accounts or fraudulent transactions. Building security into employee responsibilities can be a major boost in catching disruptive events and mitigating them before they cause more damage.

Cyber threats are becoming more sophisticated, and it is up to testers and developers to ensure that their software projects are adequately protected. By building security into the entire lifecycle, teams can keep information safe and continue to provide value to their users.
