Rishi Kant, profile picture
Uploaded byRishi Kant
PPTX, PDF2,175 views

Secure SDLC Framework

The document outlines the S-SDLC (Secure Software Development Life Cycle) frameworks, including waterfall, agile, and CI/CD approaches, with a focus on application security and risk management practices. It emphasizes the importance of addressing security vulnerabilities early in the development process to reduce remediation costs and increase effectiveness. Key statistics highlight the significant percentage of risks not covered by existing tools and the necessity for a structured approach to both secure coding and testing.

Embed presentation

Downloaded 67 times
S-SDLC FRAMEWORK UNKNOWN Rishi Kant
AGENDA About me Pre requirements & Business expectation General DAST Process Effectiveness of AppSec Program AppSec quality improvement approach S-SDLC | Type 1 | Waterfall S-SDLC | Type 2 | Agile S-SDLC | Type 3 | CI/CD Comparison of all 2 approach
ABOUT ME! I am Rishi Kant I am a Security professional with 11+ years of corporate experience in the field of Cyber Security, Information Security, Digital Forensics, GRC, IT Administration, Secure Software Development, Training, and company operations. I worked in various industry verticals such as Utilities, IT/ITES, E- Commerce, Government, BFSI and law-enforcement agencies. https://www.linkedin.com/in/hrishikant
PRE-REQUIREMENTS Knowledge of Waterfall SDLC Knowledge of Agile SDLC Cyber Security approaches Security testing Behaviors Vulnerability Analysis BUSINESS EXPECTATIONS PROCESSES OPTIMIZATION FOR TIME REDUCTION, INCREASE BUSINESS SPEED, REDUCE HUMAN EFFORTS EFFECTIVE RISK MANAGEMENT FRAMEWORK COST REDUCTIVE PROCESS AND LESS CONTROL IMPLEMENTATION COST
GENERAL PROCESS IN TYPICAL ORGANIZATION TIMELINES 2/3 DAYS 10/15 DAYS 1/2 DAYS 1 DAY BUT CYCLIC Understanding the scope Perform tests as per the scope Report generation and clearing the doubts Cyclic phase for re check the issues
RISK SOFTWARE PROJECT PROGRESS IDENTIFY CONTROL IMPLEMEN T CONTROL VALIDATE CONTROL We have jumped straight to validation without identifying the root cause and implementing the appropriate controls to reduce application security risk. TRACKING THE EFFECTIVENESS OF AN APPLICATION SECURITY PROGRAM
46% OF APPLICATION-LEVEL RISKS ARE NOT COVERED BY SAST & DAST TOOLS Source Code SAST & DAST Remediation 30% of total risks found & fixed average time to remediation = 316 days* 54% of risks found* 46% of risks are not found 70% of risks unaddressed 24% of risks found, not fixed 54% remediation rate* *Adapted from: National Institute of Standards and Technology. “Report on the Static Analysis Tool Exposition IV”. Gartner for Technical Professionals. “Application Security Think Big and Start with What Matters”. Veracode. “State of Software Security”, 2016. WhiteHat Security. “Web Applications Security Statistics Report”.
Source Code SAST & DAST Remediation 30% of total risks found & fixed average time to remediation = 316 days* 54% of risks found* 46%of risks are not found 70% of risks unaddressed 24% of risks found, not fixed 54% remediation rate* *Adapted from: National Institute of Standards and Technology. “Report on the Static Analysis Tool Exposition IV”. Gartner for Technical Professionals. “Application Security Think Big and Start with What Matters”. Veracode. “State of Software Security”, 2016. WhiteHat Security. “Web Applications Security Statistics Report”. 46% OF APPLICATION-LEVEL RISKS ARE NOT COVERED BY SAST & DAST TOOLS
Source: Applied Software Measurement, Capers Jones, 1996 • Cost of remediation is always lesser in coding phases irrespective to number of bugs found. • Impact on services, risk delta is always increases as the SDLC phases increases. • Increase in effectiveness of controls help to decrease the number of bugs found and remediation costs. • Decrease the impact on reputation, brand, business, reliability. STATISTICS ANALYSIS OF REMEDIATION COST PER STAGES “The cost of removing an application security vulnerability during the design phase ranges from 30-60 times less than if removed during production.” NIST, IBM, and Gartner Group
