Secure Software Development Lifecycle (SSDL)
Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or
Already have an account? Sign In »
Time
12 hours 57 minutes
Difficulty
Intermediate
CEU/CPE
13
Video Transcription
00:00
>> Anyone who has developed
00:00
an application or developed
00:00
any kind of software for that matter,
00:00
is familiar with the software development lifecycle.
00:00
But now we're going to put a little bit of
00:00
a cloud security spin on it
00:00
and talk about the secure
00:00
>> software development lifecycle.
00:00
>> In this lesson, we're going to talk about the steps of
00:00
the secure software development lifecycle,
00:00
I want to convey
00:00
the security implications of each stage of the process,
00:00
and then we'll talk about a little bit,
00:00
many of the security issues that
00:00
crop up with software development process..
00:00
This secure software development lifecycle
00:00
has six different steps.
00:00
Just like the typical software development lifecycle,
00:00
first you want to define
00:00
what it is you're trying to develop.
00:00
At this stage, you're not really talking about
00:00
particular technologies or approaches,
00:00
it's really at a fundamental level,
00:00
what is this application or code going to do.
00:00
Then in the design stage,
00:00
you start to think about many of the user stories,
00:00
whether or not this application is going to
00:00
need an API to connect to it.
00:00
It's very important also to think during this stage
00:00
how if the architecture of
00:00
the applications coming together,
00:00
what security considerations need to go into effect.
00:00
Now, one thing I forgot to mention is that,
00:00
in the define stage,
00:00
this is where security needs to come to the table.
00:00
If you're talking about what it needs to do,
00:00
you really want to have
00:00
security application architects there to advise you
00:00
about what do you want to do and the potential
00:00
security considerations for how
00:00
the application is going to work.
00:00
Then in the design stage when you're starting to firm
00:00
up some of the requirements, again,
00:00
this is where we want to start thinking of like, well,
00:00
if it's going to do these user stories,
00:00
how is it going to do these things in a secure manner?
00:00
Now you might be thinking, "Oh, well,
00:00
we're going to bog down this development process
00:00
by security each step of the way."
00:00
One of the things I often like to
00:00
reiterate when this objection comes up is that,
00:00
security is part of product quality.
00:00
Would you design a car that's not very safe?
00:00
Obviously, you don't want to design software that is
00:00
inherently vulnerable to your customers.
00:00
It could damage your brand,
00:00
it also can create more administrative headache down
00:00
the line in terms of maintaining the software.
00:00
Then we move to the development.
00:00
We actually start coding and creating the application.
00:00
We've talked about some of the best practices
00:00
for training people on
00:00
how to develop code in
00:00
cloud applications in a secure manner.
00:00
That's where that training really
00:00
gets implemented in helping develop the application.
00:00
Then there's testing.
00:00
At this stage, many of the active tests to look
00:00
for vulnerabilities when the application will be done,
00:00
as well as ensuring that it's
00:00
functionally tested and works according
00:00
to the user stories and what it's supposed to do.
00:00
Then we go to the secure operations piece.
00:00
In addition to validating and testing
00:00
the application from
00:00
a security predictor for vulnerabilities,
00:00
we also want to ensure that we have many of
00:00
the administrative aspects of security done,
00:00
such as any changes that are
00:00
going to be done to this application or
00:00
configuration changes need to go through a process.
00:00
We need to vet those changes,
00:00
its impacts on security,
00:00
and ensure that any changes is evaluated,
00:00
tested, and then deployed to
00:00
>> the production environment.
00:00
>> Another very important aspect is ensuring that
00:00
the development environment where this application
00:00
and code is going to be deployed is
00:00
effectively monitored so that
00:00
any suspicious activity is detected and addressed.
00:00
Ultimately, one thing we don't
00:00
necessarily always want to think about in
00:00
the development of software is like what
00:00
is the end of life of this software going to entail?
00:00
Many cloud applications are constantly being
00:00
updated but there can be
00:00
>> customers who really lag behind.
00:00
>> You really need to think about how you're going
00:00
to create a process to
00:00
transition customers off older deprecated versions
00:00
of your software,
00:00
especially when you have
00:00
to make firm business decision about when
00:00
you're no longer going to be providing
00:00
security and performance updates to that software.
00:00
Quiz question. What is the most important step in
00:00
the secure software development lifecycle
00:00
from a security perspective?
00:00
Design, secure operations, or define?
00:00
If you said define you are correct.
00:00
Although there may be more explicit things that
00:00
security is doing later in the process,
00:00
security needs to be at the table from the outset of
00:00
when an application is being defined.
00:00
Now, from a security perspective,
00:00
I caution anyone, first,
00:00
let people define the business need and use
00:00
case before jumping in with
00:00
the risks related to security.
00:00
You're really there to help make
00:00
sure that security makes it in to
00:00
the early stages of the product.
00:00
Don't undermine yourself by
00:00
bringing up risks too quickly.
00:00
Allow the application to take
00:00
shape before providing your expert opinion.
00:00
In summary, we talked about the stages of
00:00
the secure software development lifecycle,
00:00
we talked about the security considerations
00:00
at each of these stages.
00:00
Well, I hope this helped you get
00:00
some ideas for how to design more secure software.
00:00
I'll see you in the next lesson.
Up Next
Instructed By
Similar Content
