We are trying to implement "Security by Design" within our Software Development Life Cycle (SDLC). At what specific stages should we be performing penetration testing and vulnerability scanning? We want to move away from treating security as a final step before release and instead bake it into the entire product lifecycle from the requirements phase.
3 answers
Security by Design starts with "Threat Modeling" during the design phase, before a single line of code is written. In the development phase, you should use Static Application Security Testing (SAST) tools that run every time a developer commits code. As the product moves to the testing phase, Dynamic Application Security Testing (DAST) should be used on the running application. Penetration testing is best performed on a release candidate that is feature-complete. By shifting security left, you identify vulnerabilities when they are cheapest to fix, rather than discovering a major flaw right before deployment.
Do you have a dedicated security team to oversee this, or are you expecting your developers to handle the security scans themselves?
Automation is your best friend here. If the security checks aren't part of the automated pipeline, they will likely be skipped.
Anthony is right. Manual security checks are a bottleneck. Automation ensures consistency across every single release in the lifecycle.
Matthew, we are training "Security Champions" within each dev team. We don't have enough dedicated security staff, so we want the developers to be the first line of defense using automated tools that we provide for them.