Managing Microsoft Windows OS and Application Software Security

A security representative participating in the development process is your key to managing software security. One benefit of a formal model such as the SDLC or the agile method is the collaborative nature of the process. If you formally implement a development model, you should hold required phase pass-off meetings every time your project is ready to move from one stage to another. How often these pass-offs occur depends on how you scope your projects, and there are many ways to scope software development projects. TABLE 14-1 lists several common approaches to software project scope.

TABLE 14-1 Common Approaches to Setting Software Project Scope

Approach: Create one project to develop a complete software application.
  Advantages:
  • Single project
  • Ultimate visibility
  Disadvantages:
  • Difficult to sift through tasks to find related work
  • Difficult to move to another phase until all components are ready
  • Very difficult to manage a large number of related components

Approach: Create a new project for each individual program.
  Advantages:
  • Ultimate flexibility
  • Easy to move from one phase to the next
  Disadvantages:
  • Difficult to define interproject dependencies
  • Difficult to maintain status reporting among multiple projects

Approach: Create a project for a group of related software programs.
  Advantages:
  • A balance of flexibility and visibility
  • Easy to manage groups of related programs together
  Disadvantages:
  • Must maintain interproject dependencies
  • Some projects may have to wait for dependent projects before moving to a new phase

Approach: Use the agile method for each project.
  Advantages:
  • Flexibility to focus on rapid results
  • Dynamic team environment that changes as the product matures
  • Easier to detect and address emerging issues
  Disadvantages:
  • Challenging to schedule limited resources
  • Aggressive production schedules may not suit all organizations
  • Requires more sophisticated team leadership

© Jones & Bartlett Learning.

In most SDLC environments, the best choice is to create a project for a group of related software programs. This balances the advantages and disadvantages of the other approaches, and it also makes it easy to fold in maintenance modifications after you have implemented your software product. The first three approaches apply to SDLC environments; agile is another choice that many organizations make.

Once you decide how you will scope projects, include a security component in every phase. Incorporating security in the earliest phases of software development increases the application’s security and decreases the cost of adding safeguards. In fact, many development organizations have one or more security specialists on the development team to ensure such concerns are addressed. All too often, organizations add security features late in the development cycle. Waiting until late in the design or development process may cause problems that force a partial redesign. Include security requirements from the very beginning.

Another way to ensure your applications include security concerns early in the development process is to pursue security training for developers. Security classes are available that specifically target software developers. It makes sense to find good training for your analysts and developers to help them learn how to write more secure programs.

Along with ensuring your software developers are fully trained to write secure code, make sure your development environment and tools don’t get in the way. Many of the latest development environments integrate tools and secure libraries that help developers write more sound applications. One of the most popular development environments for Windows applications is Microsoft Visual Studio. Visual Studio supports developers working in a wide variety of languages and targeting Android, iOS, web, and cloud environments. Visual Studio includes many features and tools for developing secure applications:

  • Code analyzer—Identifies many coding errors

  • Application verifier—Identifies stability, compatibility, and security issues

  • Compiler option—Helps prevent buffer overflows

  • Secure libraries—Safer library functions for use in applications

  • Security exceptions—Security-related exceptions raised while debugging

Visual Studio is available as a fully featured, comprehensive Integrated Development Environment (IDE), or as a free, open source, general-purpose IDE named Visual Studio Code. Visual Studio Code boasts thousands of plugins that allow it to support nearly every programming language, and it runs on all popular OSs. You can find out more about Visual Studio and Visual Studio Code at https://visualstudio.microsoft.com/.

Each time programs move from one phase to the next, conduct a security review. This is also a good time to perform a risk analysis. The review should cover the programs that have changed, to ensure no new vulnerabilities have been introduced into your software. Start your security reviews with the very first phase. Microsoft has formalized the inclusion of security activities in the classic SDLC. To emphasize the need for integrating security into all phases of the development life cycle, Microsoft developed the Security Development Lifecycle (SDL). According to Microsoft, the SDL “is a security assurance process that is focused on software development.” The company based the SDL on three core concepts that support secure development: education, continuous improvement, and accountability. The SDL groups security-related activities into seven phases, which correspond to phases in the SDLC. FIGURE 14-3 shows the phases and activities of the SDL.

[FIGURE 14-3 The Microsoft Security Development Lifecycle (SDL), simplified. The figure is a table listing the SDL’s development activities under seven phases. © Jones & Bartlett Learning.]

The Microsoft SDL defines the following phases of development activities:

  • Training—Ensure all developers are fully trained on security development topics before engaging in any software application development activities. Training all developers on secure development techniques is crucial to creating secure applications.

  • Requirements—This phase corresponds to the SDLC Software Requirements Analysis phase. During this phase, the development team establishes security requirements, creates quality gates, and conducts security and privacy risk assessments.

  • Design—This SDL phase corresponds to the SDLC System Analysis and Design phase. SDL activities include establishing design requirements, analyzing the application’s attack surface, and modeling threats to the application.

  • Implementation—This SDL phase corresponds to the Code Generation SDLC phase. During code generation, SDL activities include using approved tools, deprecating unsafe functions, and performing static code analysis to ensure new or modified code is secure.

  • Verification—This SDL phase corresponds to the Formal Testing SDLC phase. Formal testing focuses on evaluating functionality, while verification activities include dynamic code analysis, fuzz testing, and attack surface reviews.

  • Release—This SDL phase corresponds to the Implementation SDLC phase. Once you implement application changes, you can create or update the incident response plan and conduct a final security review.

  • Response—This phase comes into play when an incident occurs. The response phase corresponds to executing your incident response plan.
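The Visual Studio features listed earlier (code analyzer, compiler option against buffer overflows, secure libraries) and the SDL Implementation activities above (approved tools, deprecating unsafe functions, static code analysis) all target the same class of defect, so one worked example in portable C serves both passages. This is an added example, not code from the textbook or from Microsoft. It places an unbounded strcpy into a fixed-size field, the pattern Visual Studio's compiler flags with warning C4996 and that its /GS buffer security check guards at run time, beside a bounded replacement that refuses to truncate. The page does not name the compiler flag; /GS is my reading of "compiler option." The names (struct user_record, NAME_MAX, bounded_copy, safe_set_name) and the sample inputs are constructed for this example.

```c
/* Added example, not from the textbook: the SDL "deprecate unsafe functions"
 * activity shown in portable C. Type and function names are constructed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 16                    /* fixed-size field, terminator included */

struct user_record {
    char name[NAME_MAX];
};

/* BEFORE: the pattern the SDL deprecates. strcpy does not know the size of
 * the destination, so any src of NAME_MAX or more bytes overruns the field.
 * Under MSVC this call draws warning C4996 ("may be unsafe, consider
 * strcpy_s"), and a /GS-protected build aborts on the overrun rather than
 * continuing with a corrupted stack. Defined only for comparison; nothing
 * below calls it. */
void unsafe_set_name(struct user_record *u, const char *src) {
    strcpy(u->name, src);
}

/* AFTER: a bounded copy that fails closed. Returns 0 when src fits in dst
 * (terminator included) and -1 otherwise, leaving dst as an empty string so a
 * caller that ignores the result never works with a silently truncated value.
 * The scan is bounded by dst_size, so src is never read beyond dst_size bytes
 * even if it is not NUL-terminated. */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    size_t n = 0;
    if (dst == NULL || dst_size == 0) return -1;
    if (src == NULL) { dst[0] = '\0'; return -1; }
    while (n < dst_size && src[n] != '\0') n++;
    if (n == dst_size) {               /* no room left for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);           /* n < dst_size, so the NUL fits */
    return 0;
}

/* Wrapper that always passes the real field size: the shape a "secure
 * library" wrapper takes so that callers cannot get the bound wrong. */
int safe_set_name(struct user_record *u, const char *src) {
    if (u == NULL) return -1;
    return bounded_copy(u->name, sizeof u->name, src);
}

int main(void) {
    /* Constructed sample inputs: one that fits, one that would have overrun. */
    const char *inputs[] = { "alice", "a-name-that-is-far-too-long-for-the-field" };
    struct user_record u;
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = safe_set_name(&u, inputs[i]);
        printf("%-45s -> rc=%d name=\"%s\"\n", inputs[i], rc, u.name);
    }
    return 0;
}
```

The design choice worth noting is that bounded_copy reports truncation instead of silently shortening the input the way strncpy does; the SDL's static analysis step catches the unsafe call, and the wrapper's explicit return code is what turns "it didn't crash" into "it was handled."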

The Microsoft SDL extends the classic SDLC and complements standard development activities with a security-related focus. It provides managers with a prescribed method to ensure that the software development process pays appropriate attention to security matters. The three core concepts ensure that developers are well educated, always improving the development process, and accountable for the code they write.
