Knowing your weaknesses only makes you stronger.


Benefits:

  • True's reports are comprehensive and user friendly, giving you practical results and recommendations you can actually implement.

Secure SDLC / Security Code Review

Whether a formal process is in place or ad hoc, informal procedures are followed, every company relies on some semblance of a software development methodology. Whatever form it takes, security should be an explicit consideration throughout the process.


Unfortunately, many organizations lack the internal expertise and the toolsets necessary to carry out the critical components of secure development: code reviews, addressing regulatory requirements, creating threat models, and conducting vulnerability and penetration testing.


Security can be addressed within several key phases of the development lifecycle, including Requirements Gathering, Functional Design, Technical Design, Integration and Quality Assurance Testing, and Production Deployment.


Requirements Gathering
It is critical to identify any regulatory requirements (Sarbanes-Oxley (SOX), HIPAA, GLBA, PCI, NERC, etc.) that apply to the system before the design phase begins, so that they become design inputs rather than late retrofits.


Functional Design
Functional design includes data classification, which determines how strongly each class of data the system handles must be protected.


Technical Design
Technical design issues include developing threat models, evaluating data handling strategies, selecting appropriate authentication mechanisms, session management strategies and error handling facilities, designing audit logging mechanisms, and producing deployment best practice documents.


Integration & QA Testing
Code reviews should prioritize code that runs in an elevated context, listens on a globally accessible network interface, communicates with external resources, or handles sensitive data.
While most development firms conduct user requirements testing, very few go back to the original design specification and test its security requirements. Security requirements testing can be completed via vulnerability and penetration testing.
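One way to apply that review-scoping criterion across a code base, as an added example and not True's own tooling: a small Python script that scans source files for indicators of the four risk categories and ranks the files for manual review. The indicator patterns, the weights, and the three sample source files are constructed for this illustration and would be tuned to the real stack.

```python
"""Risk-based triage: which source files should get a manual security code review first.

Added illustration, not True's own tooling. Each file is scored on the four criteria
named in the text: elevated context, globally accessible listener, external resources,
sensitive data. Patterns, weights and sample files are constructed for the example.
"""
import re
from collections import defaultdict

# Indicator patterns per criterion (constructed, Python/Unix-flavoured; extend per stack).
INDICATORS = {
    "elevated_context": [
        r"\bos\.set(e?uid|e?gid)\s*\(",
        r"\bsudo\b",
        r"\bgeteuid\(\)\s*==\s*0\b",
        r"\bCAP_SYS_ADMIN\b",
    ],
    "global_listener": [
        r"\.bind\(\s*\(\s*['\"](0\.0\.0\.0|::|)['\"]",  # bind to all interfaces ('' included)
        r"\bhost\s*=\s*['\"]0\.0\.0\.0['\"]",
    ],
    "external_resources": [
        r"\b(requests|urllib\.request|httpx)\.(get|post|urlopen|request)\s*\(",
        r"\bsocket\.create_connection\s*\(",
        r"\bsubprocess\.(run|Popen|call|check_output)\s*\(",
    ],
    "sensitive_data": [
        r"\b(password|passwd|secret|api_key|token)\b",
        r"\b(ssn|social_security|card_number|pan)\b",
    ],
}

# Weights express how much each criterion raises review priority (constructed values).
WEIGHTS = {"elevated_context": 4, "global_listener": 3, "external_resources": 2, "sensitive_data": 3}

COMPILED = {crit: [re.compile(p, re.IGNORECASE) for p in pats] for crit, pats in INDICATORS.items()}


def scan_source(text):
    """Return {criterion: [line_numbers]} for every indicator hit in one file's text."""
    hits = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # skip comment-only lines to reduce noise
            continue
        for crit, patterns in COMPILED.items():
            if any(p.search(line) for p in patterns):
                hits[crit].append(lineno)
    return dict(hits)


def score(hits):
    """Each criterion counts once, weighted, so a file combining criteria
    (e.g. runs as root AND listens on all interfaces) outranks one that
    merely repeats a single indicator many times."""
    return sum(WEIGHTS[c] for c in hits)


def triage(files):
    """Rank {path: source_text} by review priority, highest score first."""
    ranked = [(path, score(h), h) for path, text in files.items() for h in [scan_source(text)]]
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


# Constructed sample code base; not real project code.
SAMPLE_FILES = {
    "admin_agent.py": (
        "import os, socket\n"
        "if os.geteuid() == 0:\n"
        "    os.setuid(0)\n"
        "srv = socket.socket()\n"
        "srv.bind(('0.0.0.0', 8443))\n"
    ),
    "billing.py": (
        "import requests\n"
        "def charge(card_number, amount):\n"
        "    return requests.post(GATEWAY, json={'pan': card_number})\n"
    ),
    "utils.py": (
        "# password handling lives elsewhere\n"
        "def add(a, b):\n"
        "    return a + b\n"
    ),
}

if __name__ == "__main__":
    for path, s, hits in triage(SAMPLE_FILES):
        print(f"{s:2d}  {path:16s} {sorted(hits)}")
```

Running it ranks admin_agent.py first (root context plus an all-interfaces listener), billing.py second (external payment gateway call plus cardholder data), and utils.py last with no hits. The point is scoping, not finding bugs: the script tells the reviewer where to spend limited manual review time, and its output should be sanity-checked for false positives such as ordinary words matching the sensitive-data patterns.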


Production Deployment
It is equally critical to enforce security best practices at release time and to verify that the production environment is deployed according to the deployment best practice documents produced during technical design.

Call or email now for a discreet, no-obligation review with one of our experts:
(866) 430-2595


