Download as PDF, PPTX
Uploaded byJerod Brennen
Embedding Security in the SDLC
The document outlines 4 steps for embedding security into the software development lifecycle (SDLC): 1. Introduce automated security scanning tools like SonarQube and OWASP ZAP to find vulnerabilities and train developers on common risks. 2. Incorporate OWASP's proactive controls into the SDLC to shift from reactive scanning to secure coding. 3. Implement the OWASP Application Security Verification Standard (ASVS) to manage security based on risk levels. 4. Use the OWASP Software Assurance Maturity Model (SAMM) for a maturity-based approach to securing the SDLC and optimizing resources.
More Related Content
![[OWASP Poland Day] Embedding security into SDLC + GDPR](https://cdn.slidesharecdn.com/ss_thumbnails/owaspday2017-michalkurek-171003211147-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Embedding Security in the SDLC
Embedding Security in the SDLC
- 1. Embedding Security inthe SDLC Jerod Brennen Founder & Principal Consultant, Brennen Consulting
- 2. Software security is apositive indicator of software quality.
- 3. Step 1: Introduceautomated software security scanning Train developers on the OWASP Top 10 Web Application Security Risks ● OWASP Juice Shop Static Application Security Testing (SAST) ● SonarQube Community Edition ● Codacy ($180/yr) Dynamic Application Security Testing (DAST) ● OWASP ZAP ● Burp Suite ($399/yr)
- 4. Step 2: IntroduceOWASP proactive controls into the SDLC C1: Define Security Requirements C2: Leverage Security Frameworks and Libraries C3: Secure Database Access C4: Encode and Escape Data C5: Validate All Inputs C6: Implement Digital Identity C7: Enforce Access Controls C8: Protect Data Everywhere C9: Implement Security Logging and Monitoring C10: Handle All Errors and Exceptions
- 5. Step 3: Implementthe OWASP Application Security Verification Standard (ASVS) Level 1 - First steps, automated, or whole of portfolio view Level 2 - Most applications Level 3 - High value, high assurance, or high safety Map to data classification requirements and business criticality Validate compliance using the OWASP Web Security Testing Guide
- 6. Step 4: Implementthe OWASP Software Assurance Maturity Model (SAMM) Each business function maps to multiple practices Perform a maturity self-assessment Train stakeholders on the SAMM model Governance Design Implementation Verification Operations
- 7. Reiterating the value Step1 provides immediate visibility to higher risk vulnerabilities that could be present in your applications today. Step 2 allows you to shift from reactive scanning to proactive secure coding. Step 3 ensures that you’re managing software security activity (people, processes, and technologies) based on risk. Step 4 enables you to transition to a maturity-based approach to securing the SDLC, optimizing people, time, and resource allocation.
- 8.
- 9.
- 10.
- 11.