APPLICATION SEC. QUALITY IMPROVEMENT APPROACH Definition Pre-Design Design Development Deployment CheckPoint 1 CheckPoint 2 CheckPoint 3 CheckPoint 4 CheckPoint 5 Concepts / Priority Selection of Controls Preliminary Design AGREEMENT Design & Review Approve Build • High Level Security Risk Analysis • Risk Base Security Plan • Selection of Controls • Selection of Service, protocols • Security Design Review • Third part assets control selection • Secure Code review • Data flow review • Vulnerability Assessment • Penetration testing • Third party assessment
WATERFALL APPROACH FOR S-SDLC Business Requirements Application Portfolio Analysis | User Risk Analysis | Security Requirements Analysis Pre-Design Secure Design Analysis | Risk Assessment | Architecture Review Plan | Threat Modeling Design External Security Review | Design Risk Analysis | Architecture Risk Analysis Post-Design Dev. Test Plan | Review of Data Flow charts | Communication channels/Services Development Secure Code Guidelines | Static Code Analysis | Developer Training | Coding Standards Development Testing Security Metrics Development | Test Reviews | Dynamic Code Analysis | DAST Deployment Pre-Implementation Risk Management Maintenance
AGILE APPROACH FOR S-SDLC Initial Phase Application Portfolio Analysis | User Risk Analysis | Required Training Creation User Stories Secure Design Analysis | Risk Assessment | Architecture Review Plan | Security Requirement Analysis Creation Product Backlogs Design Risk Analysis | Architecture Risk Analysis | Threat Modelling Creation Sprint Backlogs Security Metrics Development | Communication channels/Services | Secure Code Guidelines | Coding Standards Development Sprint Lifecycle Static Code Analysis | Developer Training | Dynamic Code Analysis | DAST Finishing Sprint Test Reviews | Pre-Implementation Risk Management Sprint Retrospective Feedbacks | Security Improvement Plan Maintenance
GENERAL AGILE SDLC Client Product Owner Sprint Plan Meeting DevOps Team User Stories Sprint Backlog Sprint Life Cycle Product Backlog Finish of Sprint Sprint Review Sprint Retrospective Feedbacks • Product owner accept the inputs from the Client to conclude the user stories for product backlog. • Every product backlog further divided into sprint backlog as per the group of same type of functionalities. • Every Sprint backlog have the cycle of Coding and testing aligned with daily follow-up scrum meeting with scrum master, product owner, developers. • Scrum meeting is on daily basis for better analysis the growth of the project. • On the finish of Sprint, we need to review followed by Sprint retrospective for feedback to product owner likely for gaps evaluation.
CI/CD APPROACH S-SDLC Continuous Delivery Continuous Integration PRO UAT QA DEV Version Control Developer 1 Developer 1Scrum Master Service Desk 1 2 3 4 5 6 7 Check 4 Changes Fetch Changes Notify issues Send Backlog
WATERFALL | AGILE | CI/CD IN S-SDLC • Waterfall SDLC easy to alignment with Secure SDLC irrespective to Agile & CI/CD methodologies. • Waterfall model follow the consecutive process irrespective to Agile & CI/CD methodologies. • Implementation of Security in waterfall is easier then Agile & CICD but we can use some enhanced criteria for better & secure agile/CI/CD SDLCs Business Require ments Application Portfolio Analysis | User Risk Analysis | Security Requirements Analysis Pre- Design Secure Design Analysis | Risk Assessment | Architecture Review Plan | Threat Modeling Design External Security Review | Design Risk Analysis | Architecture Risk Analysis Post- Design Dev. Test Plan | Review of Data Flow charts | Communication channels/Services Develop ment Secure Code Guidelines | Static Code Analysis | Developer Training | Coding Standards Development Testing Security Metrics Development | Test Reviews | Dynamic Code Analysis | DAST Deploy ment Pre-Implementation Risk Management Secure SDLC in Waterfall Secure SDLC in Agile Secure SDLC in CI/CD * Perfectly aligned with security blocks * Hard to fit as per the security blocks Continuous Delivery Continuous Integration PRO UAT QA DEV Version Control Deve lope r 1 Deve lope r 1 S c r u m M a s t e r S e r v i c e D e s k 1 2 3 4 5 6 7 Check 4 Changes Fetch Changes Notify issues Send Backlog * Hard to fit as per the security blocks
THANK YOU! Any questions? You can also find me at rishi-kant@live.in for any further questions

