Security in the software life cycle
Iñigo Ladrón Morales
The use of applications, services, infrastructures and software services, or based on software, is something that is the order of the day and that we do several hundred times every day, when we use our personal or corporate mobile phone, cloud services, connections to our company and workplace, videoconferences and online meetings, checking our email, when we watch TV, and even when we drive our car.
For this reason, it is vital that all the software on which the services we use are based, in addition to being well implemented and not having problems, failures, 𝗯𝘂𝗴𝘀, or 𝘃𝘂𝗹𝗻𝗲𝗿𝗮𝗯𝗶𝗹𝗶𝗱𝗮𝗱𝗲𝘀, be completely safe.
We have already assumed that the use of 𝗰𝗶𝗯𝗲𝗿𝘀𝗲𝗴𝘂𝗿𝗶𝗱𝗮𝗱 tools, products and services is necessary. But, what? 𝘀𝗲𝗿𝘃𝗶𝗰𝗶𝗼𝘀 𝗾𝘂𝗲 𝘂𝘀𝗮𝗺𝗼𝘀, 𝗱𝗲𝗯𝗲𝗻 𝗱𝗲 𝘀𝗲𝗿 𝘁 𝗮𝗺𝗯𝗶é𝗻 𝗰𝗶𝗯𝗲𝗿𝘀𝗲𝗴𝘂𝗿𝗼𝘀, without security holes, neither 𝗯𝘂𝗴𝘀, nor 𝗽𝘂𝗲𝗿𝘁𝗮𝘀 𝘁𝗿𝗮𝘀𝗲𝗿𝗮𝘀?
Both consumers (individual and corporate users) and companies must demand that manufacturers and suppliers adopt the software development model focused on 𝙙𝙚𝙨𝙙𝙚 𝙚𝙡 𝙙 and throughout the entire country 𝙙𝙚 𝙨𝙤𝙛𝙩𝙬𝙖𝙧𝙚.
It is as important to carry out secure software development as to conceive and define it from the beginning as such, always having on the table the concept “𝙘𝙮𝙗𝙚𝙧𝙨𝙚𝙘𝙪𝙧𝙞𝙩𝙮 𝙛𝙞𝙧𝙨𝙩”.
To achieve secure software development, it is necessary to implement the (y, at that moment, it is also important). This is possible by applying certain secure development methodologies and technologies.
It is essential that the focus on innovation be present from the conception of a new software, service, product or application. That is, whoever defines the software, its characteristics and use cases, must also define how it should be developed so that it ends up being a secure software, product and/or service.
At that moment of identifying characteristics and defining them, possible assets and threats must also be identified, as well as the 𝗾𝘂𝗶𝘀𝗶𝘁𝗼𝘀 𝗱𝗲 𝗰𝗶𝗯𝗲𝗿𝘀𝗲𝗴𝘂𝗿𝗶𝗱𝗮𝗱. There are some methodologies and frameworks to help in this task, such as the 𝙘𝙡𝙚 (𝙎𝘿𝙇), or the 𝘽𝙪𝙞𝙡𝙙𝙞𝙣𝙜 𝙎𝙚𝙘𝙪𝙧𝙞𝙩𝙮 𝙄𝙣 𝙈𝙖𝙩𝙪𝙧𝙞 𝙩𝙮 𝙈𝙤𝙙𝙚𝙡 (𝘽𝙎𝙄𝙈𝙈2).
As we said throughout the development, at any time or cycle thereof, the 𝗰𝗶𝗯𝗲𝗿𝘀𝗲𝗴𝘂𝗿𝗶𝗱𝗮𝗱 must be integrated as another component of the implementation, not being a complement.
In the same way that we have heard about and apply the model of 𝙚 (𝙎𝘿𝘾𝙇), by applying cybersecurity as one more component of it, we will be talking about the 𝙘𝙞𝙘𝙡𝙤 𝙙𝙚 𝙙𝙚𝙨𝙖𝙧𝙧𝙤𝙡𝙡𝙤 𝙙𝙚 𝙨𝤙 𝙛𝙩𝙬𝙖𝙧𝙚 𝙨𝙚𝙜𝙪𝙧𝙤 (𝙎𝙎𝘿𝙇𝘾), which forms a framework which ensures the inclusion of security from the beginning to the end of the process.
