This article is taken from US-CERT
“Security enhancement” of the SDLC process mainly involves the adaptation or augmentation of existing SDLC activities, practices, and checkpoints, and in a few instances, it may also entail the addition of new activities, practices, or checkpoints. In a very few instances, it may also require the elimination or wholesale replacement of certain activities or practices that are known to obstruct the ability to produce secure software.
The key elements of a secure software life cycle process are:
- security criteria in all software life cycle checkpoints (both at the entry of a life cycle phase and at its exit)
- adherence to secure software principles and practices
- adequate requirements, architecture, and design
- secure coding practices
- secure software integration/assembly practices
- security testing practices that focus on verifying the dependability, trustworthiness, and sustainability of the software being tested
- secure distribution and deployment practices and mechanisms
- secure sustainment practices
- supportive tools
- secure software configuration management systems and processes
- security-knowledgeable software professionals
- security-aware project management
- upper management commitment to production of secure software
Organizations can insert secure development practices into their software life cycle process either by adopting a codified secure software development methodology, such as those discussed in Section 3.6 of Enhancing the Development Life Cycle to Produce Secure Software [DHS/DACS 08], and the SDLC Process content area of Build Security In, or through the evolutionary security enhancement of their current practices, as described in Sections 4-10 of Enhancing the Development Life Cycle to Produce Secure Software and in the Best Practices and Knowledge sections of Build Security In.
These, as well as the other Best Practices, Knowledge, and Tools articles on Build Security In, support organizations in making progress toward achieving these goals. Those responsible for ensuring that software and systems meet their security requirements throughout the development life cycle should review, select, and tailor BSI guidance as part of normal project management activities. Additional Resources on BSI and the references below provide additional, experience-based practices and lessons learned that development organizations need to consider.