More Related Content

PPTX
Web Application Security Testing
byAgile Testing Alliance
 
PPTX
Microsoft Security Development Lifecycle
byRazi Rais
 
PDF
Secure Software Design and Secure Programming
byMustafaAlshekly1
 
PPTX
Understanding Application Threat Modelling & Architecture
byPriyanka Aash
 
PPT
Software Security Engineering
byMarco Morana
 
PDF
Secure coding guidelines
byZakaria SMAHI
 
PDF
Secure Coding and Threat Modeling
byMiriam Celi, CISSP, GISP, MSCS, MBA
 
PDF
Secure Software Development Lifecycle - Devoxx MA 2018
byImola Informatica
 
Web Application Security Testing
byAgile Testing Alliance
 
Microsoft Security Development Lifecycle
byRazi Rais
 
Secure Software Design and Secure Programming
byMustafaAlshekly1
 
Understanding Application Threat Modelling & Architecture
byPriyanka Aash
 
Software Security Engineering
byMarco Morana
 
Secure coding guidelines
byZakaria SMAHI
 
Secure Coding and Threat Modeling
byMiriam Celi, CISSP, GISP, MSCS, MBA
 
Secure Software Development Lifecycle - Devoxx MA 2018
byImola Informatica
 

What's hot

PPTX
Secure Software Development Lifecycle
by1&1
 
PDF
Application Security | Application Security Tutorial | Cyber Security Certifi...
byEdureka!
 
PDF
Secure Code Review 101
byNarudom Roongsiriwong, CISSP
 
PDF
Threat Modelling
byn|u - The Open Security Community
 
PPTX
Secure Software Development Life Cycle
byMaurice Dawson
 
PDF
Secure Coding principles by example: Build Security In from the start - Carlo...
byCodemotion
 
PDF
Application Security - Your Success Depends on it
byWSO2
 
PPTX
Patch Management Best Practices
byIvanti
 
PDF
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
byJiunn-Jer Sun
 
PPTX
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
PPTX
Secure coding practices
byMohammed Danish Amber
 
PDF
NIST cybersecurity framework
byShriya Rai
 
PPTX
Secure coding practices
byScott Hurrey
 
PDF
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
byEdureka!
 
PPTX
SABSA overview
bySABSAcourses
 
PPTX
Intro to Security in SDLC
byTjylen Veselyj
 
PDF
Introduction to Cybersecurity
byKrutarth Vasavada
 
PDF
Cybersecurity Roadmap Development for Executives
byKrist Davood - Principal - CIO
 
PPT
Application Security
byflorinc
 
PPTX
Security Training: #3 Threat Modelling - Practices and Tools
byYulian Slobodyan
 
Secure Software Development Lifecycle
by1&1
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
byEdureka!
 
Secure Code Review 101
byNarudom Roongsiriwong, CISSP
 
Threat Modelling
byn|u - The Open Security Community
 
Secure Software Development Life Cycle
byMaurice Dawson
 
Secure Coding principles by example: Build Security In from the start - Carlo...
byCodemotion
 
Application Security - Your Success Depends on it
byWSO2
 
Patch Management Best Practices
byIvanti
 
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
byJiunn-Jer Sun
 
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
Secure coding practices
byMohammed Danish Amber
 
NIST cybersecurity framework
byShriya Rai
 
Secure coding practices
byScott Hurrey
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
byEdureka!
 
