Software Development

How does the Security by Design principle fit into the SDLC?

KA Asked by Karen Lewis · 15-01-2024
0 upvotes 7,235 views 0 comments
The question

We are trying to implement "Security by Design" within our Software Development Life Cycle (SDLC). At what specific stages should we be performing penetration testing and vulnerability scanning? We want to move away from treating security as a final step before release and instead bake it into the entire product lifecycle from the requirements phase. 

3 answers

0
MA
Answered on 20-02-2024

Security by Design starts with "Threat Modeling" during the design phase, before a single line of code is written. In the development phase, you should use Static Application Security Testing (SAST) tools that run every time a developer commits code. As the product moves to the testing phase, Dynamic Application Security Testing (DAST) should be used on the running application. Penetration testing is best performed on a release candidate that is feature-complete. By shifting security left, you identify vulnerabilities when they are cheapest to fix, rather than discovering a major flaw right before deployment. 

0
MA
Answered on 25-02-2024

Do you have a dedicated security team to oversee this, or are you expecting your developers to handle the security scans themselves? 

KA 01-03-2024

Matthew, we are training "Security Champions" within each dev team. We don't have enough dedicated security staff, so we want the developers to be the first line of defense using automated tools that we provide for them.

0
AN
Answered on 05-03-2024

Automation is your best friend here. If the security checks aren't part of the automated pipeline, they will likely be skipped.

MA 10-03-2024

Anthony is right. Manual security checks are a bottleneck. Automation ensures consistency across every single release in the lifecycle.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session