In a perfect world, security risks would arise at only one point in the software development lifecycle, and engineers could address them through a single set of tools and practices.
But that, unfortunately, is not the world we live in. Instead, the software development lifecycle – which means the set of processes that teams perform to design, implement, test and deploy software – consists of multiple stages. Multiple types of security threats can arise at each one.
That’s why securing the software development lifecycle requires a multi-pronged, multi-layered security strategy. This article discusses what that strategy should entail by identifying the various risks that arise across the software development lifecycle and explaining which processes and tools can help mitigate each one.
Software development lifecycle security risks
As we’ve noted, the software development lifecycle involves multiple stages, and each stage comes with its own security risks.
Software design security challenges
The first stage of software development is the planning stage. This is when developers design a new application or application update.
There are no active security threats at this stage because no code has been written yet. Still, developers should take steps during application planning and design to assess the security posture of the code they plan to write.
They should think, for example, about how the number of microservices that they plan to implement, and the way those microservices interact, could impact the attack surface of the application. They should also think about how they will enforce best practices like zero trust and micro segmentation within the application architecture they are planning. And they should consider how third-party dependencies (such as open source libraries or modules) that they plan to use could introduce security vulnerabilities into their codebase.
Coding security challenges
The next stage of the development lifecycle is coding. This is when developers write new code to implement the application functionality they designed in the first stage of the SDLC.
Because code during this stage is typically not exposed to third-party access, the risks of active attack are low. Nonetheless, it’s critical to ensure that strong access controls are in place within the Continuous Integration servers, source code management systems, and other development tools that developers use during this stage. Otherwise, there is a risk that attackers could compromise the development environment and insert malicious code into the application – as happened, for example, in the SolarWinds attack.
Secrets vaults, too, can be useful for securing code during the development stage. Secrets vaults provide a secure means of managing passwords, access keys, and other sensitive data developers may use during the development lifecycle. Without secrets vaults, this data could end up in plaintext form within source code, which is vulnerable to unauthorized third-party access.
Testing and software security
After code is written, developers test it within a staging environment. This stage is the best opportunity for teams to identify security risks that linger within their code prior to deploying it into production.
There are two main types of security checks to perform during this stage:
- Software Composition Analysis, or SCA, which identifies zero-day application security risks like vulnerable open source libraries. SCA works by scanning applications for known security risks.
- Dynamic Application Security Testing, or DAST, which involves evaluating inputs and outputs from a running application. DAST can detect security risks, such as data injection vulnerabilities, that might not be obvious from scanning static application files.
Ideally, a comprehensive suite of SCA and DAST tests will be run against the application during the testing stage of the software development lifecycle.
Deployment security risks
The final major stage of the development lifecycle is deployment. At this stage, the new or updated application is deployed into a production environment and exposed to end-users.
Because there is always a possibility that some vulnerabilities will remain undetected until after an application is in production, it’s a best practice to continue performing SCA and DAST testing during and after the deployment stage as part of a “shift-right” security strategy. Teams can also use Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) tools during the deployment stage to monitor production environments and detect risks based on behavioral anomalies.
In addition, engineers should address security risks that may arise from the way infrastructure is configured during the deployment stage. For example, they should scan cloud Identity and Access Management (IAM) policies to ensure that access control to the application’s host environment is properly locked down. They should also examine network policies to make sure they enforce micro segmentation. Cloud Security Posture Management (CSPM) tools, which automatically scan infrastructure configurations for security risks, can be useful for this purpose.
The many stages of SDLC security
Just as the software development lifecycle itself includes multiple stages and multiple tools, SDLC security requires a many-layered approach. Modern development teams should have solutions in place to mitigate the risk of introducing security vulnerabilities into their application in the first place, while also maximizing their ability to detect the risks that may slip in despite their best efforts.