Development Lifecycle

Security Lifecycle Plan Questionnaire

1) Do you practice version management for any security documents for the tools used?
2) Do you run automatic security scans in your development lifecycle?
   2.1) Do you have the latest security plugins and tools to provide security suggestions and detection to help improve secure coding?
   2.2) Are security experts involved in all steps of software design and QA testing?
3) Do you perform integrity checks on deployed artifacts to make sure the files were not modified?
4) Do you monitor third-party libraries used in the code at regular intervals for known weaknesses and maintainability?
5) Do you perform active checks to confirm that purchased hardware and software is as declared?
6) Have you integrated peer secure code review into the development lifecycle?
7) Do you perform security reviews of existing third-party integrations before incorporation?
8) Do you perform periodic full white-box penetration testing?
9) Do you perform external attack simulations at regular intervals to check external attack detection readiness?
10) How do you manage sensitive data when it is shared on company communication platforms?
11) Do you review non-security-related guidelines, protocols and procedures for possible security loopholes?
12) Do you use 2FA when dealing with user management data platforms?
13) Does each team have a cyber responsibility team member to help oversee security implementation?
14) Do you have a mechanism or a formal procedure for sharing with other projects the insecure code patterns and weaknesses discovered in a project?
15) Do you have a policy in place to prevent workers from connecting their phones or other non-secure devices via USB ports?
16) Do you use logical groups for important assets such as DNS domains and AWS resources to prevent having a single point of failure?
17) Does each user have different accounts and passwords for different systems to prevent a single point of failure in case of a breach?
   17.1) Do you use different accounts and passwords for staging and production environments?
18) Do you change the KRBTGT built-in Active Directory account password at regular intervals?
19) Are you enforcing a strong password policy across all machines, systems and apps?
20) Do you try to use automation, when possible, to limit security risks?
21) Are you employing SMB signing and Extended Protection for Authentication (EPA), and trying to disable NTLM support on the domain controllers, to protect yourself from NTLM relay attacks such as the new PetitPotam attack?
22) Do you have a DLP system or other measures to prevent data or code leakage, or to detect what was leaked?
23) Do you practice application whitelisting and enforcement using a system such as AppLocker?
24) Do you have an installation folder of allowed programs and packages, secured using signatures and hash validation? Do you block users from downloading and installing arbitrary programs?
25) Do you have periodic backup automation not only for databases, but for all sensitive data, code, configurations and documents?
26) Do you use 2FA anti-deletion policies in AWS backups?
27) Do you have offline backups of all sensitive data, code, configurations and documents?
28) Do you review which servers and services are publicly accessible, block public network access to all of those that should not be publicly accessible, and add IP whitelists where possible?
29) Have you implemented a security mechanism to prevent public access to QA websites that have debug functionality?
30) Do you practice network separation between the staging and production servers?
31) Are you using DevOps automation for all servers, both Windows and Linux, and implementing the security hardening and configurations in that automation?
32) Do you perform periodic reviews of the log management system to make sure sensitive data is not being logged?
33) Do you have log collection for all systems and services?
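The questionnaire asks whether deployed artifacts are integrity-checked and whether the installation folder is secured with signatures and hash validation. As an added example that is not from the deck, this Python script builds a SHA-256 manifest at build time, protects it with an HMAC-SHA256 tag as a stand-in for a signature, and reports modified, missing and unexpected files; the manifest layout, key and sample files are constructed assumptions.

```python
"""Added example (not from the original deck): integrity check of deployed artifacts
against a hash manifest, for the questionnaire's artifact-integrity and hash-validated
installation folder items. Assumed (not on the page): a build-time JSON manifest
{"files": {relative_path: sha256_hex}} tagged with HMAC-SHA256 as a stand-in for a
signature; the key and sample files below are constructed for the demo."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def relative_files(root: Path) -> set:
    """All regular files under root as POSIX-style relative paths."""
    return {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}

def build_manifest(root: Path, key: bytes) -> dict:
    """Record a SHA-256 per deployed file and tag the canonical JSON body with HMAC,
    so a tampered manifest is rejected before any file hash in it is trusted."""
    files = {rel: sha256_file(root / rel) for rel in sorted(relative_files(root))}
    body = json.dumps({"files": files}, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def verify_deployment(root: Path, manifest: dict, key: bytes) -> dict:
    """Return manifest_ok plus sorted lists of modified, missing and unexpected files.
    A bad tag or any non-empty list means the deployment differs from the build."""
    result = {"manifest_ok": False, "modified": [], "missing": [], "unexpected": []}
    expected_tag = hmac.new(key, manifest["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return result  # never trust hashes from an unauthenticated manifest
    expected = json.loads(manifest["body"])["files"]
    present = relative_files(root)
    result["manifest_ok"] = True
    result["modified"] = sorted(f for f in expected
                                if f in present and sha256_file(root / f) != expected[f])
    result["missing"] = sorted(f for f in expected if f not in present)
    result["unexpected"] = sorted(present - set(expected))
    return result

def demo() -> tuple:
    """Constructed scenario: a clean deployment, then one file edited, one removed and
    one added, then a forged manifest; returns (clean, tampered, forged) results."""
    key = b"constructed-demo-key-not-for-production"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"original binary")
        (root / "config.yml").write_text("debug: false\n")
        manifest = build_manifest(root, key)
        clean = verify_deployment(root, manifest, key)
        (root / "config.yml").write_text("debug: true\n")  # edited in place
        (root / "bin" / "app").unlink()                     # removed
        (root / "extra.sh").write_text("echo not built\n")  # not part of the build
        tampered = verify_deployment(root, manifest, key)
        # Manifest rewritten to match the edited tree but carrying the old tag
        forged = {"body": build_manifest(root, key)["body"], "tag": manifest["tag"]}
        forged_result = verify_deployment(root, forged, key)
    return clean, tampered, forged_result
```

Run the check from a pipeline step after deployment and fail the step on any non-empty list or a bad tag; the manifest key must not live on the hosts being verified, or a tampered host can re-sign its own manifest.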
