sdlc model for website development

2022.03.23

National Institute of Standards and Technology

April 23, 2020


Preface: For secure software development, I previously mainly knew Microsoft's SDL, concepts such as threat modeling and attack surface, the OWASP Secure Coding Guidelines, and then AST tools for code security testing. When communicating with customers, I also learned about some of their management systems, process requirements, and so on. This article is mainly a summary and combination of best practices, and is more management-oriented; many customers have already implemented some of these requirements, just not so comprehensively.

The text defines two types of readers. If I may add something from an industry practitioner's point of view: I think people doing software development management, development security assessment, and vendors providing development security consulting can also refer to this framework, refine the content of the text, and make an SSDF template to help users standardize secure behavior in the development process. Although this template is not an industry compliance requirement, because it is so comprehensive it is still very helpful and a good reference. The content is divided into four parts: preparing the organization, protecting the software, producing well-secured software, and responding to vulnerabilities; the logic is the aspects that need attention before development, during development, and after development.

Thanks to Chen Nengji for recommending the original text.

Summary


Few software development life cycle (SDLC) models explicitly address software security in detail, so secure software development practices usually need to be added to each SDLC model to ensure that the software being developed is well secured. This white paper recommends a core set of high-level secure software development practices, called the Secure Software Development Framework (SSDF), to be integrated into each SDLC implementation. The paper promotes communication about secure software development practices among business owners, software developers, project managers and leads, and cybersecurity professionals within an organization. Following these practices helps software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences. In addition, the framework provides a common vocabulary for secure software development that software consumers can use to communicate with suppliers during acquisition and other management activities.


Audience


This white paper has two main audiences. The first is software producers (e.g., commercial-off-the-shelf product vendors, government-off-the-shelf software developers, custom software developers), regardless of size, sector, or level of maturity. The second is software consumers, including federal government agencies and other organizations. Readers are not required to be experts in secure software development to understand the document, but implementing the recommended practices does require expertise in secure software development.

From the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, the workforce categories and specialty areas most likely to find this document of interest are:

  • Securely Provision (SP): Risk Management; Software Development; Systems Requirements Planning; Test and Evaluation; Systems Development
  • Operate and Maintain (OM): Systems Analysis
  • Oversee and Govern (OV): Training, Education, and Awareness; Cybersecurity Management; Executive Cyber Leadership; Program/Project Management and Acquisition
  • Protect and Defend (PR): Incident Response; Vulnerability Assessment and Management
  • Analyze (AN): Threat Analysis; Exploitation Analysis


Main text


1 Introduction


A software development life cycle (SDLC) is a formal or informal methodology for designing, creating, and maintaining software (including code built into hardware). There are many SDLC models, including waterfall, spiral, agile, and development and operations (DevOps). Few SDLC models explicitly address software security in detail, so secure software development practices usually need to be added to and integrated into each SDLC model. Regardless of which SDLC model is used to develop software, secure software development practices should be integrated for three reasons: to reduce the number of vulnerabilities in released software, to mitigate the potential impact of exploitation of undetected or unaddressed vulnerabilities, and to address the root causes of vulnerabilities so as to prevent future recurrences. Most aspects of security can be addressed at multiple points within any SDLC, but in general, the earlier in the SDLC security is addressed, the less effort and cost is ultimately required to achieve the same level of security. This principle, known as shifting left, is critically important regardless of the SDLC model.

There is currently a great deal of material on secure software development practices, including the documents listed in the References section of this paper. This white paper does not introduce new practices or define new terms; instead, it presents a subset of high-level practices drawn from existing standards, guidance, and secure software development practice documents. These practices, collectively called the Secure Software Development Framework (SSDF), should be particularly helpful for readers who want to achieve their goals in secure software development. Note that the practices are limited to those directly concerned with secure software development (e.g., securing the development framework or the pipeline itself is outside this scope).

This paper is intended to serve as a starting point for discussing the concept of a secure software development framework; it therefore does not provide a comprehensive view of one. Future work may expand on the material in this paper, for example, on how the SSDF applies to and changes under different software development methodologies, and on how organizations can transition from their current software development methods to the practices included in the SSDF. Such future work will most likely take the form of user stories, to make it easier to apply the included practices to a particular type of development environment.

This paper describes secure software development practices but does not prescribe exactly how to implement them. The focus is on the outcomes of the practices rather than on the tools, techniques, and mechanisms used to implement them. For example, one organization may automate a particular step while another uses a manual process. The advantages of specifying the practices at this high level include:

  • Organizations in any sector or community, regardless of size or cybersecurity sophistication, can use them.
  • They apply to software developed to support information technology (IT), industrial control systems (ICS), cyber-physical systems (CPS), and the Internet of Things (IoT).
  • They can be integrated into existing software development workflows and automated toolchains without disrupting the organization's current well-established software development practices.
  • They are broadly applicable and not tied to a specific technology, platform, programming language, SDLC model, development environment, operating environment, tool, or similar.
  • They can help an organization document its current secure software development practices and define its future target practices as part of a continuous improvement process.
  • They can help organizations that use modern software development models (e.g., agile, DevOps), as well as those transitioning from classic models, adopt secure software development practices.
  • They can help organizations that acquire and use software understand the secure software development practices used by their suppliers.

This paper also provides a common language for describing fundamental secure software development practices, in the same way as the Framework for Improving Critical Infrastructure Cybersecurity (the NIST Cybersecurity Framework). Expertise in secure software development is not required to understand the practices, which helps facilitate communication about secure software practices among internal and external participants, including:

  • Business owners, software developers, project managers and leads, and cybersecurity professionals within an organization.
  • Software consumers, including federal government agencies and other organizations, who want to define required or desired characteristics for software in their acquisition processes in order to obtain higher quality software.
  • Software producers (e.g., commercial-off-the-shelf product vendors, government-off-the-shelf software developers, software developers working within or on behalf of software consumer organizations, and software testers/quality assurance personnel) who want to integrate secure software development practices into their SDLC, express their secure software development practices to customers, or define requirements for their suppliers.

The practices in this white paper are not based on the assumption that all organizations have the same security objectives and priorities; instead, the recommendations reflect that each software producer may have unique security assumptions, and each software consumer may have unique security needs and requirements. Although the hope is that every software producer follows all applicable practices, the expectation is that the degree to which each practice is followed, and the form of its implementation, will vary depending on the producer's security assumptions. The practices provide flexibility to implementers, but they are also clearly defined so as to avoid leaving too much open to interpretation.


2 Secure Software Development Framework (SSDF)


This white paper introduces the Secure Software Development Framework (SSDF), a set of fundamental, sound secure software development practices based on existing secure software development practice documents. For the purposes of this white paper, the practices are organized into four groups:

  • Prepare the Organization (PO): Ensure that the organization's people, processes, and technology are prepared to perform secure software development at the organization level and, in some cases, for each individual project.
  • Protect the Software (PS): Protect all components of the software from tampering and unauthorized access.
  • Produce Well-Secured Software (PW): Produce well-secured software with minimal security vulnerabilities in its releases.
  • Respond to Vulnerabilities (RV): Identify vulnerabilities in software releases, respond appropriately to address those vulnerabilities, and prevent similar vulnerabilities from occurring in the future.

Each practice is defined using the following elements:

  • Practice: A brief description of the practice, plus a unique identifier and an explanation of what the practice is and why it is beneficial.
  • Task: An individual action (or actions) needed to accomplish the practice.
  • Implementation example: An example of a type of tool, process, or other method that could be used to implement the practice; no example or combination of examples is required, and the stated examples are not the only feasible options.
  • Reference: An established secure development practice document and its mappings to a particular task.

Although most practices are relevant to any software development effort, some are not always applicable. For example, if developing a particular piece of software does not involve using a compiler, there is no need to follow a practice on configuring the compiler to improve the security of executables. Some practices are more fundamental, while others are more advanced and may depend on certain fundamental practices already being in place. Also, the practices are not always equally important in every case. Organizations must decide which practices to adopt and how much time and resources to spend on each. Finally, frequencies are not specified, because the appropriate frequency for any particular situation depends on risk and other factors.

Below is the list of practices as defined. Keep in mind that these practices are only a subset of what an organization needs to do to achieve secure software development, and that they are not listed in order of importance. Because of space constraints, the information in the list is limited; for more information on each practice, see the following references:


BSIMM10: Building Security in Maturity Model (BSIMM) Version 10 [3]

BSA: BSA, Framework for Secure Software [4]

IDASOAR: Institute for Defense Analyses (IDA), State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation 2016 [5]

ISO27034: International Organization for Standardization/International Electrotechnical Commission (ISO/IEC), Information technology – Security techniques – Application security – Part 1: Overview and concepts, ISO/IEC 27034-1:2011 [6]

MSSDL: Microsoft, Security Development Lifecycle [7]

NISTCSF: NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 [2]

OWASPASVS: OWASP, OWASP Application Security Verification Standard 4.0 [8]

OWASPTEST: OWASP, OWASP Testing Guide 4.0 [9]

PCISSLRAP: Payment Card Industry (PCI) Security Standards Council, Secure Software Lifecycle (Secure SLC) Requirements and Assessment Procedures Version 1.0 [10]

SAMM15: OWASP, Software Assurance Maturity Model Version 1.5 [11]

SCAGILE: Software Assurance Forum for Excellence in Code (SAFECode), Practical Security Stories and Security Tasks for Agile Development Environments [12]

SCFPSSD: SAFECode, Fundamental Practices for Secure Software Development: Essential Elements of a Secure Development Lifecycle Program, Third Edition [13]

SCSIC: SAFECode, Software Integrity Controls: An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain [14]

SCTPC: SAFECode, Managing Security Risks Inherent in the Use of Third-Party Components [15]

SCTTM: SAFECode, Tactical Threat Modeling [16]

SP80053: Joint Task Force Transformation Initiative, Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publication (SP) 800-53 Revision 4 [17]

SP800160: NIST, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, NIST SP 800-160 Volume 1 [18]

SP800181: NIST, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST SP 800-181 [1]

Prepare the Organization (PO)

Define security requirements for software development (PO.1): Ensure that the security requirements for software development are known at all times, so that they can be taken into account throughout the SDLC and duplication of effort is minimized because the requirements information is collected once and shared. This includes requirements from internal sources (e.g., the organization's policies, business objectives, and risk management strategy) and external sources (e.g., applicable laws and regulations).

PO.1.1: Identify all applicable security requirements for the organization's software development, and maintain the requirements over time.

Implementation examples:
  • Define a policy that specifies the security requirements the organization's software must meet, including secure coding practices for developers to follow.
  • Define a policy that specifies software architecture requirements, such as making code modular to facilitate reuse and updates, and isolating security functionality from other functionality during execution.
  • Define a policy for securing the development infrastructure, such as developer workstations and code repositories.
  • Ensure that policies cover the entire software life cycle, including how long the software is to be supported and its end-of-life date.
  • Use a set of well-known security requirements as a structure or lexicon for defining the organization's requirements; this set can map to third-party security requirements that the organization also needs to comply with.
  • Review and update the requirements after each vulnerability response event.
  • Review all security requirements periodically (at least once a year).
  • Promptly review new external requirements and update existing ones.
  • Educate affected individuals on upcoming changes to the requirements.

References:
BSIMM10: CP1.1, CP1.3, SR1.1
BSA: SC.1-1, SC.2, PD.1-1, PD.1-2, PD.1-3, PD.2-2
ISO27034: 7.3.2
MSSDL: Practice 2
NISTCSF: ID.GV-3
OWASPTEST: Phase 2.1
PCISSLRAP: 2.1
SAMM15: PC1-A, PC1-B, PC2-A, SR1-A, SR1-B, SR2-B
SCFPSSD: Planning the Implementation and Deployment of Secure Development Practices; Establish Coding Standards and Conventions
SP80053: SA-15
SP800160: 3.1.2, 3.3.1, 3.4.2, 3.4.3
SP800181: T0414; K0003, K0039, K0044, K0157, K0168, K0177, K0211, K0260, K0261, K0262, K0524; S0010, S0357, S0368; A0033, A0123, A0151



Implement roles and responsibilities (PO.2): Ensure that everyone inside and outside the organization involved in the SDLC is prepared to perform their SSDF-related roles and responsibilities throughout the SDLC.

PO.2.1: Create new roles and alter the responsibilities of existing roles as needed to encompass all parts of the SSDF. Periodically review the defined roles and responsibilities, and update them as needed.

Implementation examples:
  • Define SSDF-related roles and responsibilities for all members of the software development team.
  • Integrate security roles into the software development team.
  • Define roles and responsibilities for all parties involved in the SDLC: security teams, security champions, project managers and leads, senior management, software developers, software testers/quality assurance personnel, product owners, and other relevant personnel.
  • Review all roles and responsibilities annually.
  • Educate affected individuals on upcoming changes to roles and responsibilities.

References:
BSA: PD.2-1, PD.2-2
BSIMM10: CP3.2, SM1.1
NISTCSF: ID.AM-6, ID.GV-2
PCISSLRAP: 1.2
SCSIC: Vendor Software Development Integrity Controls
SP80053: SA-3
SP800160: 3.2.1, 3.2.4, 3.3.1
SP800181: K0233

PO.2.2: Provide role-specific training for all personnel with responsibilities that contribute to secure development. Periodically review the role-specific training and update it as needed.

Implementation examples:
  • Document the desired outcomes of training for each role.
  • Define the type of training or curriculum required to achieve the desired outcomes for each role.
  • Acquire or create training for each role; acquired training may need to be customized for the organization.

References:
BSA: PD.2-2
BSIMM10: CP2.5, SM1.3, T1.1, T1.5, T1.7, T2.6, T2.8, T3.2, T3.4
MSSDL: Practice 1
NISTCSF: PR.AT-*
PCISSLRAP: 1.3
SAMM15: EG1-A, EG2-A
SCAGILE: Operational Security Tasks 14, 15; Tasks Requiring the Help of Security Experts 1
SCFPSSD: Planning the Implementation and Deployment of Secure Development Practices
SCSIC: Vendor Software Development Integrity Controls
SP80053: SA-8
SP800160: 3.2.4
SP800181: OV-TEA-001, OV-TEA-002; T0030, T0073, T0320; K0204, K0208, K0220, K0226, K0243, K0245, K0252; S0100, S0101; A0004, A0057

PO.2.3: Obtain upper management commitment to secure development, and convey that commitment to all personnel with SSDF-related roles and responsibilities.

Implementation examples:
  • Increase upper management's awareness of the importance of secure development.
  • Assist upper management in incorporating support for secure development into their communications with personnel who have SSDF-related roles and responsibilities.
  • Educate all personnel with SSDF-related roles and responsibilities on the importance of the secure development framework and on upper management's commitment to secure development.

References:
BSIMM10: SM1.2, SM1.3
PCISSLRAP: 1.1
SAMM15: SM1.A
SP800181: T0001, T0004

Implement a supporting toolchain (PO.3): Use automation to reduce the human effort needed and to improve the accuracy, consistency, and comprehensiveness of security practices throughout the SDLC, as well as to provide a way to document and demonstrate the use of these practices. Toolchains and tools may be used at different levels of the organization, such as organization-wide or project-specific.

PO.3.1: Specify which tools or tool types are to be included in each toolchain and which are mandatory, as well as how the toolchain components are to be integrated with each other.

Implementation examples:
  • Define categories of toolchains, and specify the mandatory tools or tool types to be used for each category.
  • Identify security tools to integrate into the developer toolchain.
  • Use automated technology for toolchain management and orchestration.

References:
BSA: TC.1, TC.1-1, TC.1-2
MSSDL: Practice 8
SCAGILE: Tasks Requiring the Help of Security Experts 9
SP80053: SA-15
SP800181: K0013, K0178

PO.3.2: Follow recommended security practices in deploying and configuring tools, integrating them into the toolchain, and maintaining the individual tools and the toolchain as a whole.

Implementation examples:
  • Evaluate, select, and acquire tools, and assess the security of each tool.
  • Integrate tools with other tools and with existing software development processes and workflows.
  • Update, upgrade, or replace existing tools.
  • Monitor tools and tool logs for potential operational and security issues.

References:
BSA: TC.1-1, TC.1-6
SCAGILE: Tasks Requiring the Help of Security Experts 9
SP80053: SA-15
SP800181: K0013, K0178


PO.3.3: Configure tools to generate evidence and artifacts of their support for secure software development practices.

Implementation examples:
  • Use the organization's existing workflow or issue tracking system to create an audit trail of secure development-related actions.
  • Determine how frequently to collect the information for auditing, and implement the audit.

References:
BSA: PD.1-6
MSSDL: Practice 8
PCISSLRAP: 2.5
SCAGILE: Tasks Requiring the Help of Security Experts 9
SP80053: SA-15
SP800181: K0013


Define criteria for software security checks (PO.4): Help ensure that the software resulting from the SDLC meets the organization's expectations by defining criteria for checking the software's security during development.

PO.4.1: Define criteria for software security checks throughout the SDLC.

Implementation examples:
  • Ensure that the criteria adequately indicate how effectively security risk is being managed.
  • Define key performance indicators (KPIs) for software security.
  • Add software security criteria to existing checks (e.g., the Definition of Done in agile SDLC methodologies).
  • Review the artifacts generated as part of the software development workflow system to determine whether they meet the criteria.
  • Record security check approvals, rejections, and exception requests as part of the workflow and tracking system.

References:
BSA: TV.2-1, TV.5-1
BSIMM10: SM1.4, SM2.2
ISO27034: 7.3.5
MSSDL: Practice 3
OWASPTEST: Phase 1.3
SAMM15: DR3-B, IR3-B, PC3-A, ST3-B
SP80053: SA-15
SP800160: 3.2.1, 3.2.5, 3.3.1
SP800181: K0153, K0165

PO.4.2: Implement processes, mechanisms, etc. to gather the information needed to support the criteria.

Implementation examples:
  • Use the toolchain to automatically gather information that informs security decision-making.
  • Deploy additional tools if needed to support the generation and collection of information supporting the criteria.
  • Automate decision-making processes using the criteria.

References:
BSA: PD.1-6
BSIMM10: SM1.4, SM2.2
SP80053: SA-15
SP800160: 3.3.7
SP800181: T0349; K0153
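As an added illustration of the automated decision-making PO.4.2 calls for (example code written for this page, not from the NIST paper or from any of the referenced frameworks), the Go program below evaluates a release candidate against a checkpoint policy and emits the approval, rejection and exception records that PO.4.1 wants in the workflow and tracking system. The findings, the exception register, the severity policy in DefaultCriteria and the dates are all constructed assumptions; a real pipeline would read findings from the scanners' output and exceptions from the tracking system.

```go
package main

import (
	"fmt"
	"time"
)

// Finding is what a scanner in the toolchain reports. These are constructed
// in-memory values, not parsed from any real SAST/SCA output format.
type Finding struct {
	ID       string
	Tool     string
	Severity string // "critical", "high", "medium" or "low"
}

// Exception is an approved, time-limited waiver for one finding, as it would
// be recorded in the workflow or issue tracking system.
type Exception struct {
	FindingID  string
	ApprovedBy string
	Expires    time.Time
}

// Criteria is the checkpoint definition: severities that always block a
// release, and severities that block unless an unexpired exception exists.
type Criteria struct {
	AlwaysBlock       map[string]bool
	BlockUnlessWaived map[string]bool
}

// Decision is the gate verdict plus the audit-trail lines (approvals,
// rejections and exception use) that PO.4.1 asks to record.
type Decision struct {
	Pass   bool
	Record []string
}

// DefaultCriteria is an assumed policy: critical findings can never be
// waived, high findings need an approved and unexpired exception.
func DefaultCriteria() Criteria {
	return Criteria{
		AlwaysBlock:       map[string]bool{"critical": true},
		BlockUnlessWaived: map[string]bool{"high": true},
	}
}

// EvaluateGate applies the criteria to the findings at time now. Every
// finding produces one record line so the decision can be audited later.
func EvaluateGate(c Criteria, findings []Finding, exceptions []Exception, now time.Time) Decision {
	waivers := make(map[string]Exception, len(exceptions))
	for _, e := range exceptions {
		waivers[e.FindingID] = e
	}
	d := Decision{Pass: true}
	for _, f := range findings {
		tag := fmt.Sprintf("%s (%s, %s)", f.ID, f.Tool, f.Severity)
		switch {
		case c.AlwaysBlock[f.Severity]:
			d.Pass = false
			d.Record = append(d.Record, "REJECT "+tag+": severity cannot be waived")
		case c.BlockUnlessWaived[f.Severity]:
			e, ok := waivers[f.ID]
			switch {
			case !ok:
				d.Pass = false
				d.Record = append(d.Record, "REJECT "+tag+": no approved exception")
			case !now.Before(e.Expires): // expiry is checked, not just presence
				d.Pass = false
				d.Record = append(d.Record, fmt.Sprintf("REJECT %s: exception by %s expired on %s",
					tag, e.ApprovedBy, e.Expires.Format("2006-01-02")))
			default:
				d.Record = append(d.Record, fmt.Sprintf("WAIVED %s: exception by %s valid until %s",
					tag, e.ApprovedBy, e.Expires.Format("2006-01-02")))
			}
		default:
			d.Record = append(d.Record, "NOTE "+tag+": below gate threshold, tracked only")
		}
	}
	verdict := "APPROVE"
	if !d.Pass {
		verdict = "REJECT"
	}
	d.Record = append(d.Record, fmt.Sprintf("%s release candidate at %s", verdict, now.Format("2006-01-02")))
	return d
}

// SampleRuns evaluates two constructed release candidates: one that must be
// rejected (a critical finding plus an expired exception) and one that passes
// on a valid exception. Results are returned so they can be checked, not just printed.
func SampleRuns() (rejected, approved Decision) {
	now := time.Date(2020, 4, 23, 0, 0, 0, 0, time.UTC)
	exceptions := []Exception{
		{FindingID: "SAST-0102", ApprovedBy: "appsec-lead", Expires: now.AddDate(0, 1, 0)},
		{FindingID: "SCA-0077", ApprovedBy: "appsec-lead", Expires: now.AddDate(0, -1, 0)},
	}
	rejected = EvaluateGate(DefaultCriteria(), []Finding{
		{"SAST-0101", "sast", "critical"},
		{"SAST-0102", "sast", "high"},
		{"SCA-0077", "sca", "high"},
		{"SAST-0103", "sast", "medium"},
	}, exceptions, now)
	approved = EvaluateGate(DefaultCriteria(), []Finding{
		{"SAST-0102", "sast", "high"},
		{"SAST-0103", "sast", "medium"},
	}, exceptions, now)
	return rejected, approved
}

func main() {
	rejected, approved := SampleRuns()
	fmt.Println(rejected.Pass, rejected.Record)
	fmt.Println(approved.Pass, approved.Record)
}
```

The detail worth copying is the expiry check: an exception that exists but has lapsed is treated as no exception at all, so a waiver granted for one sprint cannot silently carry a high-severity finding through later releases.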



Protect the Software (PS)

Protect all forms of code from unauthorized access and tampering (PS.1): Help prevent unauthorized changes to code, whether inadvertent or intentional, which could circumvent or negate the intended security characteristics of the software. For code that is not intended to be publicly accessible, this also helps prevent theft of the software and can make it more difficult or time-consuming for attackers to find vulnerabilities in it.

PS.1.1: Store all forms of code, including source code and executable code, based on the principle of least privilege, so that only authorized personnel, tools, and services have the necessary forms of access.

Implementation examples:
  • Store all source code in a code repository, and restrict access to it based on the nature of the code. For example, some code may be intended for public access, in which case its integrity and availability should be protected; other code also needs its confidentiality protected.
  • Use the version control features of the repository to track all changes made to the code, with accountability to the individual developer account.
  • Review and approve all changes made to the code.
  • Use code signing to help protect the integrity and provenance of executables.
  • Use cryptography (e.g., cryptographic hashes) to help protect file integrity.
  • Create and maintain a software bill of materials (SBOM) for each software package produced.

References:
BSA: IA.1, IA.2-2, SM.4-1
IDASOAR: Fact Sheet 25
NISTCSF: PR.AC-4
OWASPASVS: 1.10, 10.3.2, 14.2
PCISSLRAP: 6.1
SCSIC: Vendor Software Delivery Integrity Controls, Vendor Software Development Integrity Controls


Provide a mechanism for verifying software release integrity (PS.2): Help software consumers ensure that the software they acquire is legitimate and has not been tampered with.

PS.2.1: Make verification information available to software consumers.

Implementation examples:
  • Post cryptographic hashes for release files on a well-secured website.
  • Use an established certificate authority (CA) for code signing, so that consumers can confirm the validity of signatures.
  • Periodically review the code signing processes, including certificate renewal and protection.

References:
BSA: SM.4.2, SM.4.3, SM.5.1, SM.6.1
BSIMM10: SE2.4
NISTCSF: PR.DS-6
PCISSLRAP: 6.2
SAMM15: OE3-B
SCSIC: Vendor Software Delivery Integrity Controls
SP800181: K0178
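The following Go program is an added example, not code from the NIST paper, showing the mechanism that PS.1.1 (code signing and cryptographic hashes) and PS.2.1 (verification information for consumers) describe: the producer hashes every release file into a manifest, signs the manifest, and publishes both; the consumer verifies the signature and then every digest. The same manifest and signature are the release integrity verification information that PS.3.1 says to archive with each release. Ed25519 with a freshly generated key stands in for a CA-issued code-signing certificate, secure distribution of the public key to consumers is assumed, and the file contents are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Release is a set of files keyed by path. The contents used below are
// constructed sample bytes standing in for real build outputs.
type Release map[string][]byte

// NewProducerKey generates the producer's Ed25519 signing key pair. In a
// real pipeline the private key lives in an HSM or signing service and the
// public key (or a CA-issued certificate) is what consumers obtain.
func NewProducerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildManifest produces the text a producer publishes next to a release:
// one "sha256  path" line per file, sorted so the output is deterministic.
func BuildManifest(rel Release) string {
	paths := make([]string, 0, len(rel))
	for p := range rel {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(rel[p])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), p)
	}
	return b.String()
}

// SignManifest signs the manifest with the producer's private key. Signing
// the manifest rather than each file covers every digest with one signature.
func SignManifest(priv ed25519.PrivateKey, manifest string) []byte {
	return ed25519.Sign(priv, []byte(manifest))
}

// VerifyRelease is the consumer-side check: the signature must verify under
// the producer's public key, every file listed in the manifest must be
// present with a matching digest, and no unlisted file may be present.
func VerifyRelease(pub ed25519.PublicKey, manifest string, sig []byte, got Release) error {
	if !ed25519.Verify(pub, []byte(manifest), sig) {
		return errors.New("manifest signature invalid")
	}
	expected := make(map[string]string)
	for _, line := range strings.Split(strings.TrimSpace(manifest), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		expected[fields[1]] = fields[0]
	}
	for path, want := range expected {
		data, ok := got[path]
		if !ok {
			return fmt.Errorf("%s: listed in manifest but missing", path)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%s: digest mismatch", path)
		}
	}
	for path := range got {
		if _, ok := expected[path]; !ok {
			return fmt.Errorf("%s: present but not listed in manifest", path)
		}
	}
	return nil
}

func main() {
	pub, priv := NewProducerKey()
	release := Release{
		"bin/app":    []byte("constructed binary contents v1.2.0"),
		"README.txt": []byte("constructed release notes"),
	}
	manifest := BuildManifest(release)
	sig := SignManifest(priv, manifest)
	fmt.Println("genuine release:", VerifyRelease(pub, manifest, sig, release))

	tampered := Release{
		"bin/app":    []byte("constructed binary contents v1.2.0 plus backdoor"),
		"README.txt": release["README.txt"],
	}
	fmt.Println("tampered file:", VerifyRelease(pub, manifest, sig, tampered))
	// Rewriting the manifest to match the tampered file does not help the
	// attacker: the signature no longer covers the new manifest.
	fmt.Println("tampered manifest:", VerifyRelease(pub, BuildManifest(tampered), sig, tampered))
}
```

Two failure modes are exercised in main: a modified file fails its digest check, and an attacker who also rewrites the manifest fails the signature check. The verifier additionally rejects files that are not listed in the manifest, so an extra file cannot be slipped into a release directory alongside genuine ones.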

Archive and protect each software release (PS.3): Help identify, analyze, and eliminate vulnerabilities discovered in the software after release.

PS.3.1: Securely archive a copy of each release and all of its components (e.g., code, package files, third-party libraries, documentation), together with its release integrity verification information.

Implementation examples:
  • Store all release files in a repository, and restrict access to them.

References:
BSA: PD.1-6
IDASOAR: Fact Sheet 25
NISTCSF: PR.IP-4
PCISSLRAP: 5.2, 6.2
SCSIC: Vendor Software Delivery Integrity Controls
SP80053: SA-15



Produce Well-Secured Software (PW)

Design software to meet security requirements and mitigate security risks (PW.1): Identify and evaluate the security requirements for the software's design; determine what security risks the software is likely to face during production operation and how those risks should be mitigated by the software's design; and justify any cases where a risk-based decision indicates that security requirements should be relaxed or waived. Addressing security requirements and risks during software design (secure by design) helps make software development more efficient.

PW.1.1: Use risk modeling, such as threat modeling, attack modeling, or attack surface mapping, to help assess the security risks to the software.

Implementation examples:
  • Train the development team (security champions in particular) or collaborate with threat modeling experts to create threat models and attack models, and analyze how to use a risk-based approach to address the risks and implement mitigations.
  • Perform more rigorous assessments for high-risk areas, such as protecting sensitive data and safeguarding identification, authentication, and access control, including credential management.
  • Review vulnerability reports and statistics for previous software.

References:
BSA: SC.1-3, SC.1-4
BSIMM10: AM1.3, AM1.5, AM2.1, AM2.2, AM2.5, AM2.6, AM2.7
IDASOAR: Fact Sheet 1
ISO27034: 7.3.3
MSSDL: Practice 4
NISTCSF: ID.RA-*
OWASPASVS: 1.1.2, 1.2, 1.4, 1.6, 1.8, 1.9, 1.11, 2, 3, 4, 6, 8, 9, 11, 12, 13
OWASPTEST: Phase 2.4
PCISSLRAP: 3.2
SAMM15: DR1-A, TA1-A, TA1-B, TA3-B
SCAGILE: Tasks Requiring the Help of Security Experts 3
SCFPSSD: Threat Modeling
SCTTM: Entire guide
SP80053: SA-8, SA-15, SA-17
SP800160: 3.3.4, 3.4.5
SP800181: T0038, T0062, T0236; K0005, K0009, K0038, K0039, K0070, K0080, K0119, K0147, K0149, K0151, K0152, K0160, K0161, K0162, K0165, K0297, K0310, K034

Review the software design to verify compliance with security requirements and risk information (PW.2): Help ensure that the software will meet the security requirements and satisfactorily address the identified risk information.

PW.2.1: Have a qualified person who was not involved in the software design review it to confirm that it meets all the security requirements and satisfactorily addresses the identified risk information.

Implementation examples:
  • Review the software design to confirm that it addresses all security requirements.
  • Review the risk models created during software design to determine whether they appear to adequately identify the risks.
  • Review the software design to confirm that it satisfactorily addresses the risks identified by the risk models.
  • Have the software's designers correct failures to meet the requirements.
  • Change the design and/or the risk response strategy if the security requirements cannot be met.

References:
BSA: TV.3, TV.3-1, TV.5
BSIMM10: AA1.2, AA2.1
ISO27034: 7.3.3
OWASPTEST: Phase 2.2
SAMM15: DR1-A, DR1-B
SP800181: T0328; K0038, K0039, K0070, K0080, K0119, K0152, K0153, K0161, K0165, K0172, K0297; S0006, S0009, S0022, S0036, S0141, S0171


Verify that third-party software complies with security requirements (PW.3): Reduce the risk associated with using acquired software modules and services, which are potential sources of additional vulnerabilities.

PW.3.1: Communicate requirements to third parties who may provide software modules and services to the organization for reuse by the organization's own software.

Implementation examples:
  • Define a core set of security requirements, and include it in acquisition documents, software contracts, and other agreements with third parties.
  • Define security-related criteria for selecting commercial and open-source software.
  • Require the providers of commercial software modules and services to provide evidence that their products and services comply with the organization's security requirements.
  • Establish and follow processes to address risk when third-party software modules and services do not meet the security requirements.

References:
BSA: SM.1, SM.2, SM.2-1, SM.2.4
BSIMM10: CP2.4, SR2.5, SR3.2
IDASOAR: Fact Sheets 19, 21
MSSDL: Practice 7
SAMM15: SR3-A
SCFPSSD: Manage Security Risk Inherent in the Use of Third-Party Components
SCSIC: Vendor Sourcing Integrity Controls
SP80053: SA-4, SA-12
SP800160: 3.1.1, 3.1.2
SP800181: T0203, T0415; K0039; S0374; A0056, A0161

PW.3.2:Verify business in a suitable way、Open source、All third-party software modules and services meet the requirements。

(sdlc model for website development).View in software,Is there publicly known?、Manufacturers have not been repaired vulnerabilities。

.Ensure that each software and module still get active maintenance,Should include software that is being repaired and discovered new vulnerabilities。

.Third-party software and service formulation plan for no longer maintenance or future unavailable。

(sdlc model for website development).Use the commercial service,Carefully check the software modules and services。

.[refer toInspect/Or analyze artificial readable code,Discover vulnerability,Verify that conformity needs(PW.7)]

.[refer toTest executable code,Discover vulnerability,Verify that conformity needs(PW.8)]

BSA: SC.3-1, TV.2

IDASOAR: Fact Sheet 21

MSSDL: Practice 7

OWASPASVS: 10, 14.2

PCISSLRAP: 4.1

SCAGILE: Tasks Requiring the Help of Security Experts 8

SCFPSSD: Manage Security Risk Inherent in the Use of Third-Party Components

SCSIC: Vendor Sourcing Integrity Controls

SCTPC: 3.2.2

SP80053: SA-12

(sdlc model for website development)SP800160: 3.1.2, 3.3.8

SP800181: SP-DEV-002; K0153, K0266

[See (PW.7)]

[See (PW.8)]


Practice: Reuse existing, well-secured software when feasible instead of duplicating functionality (PW.4). Lowers the cost of software development, speeds up development, and reduces the likelihood of introducing additional vulnerabilities. This is especially true for software that implements security functionality, such as cryptographic modules and protocols.

Task PW.4.1: Acquire well-secured components (e.g., software libraries, modules, middleware, frameworks) from third parties for use by the organization's software.

Examples:
- Review and evaluate third-party software according to its expected use. If it will be used in a significantly different way in the future, remember to review and evaluate it again in the new context.
- Establish an organization-wide software repository of approved and carefully reviewed open-source components.
- Organization-approved commercial software components and versions.
- Specify the components that must be included in the software to be developed.

References:
BSA: SM.2, SM.2.1
IDASOAR: Fact Sheet 19
MSSDL: Practice 6
SAMM15: SA1-A
SCTPC: 3.2.1
SP80053: SA-12
SP800181: K0039

Task PW.4.2: When third-party components cannot meet the needs, create well-secured software components in-house following the SDLC process, to meet common internal software development needs.

Examples:
- Follow the organization's established secure development practices.
- Maintain an organization-wide software repository for these components.
- Specify the components that must be included in the software to be developed.

References:
BSIMM10: SFD1.1, SFD2.1
IDASOAR: Fact Sheet 19
OWASPASVS: 10
SP800181: SP-DEV-001

Task PW.4.3: Where appropriate, build in support for standardized security features and services (e.g., integration with log management, identity management, access control, and vulnerability management systems) instead of creating proprietary security features and services.

Examples:
- Maintain an organization-wide software repository of modules that support standardized security features and services.
- Specify the components that must be included in the software to be developed.

References:
BSA: SI.2, EN.1-1, LO.1
MSSDL: Practice 5
OWASPASVS: 1.1.6
SCFPSSD: Establish Log Requirements and Audit Practices


Practice: Create source code adhering to secure coding practices (PW.5). Reduces the number of security vulnerabilities in the software, and reduces costs by eliminating vulnerabilities while the source code is being written.

Task PW.5.1: Follow all secure coding practices that are appropriate to the development languages and environment.

Examples:
- Validate all inputs, and validate and properly encode all output.
- Avoid using unsafe functions and calls.
- Depending on
- Provide logging and tracing capabilities.
- Use development environments that encourage or require secure coding practices.
- Follow procedures for manually ensuring compliance with secure coding practices.
- Check for other vulnerabilities that are common to the development languages and environment.

References:
BSA: SC.2, SC.4, SC.3, SC.3-2, EE.1, EE.1.2, EE.2, LO.1
IDASOAR: Fact Sheet 2
ISO27034: 7.3.5
MSSDL: Practice 9
OWASPASVS: 1.5, 1.7, 5, 7
SCFPSSD: Establish Log Requirements and Audit Practices, Handle Data Safely, Handle Errors, Use Safe Functions Only
SP800181: SP-DEV-001; T0013, T0077, T0176; K0009, K0016, K0039, K0070, K0140, K0624; S0019, S0060, S0149, S0172, S0266; A0036, A0047

Task PW.5.2: Have developers review their own human-readable code, analyze their own human-readable code, and/or test their own executable code, to complement (not replace) the code review, analysis, and testing performed by others.

Examples:
- [See Review and/or analyze human-readable code to identify vulnerabilities and verify compliance with security requirements (PW.7)]
- [See Test executable code to identify vulnerabilities and verify compliance with security requirements (PW.8)]

References:
[See (PW.7)]
[See (PW.8)]


Practice: Configure the compilation and build processes to improve executable security (PW.6). Reduces the number of security vulnerabilities in the software, and reduces costs by eliminating vulnerabilities before testing occurs.

Task PW.6.1: Use compiler and build tools that offer features to improve executable security.

Examples:
- Use up-to-date versions of compiler and build tools.
- Verify the integrity and availability of compiler and build tools.

References:
BSA: TC.1-1, TC.1-3, TC.1-4, TC.1-5
MSSDL: Practice 8
SCAGILE: Operational Security Task 3
SCFPSSD: Use Current Compiler and Toolchain Versions and Secure Compiler Options
SCSIC: Vendor Software Development Integrity Controls

Task PW.6.2: Determine which compiler and build tool features should be used and how each should be configured, then implement the approved configuration in the compilation and build tools and processes.

Examples:
- Enable compiler features that produce warnings for poorly secured code during compilation.
- Implement the "clean build" concept, in which all compiler warnings are treated as errors and must be eliminated.
- Use compiler features that randomize characteristics such as memory addressing, which would otherwise be easy to predict and exploit.
- Conduct testing to ensure that the features work as expected and do not inhibit operations or cause other problems.
- Verify the approved configuration in the compilation and build tools and processes.
- Document the compiler and build tool configuration information in a knowledge base that developers can access and search.

References:
BSA: TC.1, TC.1-3, TC.1-4, TC.1-5
OWASPASVS: 1.14.3, 1.14.4, 14.1
SCAGILE: Operational Security Task 8
SCFPSSD: Use Current Compiler and Toolchain Versions and Secure Compiler Options
SCSIC: Vendor Software Development Integrity Controls
SP800181: K0039, K0070


Practice: Review and/or analyze human-readable code to identify vulnerabilities and verify compliance with security requirements (PW.7). Helps identify vulnerabilities so that they can be corrected before the software is released, preventing exploitation. Using automated methods lowers the effort and resources needed to detect vulnerabilities. Human-readable code includes source code and any other form of code.

Task PW.7.1: Determine whether to use code review (a person looks directly at the code to find issues) and/or code analysis (tools are used to find issues in the code, either fully automated or in conjunction with a person).

Examples:
- Follow the organization's policies or guidelines for when code review should be performed and how it should be conducted. This includes third-party code and reusable in-house code modules.
- Follow the organization's policies or guidelines for when code analysis should be performed and how it should be conducted.

References:
SCSIC: Peer Reviews and Security Testing
SP80053: SA-11
SP800181: SP-DEV-002; K0013, K0039, K0070, K0153, K0165; S0174

Task PW.7.2: Perform the code review and/or code analysis based on the organization's secure coding standards, and document and triage all discovered issues and recommended remediations in the development team's workflow or issue tracking system.

Examples:
- Perform peer review of code, and review any existing code review, analysis, or testing results.
- Use peer review to check code for backdoors and other malicious content.
- Use peer review tools to speed up the process and to record all discussions and feedback.
- Use static analysis tools to automatically check code for vulnerabilities and for compliance with the organization's secure coding requirements, and remediate as needed.
- Use checklists to verify that the code complies with the requirements.
- Continuously use automated tools to identify and remediate validated insecure software practices as human-readable code is checked into the code repository.
- Identify and document the root cause of each discovered issue.
- Document lessons learned from code review and analysis in a knowledge base that developers can access and search.

References:
BSA: PD.1-5, TV.2, TV.3
BSIMM10: CR1.2, CR1.4, CR1.6, CR2.6, CR2.7
IDASOAR: Fact Sheets 3, 4, 5, 14, 15, 48
ISO27034: 7.3.6
MSSDL: Practices 9, 10
OWASPASVS: 1.1.7, 10
OWASPTEST: Phase 3.2, Phase 4.1
PCISSLRAP: 4.1
SAMM15: IR1-B, IR2-A, IR2-B
SCAGILE: Operational Security Tasks 4, 7
SCFPSSD: Use Code Analysis Tools to Find Security Issues Early, Use Static Analysis Security Testing Tools, Perform Manual Verification of Security Features/Mitigations
SCSIC: Peer Reviews and Security Testing
SP80053: SA-11, SA-15
SP800181: SP-DEV-001, SP-DEV-002; T0013, T0111, T0176, T0267, T0516; K0009, K0039, K0070, K0140, K0624; S0019, S0060, S0078, S0137, S0149, S0167, S0174, S0242, S0266; A0007, A0015, A0036, A0044, A0047


Practice: Test executable code to identify vulnerabilities and verify compliance with security requirements (PW.8). Helps identify vulnerabilities so that they can be corrected before the software is released, preventing exploitation. Using automated methods lowers the effort and resources needed to detect vulnerabilities. Executable code includes binaries, directly executed bytecode, directly executed source code, and any other form of code the organization considers executable.

Task PW.8.1: Determine whether executable code testing should be performed and, if so, which types should be used.

Examples:
- Follow the organization's policies or guidelines for when code testing should be performed and how it should be conducted. This includes third-party executable code and executable code written by the organization itself.

References:
BSA: TV.3
SCSIC: Peer Reviews and Security Testing
SP80053: SA-11
SP800181: SP-DEV-001, SP-DEV-002; T0456; K0013, K0039, K0070, K0153, K0165, K0342, K0367, K0536, K0624; S0001, S0015, S0026, S0061, S0083, S0112, S0135

Task PW.8.2: Design the tests, perform the testing, and document the results.

Examples:
- Perform testing of security functionality and robustness testing.
- Integrate dynamic vulnerability testing into the project's automated test suite.
- Include previously reported vulnerabilities in the project's automated test suite to ensure that the problems are not reintroduced.
- Use automated fuzz testing tools to find issues with input handling.
- If resources are available, use penetration testing to simulate how an attacker might attempt to compromise the software in high-risk scenarios.
- Identify and document the root cause of each discovered issue.
- Document lessons learned from code testing in a knowledge base that developers can access and search.

References:
BSA: PD.1-5, TV.3, TV.5, TV.5-2
BSIMM10: PT1.1, PT1.2, PT1.3, ST1.1, ST1.3, ST2.1, ST2.4, ST2.5, ST2.6, ST3.3, ST3.4
IDASOAR: Fact Sheets 7, 8, 10, 11, 38, 39, 43, 44, 48, 55, 56, 57
ISO27034: 7.3.6
MSSDL: Practice 11
PCISSLRAP: 4.1
SAMM15: ST1-B, ST2-A, ST2-B
SCAGILE: Operational Security Tasks 10, 11; Tasks Requiring the Help of Security Experts 4, 6, 7
SCFPSSD: Perform Dynamic Analysis Security Testing, Fuzz Parsers, Network Vulnerability Scanning, Perform Automated Functional Testing of Security Features/Mitigations, Perform Penetration Testing
SCSIC: Peer Reviews and Security Testing
SP80053: SA-11, SA-15
SP800181: SP-DEV-001, SP-DEV-002; T0013, T0028, T0169, T0176, T0253, T0266, T0456, T0516; K0009, K0039, K0070, K0272, K0339, K0342, K0362, K0536, K0624; S0001, S0015, S0046, S0051, S0078, S0081, S0083, S0135, S0137, S0167, S0242; A0015
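Two of the practices above map directly onto code: PW.5.1 (validate all inputs, avoid unsafe functions, log what was rejected) and PW.8.2 (keep previously reported defects in the automated test suite so they cannot return). The C program below is an added example, not code from the SSDF or from this page's author; the username policy (1 to 16 ASCII letters, digits or underscores), the hypothetical "previously reported" 17-byte overflow, and all test inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed policy: a username is 1..USERNAME_MAX bytes of ASCII letters,
 * digits or '_'. Build with warnings as errors (gcc -Wall -Wextra -Werror),
 * the "clean build" idea from PW.6.2. */
#define USERNAME_MAX 16

enum validation_result { VALID = 0, ERR_EMPTY, ERR_TOO_LONG, ERR_BAD_CHAR };

/* "Before" form, the defect class PW.5.1 warns about: unbounded copy and no
 * character policy. Shown for contrast only; it is never called here. */
void copy_username_unsafe(char *dst, const char *src) {
    strcpy(dst, src);   /* overflows dst when src is longer than dst */
}

/* Hardened form: bounded scan, explicit allow-list, reject rather than
 * truncate, and a log line that does not echo the rejected bytes. */
enum validation_result validate_username(const char *src, char *dst, size_t dst_size) {
    size_t len = 0;
    if (dst_size == 0)
        return ERR_TOO_LONG;
    dst[0] = '\0';                       /* dst is always NUL-terminated */
    if (src == NULL || src[0] == '\0')
        return ERR_EMPTY;
    while (len <= USERNAME_MAX && src[len] != '\0')   /* reads at most 17 bytes */
        len++;
    if (len > USERNAME_MAX || len + 1 > dst_size) {
        fprintf(stderr, "username rejected: too long\n");
        return ERR_TOO_LONG;
    }
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_';
        if (!ok) {
            fprintf(stderr, "username rejected: bad byte at offset %zu\n", i);
            return ERR_BAD_CHAR;
        }
    }
    memcpy(dst, src, len + 1);           /* len + 1 <= dst_size was checked */
    return VALID;
}

/* Convenience wrapper for callers that only need the verdict. */
int username_verdict(const char *src) {
    char tmp[USERNAME_MAX + 1];
    return (int)validate_username(src, tmp, sizeof tmp);
}

/* PW.8.2: previously reported issues stay in the automated test set so they
 * cannot be reintroduced. Returns the number of failing cases (0 = pass). */
int run_regression_tests(void) {
    /* Constructed cases; the 17-byte input is the "previously reported"
     * overflow that copy_username_unsafe() would have allowed. */
    static const struct { const char *in; enum validation_result want; } cases[] = {
        { "alice_01",             VALID        },
        { "",                     ERR_EMPTY    },
        { "aaaaaaaa" "aaaaaaaa",  VALID        },   /* exactly 16 bytes */
        { "aaaaaaaa" "aaaaaaaaa", ERR_TOO_LONG },   /* 17 bytes: one past */
        { "bob;drop",             ERR_BAD_CHAR },
        { "r\xC3\xA9sum\xC3\xA9", ERR_BAD_CHAR },   /* non-ASCII rejected */
    };
    int failures = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char out[USERNAME_MAX + 1];
        if (validate_username(cases[i].in, out, sizeof out) != cases[i].want) {
            fprintf(stderr, "regression case %zu failed\n", i);
            failures++;
        }
    }
    return failures;
}
```

Calling run_regression_tests() from the project's test suite (it returns 0 when every recorded case still passes) is the PW.8.2 practice in miniature.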


Practice: Configure the software to have secure settings by default (PW.9). Helps improve the security of the software at the time of installation, reducing the likelihood that the software will be deployed with weak security settings that put it at greater risk.

Task PW.9.1: Determine how to configure each setting that has an effect on security, so that the default settings are secure and do not weaken the security functions provided by the platform, network infrastructure, or services.

Examples:
- Conduct testing to ensure that the settings, including the default settings, are working as expected and are not inadvertently causing security weaknesses, operational issues, or other problems.

References:
BSA: CF.1, TC.1
IDASOAR: Fact Sheet 23
ISO27034: 7.3.5
OWASPTEST: Phase 4.2
SCAGILE: Tasks Requiring the Help of Security Experts 12
SCSIC: Vendor Software Delivery Integrity Controls, Vendor Software Development Integrity Controls
SP800181: SP-DEV-002; K0009, K0039, K0073, K0153, K0165, K0275, K0531; S0167

Task PW.9.2: Implement the default settings (or groups of default settings, if feasible), and document each setting for software administrators.

Examples:
- Verify that the approved software configuration is in place.
- Document the purpose of each setting, its default value, its security relevance, its potential operational impact, and its relationship to other settings.
- Document how each setting can be implemented by software administrators.

References:
IDASOAR: Fact Sheet 23
OWASPTEST: Phase 4.2
PCISSLRAP: 8.1, 8.2
SCAGILE: Tasks Requiring the Help of Security Experts 12
SCFPSSD: Verify Secure Configurations and Use of Platfor



Respond to Vulnerabilities (RV)


Practice: Identify and confirm vulnerabilities on an ongoing basis (RV.1). Helps ensure that vulnerabilities are identified more quickly so that they can be remediated more quickly, reducing the window of opportunity for attackers.

Task RV.1.1: Gather information from customers and public sources on potential vulnerabilities in the software and in any third-party components it uses, and investigate all credible reports.

Examples:
- Establish a vulnerability response program so that security researchers can easily learn about the procedure and report possible vulnerabilities.
- Monitor vulnerability databases, security mailing lists, and other sources of vulnerability reports, through manual or automated means.
- Use threat intelligence sources to better understand how vulnerabilities in general are being exploited.

References:
BSA: VM.1-3, VM.3
BSIMM10: CMVM1.2, CMVM3.4
PCISSLRAP: 3.4, 4.1, 9.1
SAMM15: IM1-A
SCAGILE: Operational Security Task 5
SCTPC: 3.2.4
SP800181: K0009, K0038, K0040, K0070, K0161, K0362; S0078

Task RV.1.2: Review, analyze, and/or test the software's code to identify or confirm the presence of previously undetected vulnerabilities.

Examples:
- Configure the toolchain to perform automated code analysis and testing on a regular basis.
- [See Review and/or analyze human-readable code to identify vulnerabilities and verify compliance with security requirements (PW.7)]
- [See Test executable code to identify vulnerabilities and verify compliance with security requirements (PW.8)]

References:
BSA: VM.1-2
ISO27034: 7.3.6
PCISSLRAP: 3.4, 4.1
SP800181: SP-DEV-002; K0009, K0039, K0153
[See (PW.7)]
[See (PW.8)]

Task RV.1.3: Have a team and process in place to handle the responses to vulnerability reports and incidents.

Examples:
- Establish a policy for addressing vulnerability disclosure and remediation, and implement the processes needed to support that policy.
- Have a Security Response Playbook for handling generic reported vulnerabilities, zero-day reports, exploited vulnerabilities, and major ongoing incidents involving multiple parties.

References:
BSA: VM.1-1, VM.2, VM.2-3
MSSDL: Practice 12
SAMM15: IM1-B, IM2-A, IM2-B
SCFPSSD: Vulnerability Response and Disclosure
SP800160: 3.3.8
SP800181: K0041, K0042, K0151, K0292, K0317; S0054; A0025


Practice: Assess, prioritize, and remediate vulnerabilities (RV.2). Helps ensure that vulnerabilities are remediated as quickly as possible, reducing the window of opportunity for attackers.

Task RV.2.1: Analyze each vulnerability to gather sufficient information to plan its remediation.

Examples:
- Use issue tracking software (existing software, if available) to record each vulnerability.
- Estimate how much effort would be required to remediate the vulnerability.
- Estimate the potential impact of the vulnerability.
- Estimate the resources that would be needed to weaponize the vulnerability, if this has not already been done.
- Estimate any other relevant factors for planning the vulnerability's remediation.

References:
BSA: VM.2, VM.2-1, VM.2-2
PCISSLRAP: 4.2
SCAGILE: Tasks Requiring the Help of Security Experts 10
SP80053: SA-10
SP800160: 3.3.8
SP800181: K0009, K0039, K0070, K0161, K0165; S0078

Task RV.2.2: Develop and implement a remediation plan for each vulnerability.

Examples:
- Make a risk-based decision for each vulnerability as to whether it will be remediated or otherwise addressed (e.g., risk acceptance, risk transfer).
- For vulnerabilities that are to be remediated, decide the priority of the fix.
- If the vulnerability will not be permanently resolved right away, decide how it can be temporarily mitigated until the long-term solution is in place, and add the temporary mitigation to the plan.

References:
BSA: VM.1-1, VM.2-3, VM.2-4
PCISSLRAP: 4.1, 4.2
SCAGILE: Operational Security Task 2
SCFPSSD: Fix the Vulnerability, Identify Mitigating Factors or Workarounds
SP800181: T0163, T0229, T0264; K0009, K0070


Practice: Analyze vulnerabilities to identify their root causes (RV.3). Helps reduce the frequency of vulnerabilities in the future.

Task RV.3.1: Analyze all identified vulnerabilities to determine the root cause of each vulnerability.

Examples:
- Record the root cause of each discovered issue.
- Record lessons learned from root cause analysis in a knowledge base that developers can access and search.

References:
BSA: VM.2-1
PCISSLRAP: 4.2
SAMM15: IM3-A
SP800181: T0047, K0009, K0039, K0070, K0343

Task RV.3.2: Analyze the root causes over time to identify patterns, such as a particular secure coding practice not being followed consistently.

Examples:
- Record lessons learned from root cause analysis in a knowledge base that developers can access and search.
- Add mechanisms to the toolchain to automatically detect similar instances in the future.

References:
BSA: VM.2-1, PD.1-3
MSSDLPG52: Phase Two: Design
PCISSLRAP: 4.2
SP800160: 3.3.8
SP800181: T0111, K0009, K0039, K0070, K0343

Task RV.3.3: Review the software for other instances of the reported problems and proactively fix them, rather than waiting for external reports.

Examples:
- [See Review and/or analyze human-readable code to identify vulnerabilities and verify compliance with security requirements (PW.7)]
- [See Create source code adhering to secure coding practices (PW.5)]

References:
BSA: VM.2
PCISSLRAP: 4.2
SP800181: SP-DEV-001, SP-DEV-002; K0009, K0039, K0070

Task RV.3.4: Review the SDLC process, and update it as needed to prevent (or reduce the likelihood of) similar root causes recurring.

Examples:
- Record lessons learned from root cause analysis in a knowledge base that developers can access and search.

References:
BSA: PD.1-3
BSIMM10: CMVM3.2
MSSDL: Practice 2
PCISSLRAP: 2.6, 4.2
SP800181: K0009, K0039, K0070

(End)

Source: 安全行者老霍
Original link: https://mp.weixin.qq.com/s/osdf3hZ-UW7TdtFcjS-dGw

Contact us if this infringes any rights.
