Secure SDLC

In this video, we'll introduce the secure software development lifecycle and cover the metaphases that the CSA uses to reflect their perspective on the secure software development lifecycle. What is SSDLC? Well, in short, it's taking the traditional software development life cycle and ensuring that you have security-related activities embedded.

‍

Traditionally, securities been employed only at the tail end of projects in the testing phase. But the goal of the secure SSDLC is to incorporate security throughout the entire process, from preliminary training to defining what's being created, designing it, developing it and then of course, security still plays a major role in testing phase 2.

‍

There are quite a few different takes on a secure software development lifecycle and various organizations have published standards and frameworks that pertain to this. Here, you can see Microsoft's perspective on the secure software lifecycle and the different phases and the different activities at each phase. NIST itself also defines a secure software development lifecycle. Here, you can see their layout of it. ISO 27034 is an additional example of a secure software lifecycle.

‍

Then, you have things such as OWASP, OpenSAMM, the Software Assurance Maturity Model, where they incorporate security into evaluating the maturity of your software development life cycle. There are a lot of other standards out there regarding the secure lifecycle that I didn't touch on. But the CSA takes a look at all of those different standards and they've simplified it into three general metaphases. For your CCSK exam, you're going to want to be familiar with these metaphases and we're going to go into each one of these phases in the ensuing videos.

‍

But to touch on those, it starts with secure design and development phase. This phase includes activities ranging from training and developing organizational standards together and requirements, performing design reviews through threat modeling and writing and testing code. Secure development. Well, this phase, it addresses security and testing activities that must be performed when you're moving application code from a development environment into production and rounding it out. We have secure operations.

‍

This phase is concerned with the ongoing security of applications as they're running in the production environment. It includes additional defenses such as web application firewalls, ongoing vulnerability assessments, penetration tests, and other activities that can be performed once an application is in the production environment. In this video, we covered the secure software development lifecycle.

‍

We glanced over different standards that exist out there: Microsoft, NIST, ISO, and OWASP to address and embed security in the development lifecycle. Then we took a look at the metaphases of secure development that the CSA follows. Secure design and development phase, secure deployment, and secure operation. We'll be going into each of these three in subsequent videos, I look forward to seeing you there.