SABSA overview
bySABSAcourses
 
Intro to Security in SDLC
byTjylen Veselyj
 
Introduction to Cybersecurity
byKrutarth Vasavada
 
Cybersecurity Roadmap Development for Executives
byKrist Davood - Principal - CIO
 
Application Security
byflorinc
 
Security Training: #3 Threat Modelling - Practices and Tools
byYulian Slobodyan
 

Similar to Secure SDLC Framework

PPTX
Introduction of Secure Software Development Lifecycle
byRishi Kant
 
PPTX
Agile & Secure SDLC
byPaul Yang
 
PPT
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
bygealehegn
 
PPT
Lecture Course Outline and Secure SDLC.ppt
byDrBasemMohamedElomda
 
PDF
The Permanent Campaign
byDenim Group
 
PDF
Secure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
byRaphael Denipotti
 
PPTX
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
byQADay
 
PDF
S sdlc datasheet q1-2015 v fnl
bySally Chan
 
PDF
Managing Application Security Risk in Enterprises - Thoughts and recommendations
byThierry Zoller
 
PPTX
Secure-Software-Development-lifecycle-lecture02.pptx
byHammadAli989482
 
PDF
Applicaiton Security - Building The Audit Program
byMichael Davis
 
PDF
AppSec in an Agile World
byDavid Lindner
 
PPTX
Secure SDLC in mobile software development.
byMykhailo Antonishyn
 
PPT
Software Security in the Real World
byMark Curphey
 
PPTX
Agile and Secure SDLC
byNazar Tymoshyk, CEH, Ph.D.
 
PPT
Software security engineering
byAHM Pervej Kabir
 
PPT
Software security engineering
byAHM Pervej Kabir
 
PPTX
Cloud application security (CCSP Domain 4)
byAmy Nicewick, CISSP, CCSP, CEH
 
PPTX
Integrating Security Across SDLC Phases
byIshrath Sultana
 
PDF
Codebits 2014 - Secure Coding - Gamification and automation for the win
byTiago Henriques
 
Introduction of Secure Software Development Lifecycle
byRishi Kant
 
Agile & Secure SDLC
byPaul Yang
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
bygealehegn
 
Lecture Course Outline and Secure SDLC.ppt
byDrBasemMohamedElomda
 
The Permanent Campaign
byDenim Group
 
Secure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
byRaphael Denipotti
 
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
byQADay
 
S sdlc datasheet q1-2015 v fnl
bySally Chan
 
Managing Application Security Risk in Enterprises - Thoughts and recommendations
byThierry Zoller
 
Secure-Software-Development-lifecycle-lecture02.pptx
byHammadAli989482
 
Applicaiton Security - Building The Audit Program
byMichael Davis
 
AppSec in an Agile World
byDavid Lindner
 
Secure SDLC in mobile software development.
byMykhailo Antonishyn
 
Software Security in the Real World
byMark Curphey
 
Agile and Secure SDLC
byNazar Tymoshyk, CEH, Ph.D.
 
Software security engineering
byAHM Pervej Kabir
 
Software security engineering
byAHM Pervej Kabir
 
Cloud application security (CCSP Domain 4)
byAmy Nicewick, CISSP, CCSP, CEH
 
Integrating Security Across SDLC Phases
byIshrath Sultana
 
Codebits 2014 - Secure Coding - Gamification and automation for the win
byTiago Henriques
 

Recently uploaded

PDF
A "Kill Switch" (Emergency Off Switch) for AI?
byScott M. Graffius
 
PDF
From Compliance to Competitive Advantage Board-Level Cyber Governance Under D...
bySaraDavis91
 
