Secure SDLC

Time
9 hours 59 minutes
Difficulty
Intermediate
CEU/CPE
10
Video Transcription
00:02
>> In this video, we'll introduce the secure software development lifecycle and cover the metaphases that the CSA uses to reflect their perspective on the secure software development lifecycle.

What is SSDLC? Well, in short, it's taking the traditional software development life cycle and ensuring that you have security-related activities embedded. Traditionally, security's been employed only at the tail end of projects, in the testing phase. But the goal of the secure SSDLC is to incorporate security throughout the entire process, from preliminary training to defining what's being created, designing it, developing it, and then, of course, security still plays a major role in the testing phase, too.

There are quite a few different takes on a secure software development lifecycle, and various organizations have published standards and frameworks that pertain to this. Here, you can see Microsoft's perspective on the secure software lifecycle and the different phases and the different activities at each phase. NIST itself also defines a secure software development lifecycle. Here, you can see their layout of it. ISO 27034 is an additional example of a secure software lifecycle. Then, you have things such as OWASP OpenSAMM, the Software Assurance Maturity Model, where they incorporate security into evaluating the maturity of your software development life cycle. There are a lot of other standards out there regarding the secure lifecycle that I didn't touch on.

But the CSA takes a look at all of those different standards, and they've simplified it into three general metaphases. For your CCSK exam, you're going to want to be familiar with these metaphases, and we're going to go into each one of these phases in the ensuing videos. But to touch on those, it starts with the secure design and development phase. This phase includes activities ranging from training and developing organizational standards together and requirements, performing design reviews through threat modeling, and writing and testing code.

Secure development. Well, this phase, it addresses security and testing activities that must be performed when you're moving application code from a development environment into production. And rounding it out, we have secure operations. This phase is concerned with the ongoing security of applications as they're running in the production environment. It includes additional defenses such as web application firewalls, ongoing vulnerability assessments, penetration tests, and other activities that can be performed once an application is in the production environment.

In this video, we covered the secure software development lifecycle. We glanced over different standards that exist out there: Microsoft, NIST, ISO, and OWASP, to address and embed security in the development lifecycle. Then we took a look at the metaphases of secure development that the CSA follows: the secure design and development phase, secure deployment, and secure operation. We'll be going into each of these three in subsequent videos. I look forward to seeing you there.