In the case of 𝙘𝙞𝙘𝙡𝙤 𝙙𝙚 𝙙𝙚𝙨𝙖𝙧𝙧𝙤𝙡𝙡𝙤 𝙙𝙚 𝙨𝙤𝙛𝙩𝙬𝙖𝙧𝙚 (in any mode, waterfall, agile, etc.) we talk about the following stages, in which the , something that is “checked” at the end:
- Definition and Planning
- Analysis
- Design
- Programming / Implementation
- Testing / Quality
- Deployment
- Maintenance
- Documentation
However, in the case of the 𝙛𝙩𝙬𝙖𝙧𝙚, embedded in the traditional stages of software development, we will also have:
- 𝗜𝗱𝗲𝗻𝘁𝗶𝗳𝗶𝗰𝗮𝗰𝗶ó𝗻, 𝗱𝗲𝗳𝗶𝗻𝗶𝗰𝗶ó𝗻 𝘆 𝗮𝗻á𝗹𝗶𝘀𝗶 ?? 𝗯𝗲𝗿𝘀𝗲𝗴𝘂𝗿𝗶𝗱𝗮𝗱, which combines functional and non-functional requirements, with specific security/cybersecurity requirements.
- 𝗗𝗶𝘀𝗲ñ𝗼 𝘀𝗲𝗴𝘂𝗿𝗼/𝗰𝗶𝗯𝗲𝗿𝘀𝗲𝗴𝘂𝗿𝗼, where the definition of the operating model of each feature must apply 𝗰𝗶𝗯𝗲 criteria as the 𝙞𝙠 𝙛𝙪𝙣𝙙𝙞𝙙𝙖𝙙.
- 𝗜𝗺𝗽𝗹𝗲𝗺𝗲𝗻𝘁𝗮𝗰𝗶ó𝗻, 𝗽𝗿𝗼𝗴𝗿𝗮𝗺𝗮𝗰𝗶ó𝗻, 𝗼 𝗰𝗼𝗱𝗶 𝗳𝗶𝗰𝗮𝗰𝗶ó𝗻 𝘀𝗲𝗴𝘂𝗿𝗮/𝗰𝗶𝗯𝗲𝗿𝘀𝗲𝗴𝘂𝗿𝗮, in which programmers apply secure coding techniques and habits, such as 𝙡𝙟 𝙚𝙨𝙤, or the analysis and mitigation of 𝘃𝘂𝗹𝗻𝗲𝗿𝗮𝗯𝗶𝗹𝗶𝗱𝗮𝗱𝗲𝘀.
- 𝗣𝗿𝘂𝗲𝗯𝗮𝘀 𝗱𝗲 𝗰𝗮𝗹𝗶𝗱𝗮𝗱 𝗱𝗲 𝘀𝗲𝗴𝘂𝗿𝗶𝗱𝗮𝗱/𝗰𝗶 𝗯𝗲𝗿𝘀𝗲𝗴𝘂𝗿𝗶𝗱𝗮𝗱 which, like the quality tests of the development itself, are based on testing whether said development can be violated or not, if it has security holes, 𝗶𝗱𝗮𝗱𝗲𝘀 and how robust it is, through certain 𝙥𝙧𝙪𝙚𝙗𝙖𝙨 𝙙𝙚 𝙥𝙚𝙣𝙚𝙩𝙧𝙖𝙘𝙞ó𝙣, testing 𝙞𝙙𝙖𝙙𝙚𝙨, etc.
- 𝗖𝗼𝗻𝘁𝗿𝗼𝗹 𝗱𝗲 𝗰𝗮𝗹𝗶𝗱𝗮𝗱 𝗱𝗲 𝘀𝗲𝗴𝘂𝗿𝗶𝗱𝗮𝗱/𝗰𝗶 𝗯𝗲𝗿𝘀𝗲𝗴𝘂𝗿𝗶𝗱𝗮𝗱, where, once the software has been tested and the necessary corrective measures have been applied, it is verified that the developed software also complies with the defined security/cybersecurity standards to which it must adhere.