PDF
The_Boardroom_Cyber_Playbook_Research_Edition
bySaraDavis91
 
PDF
Presentation on Four Stroke Engine of Ic engine
bySonam Sherpa
 
PPTX
Lecture 04. about Black heads and Hackerss.pptx
byvinocol222
 
PPTX
Flutter & Firebase Session Slides - GDG VESIT
bygdgcodecellcmpn
 
PPTX
KTU-PEMET413 -MODULE 2-POLYMER MATRIX COMPOSITES - LECTURE 1.pptx
byVINAY B
 
PPTX
Building Real-Time Voice AI — Udaiappa Ramachandran
byUdaiappa Ramachandran
 
PPTX
Unit 1 Introduction of Computer Networks
bySuvarnaSharma5
 
PPTX
TechSprint Kickoff - Everything You Need to Know
bygdgcodecellcmpn
 
PDF
threat-hunters-cookbook for cybersecurity
bylobster6719
 
PDF
SEO in Charleston SC | Local SEO Strategies to Grow Your Business.pdf
bycustomdigitalsolutio1
 
PDF
Higgsfield AI: The New Way to Create Cinematic Video
bytechnologyupside
 
PPTX
DVCON24-IBM ai/ml driven hardware verification
byArun Joseph
 
PDF
oracle_apex_tamil_export_an_application.pdf
byUthamaselvan M
 
PDF
The Cost of Missing Critical Connections in Data - Suspicious Behavior Detect...
byEnterprise Knowledge
 
PPTX
On-Device AI with Gemma 3n and PaliGemma 2 Session Slides - GDG VESIT
bygdgcodecellcmpn
 
PPT
Waste water treatment plant operation and maintenance
byDuggineniRamakrishna
 
PDF
Digital Transformation Services The Key to Futureproofing Your Business
byQuadrafort Technolgies
 
DOCX
Quercus semecarpifolia is widely recognized as a keystone species in alpine a...
byMadan Bhandari university and St. Xavier's college , Maitighar
 
A "Kill Switch" (Emergency Off Switch) for AI?
byScott M. Graffius
 
From Compliance to Competitive Advantage Board-Level Cyber Governance Under D...
bySaraDavis91
 
The_Boardroom_Cyber_Playbook_Research_Edition
bySaraDavis91
 
Presentation on Four Stroke Engine of Ic engine
bySonam Sherpa
 
Lecture 04. about Black heads and Hackerss.pptx
byvinocol222
 
Flutter & Firebase Session Slides - GDG VESIT
bygdgcodecellcmpn
 
KTU-PEMET413 -MODULE 2-POLYMER MATRIX COMPOSITES - LECTURE 1.pptx
byVINAY B
 
Building Real-Time Voice AI — Udaiappa Ramachandran
byUdaiappa Ramachandran
 
Unit 1 Introduction of Computer Networks
bySuvarnaSharma5
 
TechSprint Kickoff - Everything You Need to Know
bygdgcodecellcmpn
 
threat-hunters-cookbook for cybersecurity
bylobster6719
 
SEO in Charleston SC | Local SEO Strategies to Grow Your Business.pdf
bycustomdigitalsolutio1
 
Higgsfield AI: The New Way to Create Cinematic Video
bytechnologyupside
 
DVCON24-IBM ai/ml driven hardware verification
byArun Joseph
 
oracle_apex_tamil_export_an_application.pdf
byUthamaselvan M
 
The Cost of Missing Critical Connections in Data - Suspicious Behavior Detect...
byEnterprise Knowledge
 
On-Device AI with Gemma 3n and PaliGemma 2 Session Slides - GDG VESIT
bygdgcodecellcmpn
 
Waste water treatment plant operation and maintenance
byDuggineniRamakrishna
 
Digital Transformation Services The Key to Futureproofing Your Business
byQuadrafort Technolgies
 
Quercus semecarpifolia is widely recognized as a keystone species in alpine a...
byMadan Bhandari university and St. Xavier's college , Maitighar
 

