Secure SDLC Implementation
It is simply not enough to address security only at the end of the development lifecycle, for instance by commissioning pentests. There are two main reasons for that: (1) The cost of fixing a security issue rises steeply the later it is found in the application lifecycle. (2) The architecture is the foundation of a secure application. An application built on an insecure foundation will never reach a really high level of security.
Therefore, security needs to be addressed throughout the whole software development lifecycle. In this context we often speak of building a Secure SDLC or Secure Development Lifecycle (SDL), which maps security activities onto an existing Software Development Lifecycle (SDLC).
We support you with all activities required to integrate application security into your development and procurement processes and to establish a working management system around it.
The best approach for this is setting up an application security program (ASP), which usually divides into three phases:
- Phase 1: As-Is Assessment & Planning (study, 3 – 6 months)
- Phase 2: Implementation & Piloting (6 months – 1 year)
- Phase 3: Rollout (usually in different stages)
Based on the results of phase 1 and the security goals identified for your company, we then start actually establishing the Secure SDLC along four workstreams:
- Requirements: Specifying new as well as adapting existing standards and guidelines.
- Processes: Establishing security gates within development and procurement processes as well as specifying required roles for that.
- Qualification: Training and coaching of developers and stakeholders.
- Tools: Selecting and integrating the tools required to automate security checks.
A crucial part of such a project is of course its management. Our consultants have all worked in this industry for many years and bring professional experience from a large number of customer projects.