Security needs to be addressed throughout the whole software development lifecycle. In this context, we often speak about building a Secure SDLC (SSDLC) or Secure Lifecycle Management System (SSLM).
We support you with all activities required to integrate application security into your development and procurement processes and to establish a working management system around it. The best approach for this is setting up an application (software) security program that is usually divided into three phases:
- Phase 1: As-Is Assessment & planning (study, 3 – 6 months)
- Phase 2: Implementation, quick wins & piloting (6 months – 1 year)
- Phase 3: Rollout (usually in different stages)
An as-is analysis is based on activities such as interviews, architectural reviews, threat and risk assessments and, of course, pentests. Focusing on quick wins at the start is very helpful in order to achieve early successes. Have a look at our blog.
Based on the results of phase 1 and the security goals identified for your company, we then proceed with actually establishing the SSDLC along four workstreams:
- Requirements: Specifying new as well as adapting existing standards and guidelines.
- Processes: Establishing security gates within development and procurement processes as well as specifying required roles for that.
- Qualification: Training and coaching of developers and stakeholders.
- Tools: Selecting and integrating required tools automating security checks.
A crucial part of such a project is, of course, its management. Our consultants all work in this industry and bring many years of professional experience from a large number of customer projects.