Secure SDLC Framework

  • 1.
  • 2.
    AGENDA About me Pre requirements& Business expectation General DAST Process Effectiveness of AppSec Program AppSec quality improvement approach S-SDLC | Type 1 | Waterfall S-SDLC | Type 2 | Agile S-SDLC | Type 3 | CI/CD Comparison of all 2 approach
  • 3.
    ABOUT ME! I amRishi Kant I am a Security professional with 11+ years of corporate experience in the field of Cyber Security, Information Security, Digital Forensics, GRC, IT Administration, Secure Software Development, Training, and company operations. I worked in various industry verticals such as Utilities, IT/ITES, E- Commerce, Government, BFSI and law-enforcement agencies. https://www.linkedin.com/in/hrishikant
  • 4.
    PRE-REQUIREMENTS Knowledge of WaterfallSDLC Knowledge of Agile SDLC Cyber Security approaches Security testing Behaviors Vulnerability Analysis BUSINESS EXPECTATIONS PROCESSES OPTIMIZATION FOR TIME REDUCTION, INCREASE BUSINESS SPEED, REDUCE HUMAN EFFORTS EFFECTIVE RISK MANAGEMENT FRAMEWORK COST REDUCTIVE PROCESS AND LESS CONTROL IMPLEMENTATION COST
  • 5.
    GENERAL PROCESS INTYPICAL ORGANIZATION TIMELINES 2/3 DAYS 10/15 DAYS 1/2 DAYS 1 DAY BUT CYCLIC Understanding the scope Perform tests as per the scope Report generation and clearing the doubts Cyclic phase for re check the issues
  • 6.
    RISK SOFTWARE PROJECT PROGRESS IDENTIFY CONTROL IMPLEMEN TCONTROL VALIDATE CONTROL We have jumped straight to validation without identifying the root cause and implementing the appropriate controls to reduce application security risk. TRACKING THE EFFECTIVENESS OF AN APPLICATION SECURITY PROGRAM
  • 7.
    46% OF APPLICATION-LEVELRISKS ARE NOT COVERED BY SAST & DAST TOOLS Source Code SAST & DAST Remediation 30% of total risks found & fixed average time to remediation = 316 days* 54% of risks found* 46% of risks are not found 70% of risks unaddressed 24% of risks found, not fixed 54% remediation rate* *Adapted from: National Institute of Standards and Technology. “Report on the Static Analysis Tool Exposition IV”. Gartner for Technical Professionals. “Application Security Think Big and Start with What Matters”. Veracode. “State of Software Security”, 2016. WhiteHat Security. “Web Applications Security Statistics Report”.
  • 8.
    Source Code SAST& DAST Remediation 30% of total risks found & fixed average time to remediation = 316 days* 54% of risks found* 46%of risks are not found 70% of risks unaddressed 24% of risks found, not fixed 54% remediation rate* *Adapted from: National Institute of Standards and Technology. “Report on the Static Analysis Tool Exposition IV”. Gartner for Technical Professionals. “Application Security Think Big and Start with What Matters”. Veracode. “State of Software Security”, 2016. WhiteHat Security. “Web Applications Security Statistics Report”. 46% OF APPLICATION-LEVEL RISKS ARE NOT COVERED BY SAST & DAST TOOLS
  • 9.
    Source: Applied SoftwareMeasurement, Capers Jones, 1996 • Cost of remediation is always lesser in coding phases irrespective to number of bugs found. • Impact on services, risk delta is always increases as the SDLC phases increases. • Increase in effectiveness of controls help to decrease the number of bugs found and remediation costs. • Decrease the impact on reputation, brand, business, reliability. STATISTICS ANALYSIS OF REMEDIATION COST PER STAGES “The cost of removing an application security vulnerability during the design phase ranges from 30-60 times less than if removed during production.” NIST, IBM, and Gartner Group
  • 10.
    APPLICATION SEC. QUALITYIMPROVEMENT APPROACH Definition Pre-Design Design Development Deployment CheckPoint 1 CheckPoint 2 CheckPoint 3 CheckPoint 4 CheckPoint 5 Concepts / Priority Selection of Controls Preliminary Design AGREEMENT Design & Review Approve Build • High Level Security Risk Analysis • Risk Base Security Plan • Selection of Controls • Selection of Service, protocols • Security Design Review • Third part assets control selection • Secure Code review • Data flow review • Vulnerability Assessment • Penetration testing • Third party assessment