- 𝗗𝗲𝘀𝗽𝗹𝗶𝗲𝗴𝘂𝗲 𝘆 𝗲𝗻𝘁𝗿𝗲𝗴𝗮 𝘀𝗲𝗴𝘂𝗿𝗮/𝗰𝗶𝗯𝗲𝗿 𝘀𝗲𝗴𝘂𝗿𝗮, since the software itself is as important as the delivery and implementation mechanisms for its definitive use.
Some of the frameworks, recommendations, tools and certifications to take into account for the 𝗱𝗲𝘀𝗮𝗿𝗿𝗼𝗹𝗹𝗼 𝘀𝗲𝗴𝘂𝗿𝗼, are the following:
- The 𝗼𝘀, which allows the use of static and dynamic scanning tools for the identification of 𝗰ó𝗱𝗶𝗴𝗼 𝗳𝘂𝗲 𝗻𝘁𝗲 developed and in the configuration of what was developed. The 𝙉𝙄𝙎𝙏 𝙧𝙙𝙨 𝙖𝙣𝙙 𝙏𝙚𝙘𝙝𝙣𝙤𝙡𝙤𝙜𝙮) helps in this regard with recommendations, guidelines and standards for the security analysis of software and applications.
- El 𝙎𝙤𝙛𝙩𝙬𝙖𝙧𝙚 𝘼𝙨𝙨𝙪𝙧𝙖𝙣𝙘𝙚 𝙈𝙖𝙩𝙪𝙧𝙞𝙩𝙮 𝙈𝙤𝙙𝙚𝙡 (𝙎𝘼𝙈𝙈), o el 𝙊𝙥𝙚𝙣 𝙎𝙤𝙛𝙩𝙬𝙖𝙧𝙚 𝘼𝙨𝙨𝙪𝙧𝙖𝙣𝙘𝙚 𝙈𝙖𝙩𝙪𝙧𝙞𝙩𝙮 𝙈𝙤𝙙𝙚𝙡 (𝙊𝙥𝙚𝙣𝙎𝘼𝙈𝙈),
- 𝙊𝙥𝙚𝙣 𝙒𝙚𝙗 𝘼𝙥𝙥𝙡𝙞𝙘𝙖𝙩𝙞𝙤𝙣 𝙋𝙧𝙤 𝙟𝙚𝙘𝙩 (𝙊𝙒𝘼𝙎𝙋), provides a structured model to evaluate software security, incorporating process evaluation, training and KPIs or metrics.
- The 𝙚𝙡 (𝘽𝙎𝙄𝙈𝙈 𝙮 𝘽𝙎𝙄𝙈𝙈2), which allows comparing the maturity of an organization in terms of secure software development with other organizations in different sectors.
¿𝗧𝘂 𝗲𝗺𝗽𝗿𝗲𝘀𝗮 𝘁𝗶𝗲𝗻𝗲 𝗰𝗮𝗽𝗮𝗰𝗶𝗱𝗮𝗱 𝘆 𝗱𝗲𝘀𝘁𝗿𝗲𝘇𝗮 𝗽𝗮𝗿𝗮 𝗿𝗲𝗮𝗹𝗶𝘇𝗮𝗿 𝗰𝗶𝗰𝗹𝗼𝘀 𝗱𝗲 𝗱𝗲𝘀𝗮𝗿𝗿𝗼𝗹𝗹𝗼 𝘀𝗲𝗴𝘂𝗿𝗼 𝗱𝗲 𝘀𝗼𝗳𝘁𝘄𝗮𝗿𝗲?
Does your company need help with IT? 𝗮𝗿𝗿𝗼𝗹𝗹𝗼 𝘀𝗲𝗴𝘂𝗿𝗼, like the ones we offer at 𝗭𝗲𝗿𝗼𝗹𝘆𝗻𝘅: 𝘿𝙚𝙨𝙖𝙧𝙧𝙤𝙡𝙡𝙤 𝙎𝙚𝙜𝙪𝙧𝙤.
You can expand details about our services visiting the page of THIS
If you prefer, contact us and we talked.
