Application Security Development Life Cycle Assessment

An optimally designed and implemented Systems Development Life Cycle (SDLC) provides a logical framework to govern the development, guide the construction, define the verification activities, and monitor the ongoing operations of critical business applications. Typically, vulnerabilities identified via any of the other assessment activities discussed herein are traceable to a breakdown of the SDLC. 

Key activities include:

  • Conducting interviews and reviewing artifacts to assess the efficacy of the SDLC as it relates to Strategy & Metrics, Policy & Compliance, Education & Guidance, Threat Assessment, Security Requirements, Secure Architecture, Design Review, Code Review, Security Testing, Systems Hardening & Operational Enablement;
  • Benchmarking of the organization's SDLC against Open SAMM; and,
  • Formal reporting on the process, gap analysis, relevant findings, and mitigation roadmap. Where possible, the report will also include: root cause analysis, peer-group benchmarking, good practice benchmarking, executive summaries, and technical summaries.

The predominant benefits realized by an Application Security Development Life Cycle Assessment are:

  • Provides root cause analysis of the issues identified in other assessment activities;
  • Baselines the organization's SDLC practices against prevailing good practices;
  • Supports the evolution of a balanced software security program in well-defined iterations;
  • Provides a logical mechanism to demonstrate continuous improvement; and
  • Provides assurance that the processes governing the development, deployment, and operations of a critical application are in place, operating as intended, and likely to achieve critical security objectives.

Application Security Development Life Cycle Assessments are best used:

  • As part of a compliance management program, to demonstrate compliance with the organization's SDLC and prevailing good practice; and
  • As part of a broader "certification and accreditation" exercise to provide a higher level of assurance for critical applications.