SDL+

Over the last decade, application security has evolved in leaps and bounds, with sophisticated tools and methodologies to carry out attacks, test for vulnerabilities and defend against potential attacks. Freely available resources have made it possible for script kiddies to carry out complex attacks. With almost every company across various sectors conducting its business over the Internet, protecting data and business operations has never been more important. Frequent breaches now make building secure software a high priority rather than treating security as an afterthought.

Many organizations rely solely on vulnerability scanners to build their application security profile. Not only do several gaping security holes escape the scanner, but countermeasures are rarely applied to the vulnerabilities that are actually detected. The number of false positives reported further adds several hours of validation effort. Other approaches include penetration testing and code review; defensive measures include deploying a web application firewall.

Challenge to developers:

The most efficient solution to managing one’s application security risk is to take security into consideration right from the very beginning of the software development process and ensure that security is built in at every phase of the adopted software development lifecycle (SDLC).

The challenge most development teams face is the absence of any tool that enables them to perform their role with maximum efficiency while guiding them in designing and developing secure software. There are several secure development methodologies that espouse best practices in software development, but these remain a theoretical exercise without any actionable output.

SDL+

SDL+ is a framework that enables building security into software at every stage of the SDLC, integrates seamlessly into the development workflow and facilitates collaboration between all stakeholders in the process, even those with little or no security experience. Furthermore, because SDL+ is methodology agnostic, it allows an organization to produce actionable output at each of the touch-points suggested by its chosen methodology, further emphasizing a collaborative effort towards secure software development.

Below are the various security touch-points that SDL+ incorporates in the various stages of a typical development workflow:

Requirements:

  • Using SDL+, a user can associate business requirements, risk classification and data elements with a project.
  • In the design phase, data elements are mapped to functional components that carry out operations on them. This helps the security team analyze data exposure and the security posture of high value targets.
  • The business requirements associated with a project are used to perform business impact analysis.
  • Risk classification enables management to prioritize their threat mitigation efforts.

Design:

  • With a feature-based, software-centric approach to threat modeling, an architect can design an application while SDL+ auto-generates threats with its Intelligent Threat Engine.
  • A comprehensive list of secure design and architecture guidelines and best practices gives the architect a reference for ensuring that security controls are in place. This checklist is an exhaustive collection of security guidelines which, if adhered to, can ensure that security controls have been put in place before any code is written and that the application has been built securely.
  • SDL+ allows building intelligence which can be reused by the design and development teams.

Development:

  • SDL+ provides the developer with resources to write secure code. It also provides guidelines on using industry accepted security enhanced APIs.
  • Abuse case modeling illustrates the threat and the means by which a specific component can be misused by an attacker along with the security controls which mitigate the impact of a threat.
  • It includes a comprehensive threat library drawing on well-known public databases, with countermeasures written to be understood by the developers themselves, as well as reusable code snippets. The threat library is customizable, allowing the organization to implement threat mitigation steps by whatever means it considers applicable to minimizing its risk.

Testing / Security Review:

  • Integration with static analysis and vulnerability management tools automates the security team’s efforts in verifying vulnerabilities.
  • The Threat Management Console helps review vulnerabilities in real time and verify whether they have been mitigated.
  • Automatic generation of attack trees helps in targeted testing.

Deployment:

  • Industry standard hardening checklists can be associated with infrastructure components to ensure that the technology stack on which the application is running has been secured.
  • The threat modeling interface can also be used to create an infrastructure threat model which helps auditors and the security team perform testing on individual infrastructure components.

Additional Features:

  • SDL+ also provides a Threat Dashboard for executives to analyze their application security risks and prioritize their mitigation efforts.
  • An easily navigable threat management console enables the security team to collaborate with the development teams to validate threats. Secure Design and Architecture guidelines help audit the architecture for implementation of security controls.
  • The report generation framework allows generation of reports based on:
    • Top Ten threats / Vulnerabilities
    • Risk Profile
  • SDL+ is scalable and can be integrated into software development processes such as AGILE, where the reusable component library complements the AGILE methodology. This can further be extended to build reusable templates based on the type of application and the business functionality it caters to.
  • SDL+ includes a comprehensive library of threats, including the MITRE CAPEC library and other open vulnerability databases such as WASC and OWASP, as well as research at MyAppSecurity to cover the latest attack vectors that are not yet updated in other libraries. Mitigation steps provided include code snippets and references to:
    • OWASP Secure Coding Quick Reference Guide
    • OWASP Developer Guide
    • OWASP ESAPI
    • Microsoft Enterprise Library
    • Microsoft Anti-XSS Library
  • The SDL+ Intelligent Threat Engine dynamically generates threats and attack trees, and provides an organization-wide application risk profile.
  • Customizability is a key feature of SDL+. In addition to the exhaustive library provided, the security team can build their own library of threats, mitigation steps, components, etc. to tailor security to the organization.

The advantage of using SDL+ is that it is a framework that remains methodology and technology agnostic. This allows for seamless integration with any SDLC process (AGILE, Waterfall, RUP, etc.) and produces relevant and actionable results irrespective of the technology used and the level of security knowledge across stakeholders.