Thursday, July 4, 2013

Importance of Secure Software Development Life Cycle

A common misconception is that applications should be secured after they are developed but before deployment to the production environment. "Performing a security audit after they are completed typically results in a significant amount of security flaws," said Dr. Anup Girdhar (CEO, Sedulity Groups). Some of these flaws can involve serious technical and architectural issues. In the best case, developers must invest an immense amount of time and effort to fix them; in the worst case, the application may require recoding and a redesign of its architecture. Performing application security in this manner is incredibly expensive and time consuming. Integrating security into the early phases of the SDLC avoids this cost and produces more secure applications in comparatively less time.

However, many organizations have not yet formalized their secure software development program, and consequently they spend more time reacting to security issues in completed applications than proactively eliminating issues before the applications are completed. Further, they see the same problems manifest themselves time and again in the same applications. This is a clear sign that a strategic approach must be adopted to avoid the endless bug-fix cycle.

Sedulity helps organizations develop a secure SDLC integration program, including recommended policies, guidelines, and knowledge transfer, to address the three fundamental areas of people, process, and technology that are critical to a successful development process.

The secure software development gap analysis process benefits significantly from security reviews of several of your applications to create a baseline. This testing could include threat modeling and penetration testing. Creating this baseline allows Sedulity consultants to accurately determine the state of software security within your environment. This in turn helps during the gap analysis and in making recommendations that can truly help your organization improve its software security while still delivering IT projects on time and within budget.

Methodology:

Sedulity Solutions & Technologies will gain a comprehensive understanding and analysis of how your development teams work. Through interaction, analysis of documented SDLC procedures, and review of any known issues with existing applications, Sedulity consultants will understand existing practices and be able to identify areas for improvement from a security perspective. A key part of this analysis is examining existing and proposed touch points and artifacts to identify critical areas for improvement. Sedulity measures the maturity of your application security efforts and helps you determine next steps by evaluating your SSDLC against a baseline of our best practice areas, which are as follows:

•    Awareness and Training
•    Assessment and Audit
•    Penetration Testing
•    Development and Quality Assurance
•    Compliance
•    Vulnerability Response
•    Metrics and Accountability
•    Operational Security etc.