  • 11.
    WATERFALL APPROACH FORS-SDLC Business Requirements Application Portfolio Analysis | User Risk Analysis | Security Requirements Analysis Pre-Design Secure Design Analysis | Risk Assessment | Architecture Review Plan | Threat Modeling Design External Security Review | Design Risk Analysis | Architecture Risk Analysis Post-Design Dev. Test Plan | Review of Data Flow charts | Communication channels/Services Development Secure Code Guidelines | Static Code Analysis | Developer Training | Coding Standards Development Testing Security Metrics Development | Test Reviews | Dynamic Code Analysis | DAST Deployment Pre-Implementation Risk Management Maintenance
  • 12.
    AGILE APPROACH FORS-SDLC Initial Phase Application Portfolio Analysis | User Risk Analysis | Required Training Creation User Stories Secure Design Analysis | Risk Assessment | Architecture Review Plan | Security Requirement Analysis Creation Product Backlogs Design Risk Analysis | Architecture Risk Analysis | Threat Modelling Creation Sprint Backlogs Security Metrics Development | Communication channels/Services | Secure Code Guidelines | Coding Standards Development Sprint Lifecycle Static Code Analysis | Developer Training | Dynamic Code Analysis | DAST Finishing Sprint Test Reviews | Pre-Implementation Risk Management Sprint Retrospective Feedbacks | Security Improvement Plan Maintenance
  • 13.
    GENERAL AGILE SDLC Client Product Owner SprintPlan Meeting DevOps Team User Stories Sprint Backlog Sprint Life Cycle Product Backlog Finish of Sprint Sprint Review Sprint Retrospective Feedbacks • Product owner accept the inputs from the Client to conclude the user stories for product backlog. • Every product backlog further divided into sprint backlog as per the group of same type of functionalities. • Every Sprint backlog have the cycle of Coding and testing aligned with daily follow-up scrum meeting with scrum master, product owner, developers. • Scrum meeting is on daily basis for better analysis the growth of the project. • On the finish of Sprint, we need to review followed by Sprint retrospective for feedback to product owner likely for gaps evaluation.
  • 14.
    CI/CD APPROACH S-SDLC ContinuousDelivery Continuous Integration PRO UAT QA DEV Version Control Developer 1 Developer 1Scrum Master Service Desk 1 2 3 4 5 6 7 Check 4 Changes Fetch Changes Notify issues Send Backlog
  • 15.
    WATERFALL | AGILE| CI/CD IN S-SDLC • Waterfall SDLC easy to alignment with Secure SDLC irrespective to Agile & CI/CD methodologies. • Waterfall model follow the consecutive process irrespective to Agile & CI/CD methodologies. • Implementation of Security in waterfall is easier then Agile & CICD but we can use some enhanced criteria for better & secure agile/CI/CD SDLCs Business Require ments Application Portfolio Analysis | User Risk Analysis | Security Requirements Analysis Pre- Design Secure Design Analysis | Risk Assessment | Architecture Review Plan | Threat Modeling Design External Security Review | Design Risk Analysis | Architecture Risk Analysis Post- Design Dev. Test Plan | Review of Data Flow charts | Communication channels/Services Develop ment Secure Code Guidelines | Static Code Analysis | Developer Training | Coding Standards Development Testing Security Metrics Development | Test Reviews | Dynamic Code Analysis | DAST Deploy ment Pre-Implementation Risk Management Secure SDLC in Waterfall Secure SDLC in Agile Secure SDLC in CI/CD * Perfectly aligned with security blocks * Hard to fit as per the security blocks Continuous Delivery Continuous Integration PRO UAT QA DEV Version Control Deve lope r 1 Deve lope r 1 S c r u m M a s t e r S e r v i c e D e s k 1 2 3 4 5 6 7 Check 4 Changes Fetch Changes Notify issues Send Backlog * Hard to fit as per the security blocks
  • 16.
    THANK YOU! Any questions? Youcan also find me at rishi-kant@live.in for any further questions