Security Integration into the SDLC

Feb 08, 2021

DevOps is a set of practices used by some of the most innovative and efficient technology organisations in the world. The goal is to accelerate the delivery of products and services while improving how those products are supported across development and operations. Perhaps the most critical aspect is cultural change: breaking down silos and placing an emphasis on self-sufficiency.

It has been a decade since DevOps practices were introduced, and one part of software development practice that has remained relatively siloed is application security. Recent advances in tooling have provided much better integration into software development technology stacks, allowing DevOps professionals to start vetting and reviewing code for vulnerabilities earlier in the software development process. Research by the National Institute of Standards and Technology (NIST) and the Ponemon Institute suggests that the relative cost of remediation can differ by a factor of 10 to 30 between a vulnerability discovered at the architecture or design stage and the same vulnerability discovered once the application has entered production. Late discovery of vulnerabilities in an application will invariably delay product deliveries.

In previous blogs, I have shared the steps required to transform an organisation so that security can be integrated into the software development lifecycle (SDLC) using DevOps principles, along with practical methods of adapting existing governance processes to support the speed and agility of DevOps. Beyond the traditional application security ‘toolset’ of manual penetration testing, we now have an array of tools that support security assurance at earlier stages of the software development cycle. Application security tooling used in development and operations can be grouped into the following categories:

  • SAST or Static Application Security Testing: examines the organisation's own (proprietary) source code for vulnerabilities, without running the application.
  • SCA or Software Composition Analysis: examines the open source libraries and other third-party components the application depends on for known vulnerabilities.
  • IAST or Interactive Application Security Testing: automated penetration testing instrumented inside the running application, so that the location of each vulnerability in the code is also reported; it can be integrated into the development pipeline before the code reaches the production environment.
  • DAST or Dynamic Application Security Testing: automated penetration testing of the running application from the outside, without access to its source code.

In the diagram below, I have depicted the points within the SDLC at which current application security tools can be integrated into the software development process, enabling earlier and incremental testing as well as continuous monitoring after deployment into production.

Please note that the above is a simplified extrapolation of the stages and processes within the SDLC and the connections between them. The blog is based on current tooling capabilities, but the diagram is designed to be vendor-agnostic.

Dr. Wendy Ng is a DevSecOps Security Managing Advisor who has honed her technical consulting skills across a number of industries: aerospace, healthcare, fintech, telco, transport logistics, and critical national infrastructure. Wendy completed her doctoral studies at the University of Oxford and has contributed to the scientific community through peer-reviewed publications. She has been sharing her experience and expertise, addressing key challenges, in her blogs since 2016.