Secure SDLC Implementation

It is simply not enough to address security only at the end of the development lifecycle, for instance by commissioning pentests. There are two reasons for that: (1) The cost of fixing a security issue rises rapidly the later it is addressed within the application lifecycle. (2) The architecture forms the foundation of a secure application. If an application is built upon an insecure foundation, it will never reach a really high level of security.

Therefore, security needs to be addressed throughout the whole software development lifecycle. In this context we often speak of building a Secure SDLC or Secure Development Lifecycle (SDL), which maps security activities onto an existing Software Development Lifecycle (SDLC).

We support you with all activities required to integrate application security into your development and procurement processes and to establish a working management system around it.

The best approach for this is setting up an application security program (ASP), which usually divides into three phases:

  • Phase 1: As-Is Assessment & Planning (study, 3 – 6 months)
  • Phase 2: Implementation & Piloting (6 months – 1 year)
  • Phase 3: Rollout (usually in different stages)

An as-is analysis is based on activities such as interviews, architectural reviews, threat and risk assessments and, of course, pentests.

Based on the results of phase 1 and the security goals identified for your company, we then proceed with actually establishing the Secure SDLC based on four workstreams:

A crucial part of this project is of course its management. Our consultants have all been working in this industry for many years and bring professional experience from a large number of customer projects.