Security Development Lifecycle (SDL) Overview

Slides:



Advertisements
Similar presentations
Configuration Management
Advertisements

A BPM Framework for KPI-Driven Performance Management
Roadmap for Sourcing Decision Review Board (DRB)
1 Requirements and the Software Lifecycle The traditional software process models Waterfall model Spiral model The iterative approach Chapter 3.
(Insert Title of Project Here) Kickoff Meeting (Month Date, Year)
Ahsan Kabir Project Manager Ahsan Kabir Project Manager ………………………….
Stepan Potiyenko ISS Sr.SW Developer.
Viewpoint Consulting – Committed to your success.
Lecture 2b: Software Project Management CSCI102 - Introduction to Information Technology B ITCS905 - Fundamentals of Information Technology.
Stephen S. Yau CSE , Fall Security Strategies.
Release & Deployment ITIL Version 3
Effective Methods for Software and Systems Integration
Challenges Faced in Developing Audit Plans and Programs 21 st March, 2013.
SEC835 Database and Web application security Information Security Architecture.
S/W Project Management
University of Palestine software engineering department Testing of Software Systems Fundamentals of testing instructor: Tasneem Darwish.
-Nikhil Bhatia 28 th October What is RUP? Central Elements of RUP Project Lifecycle Phases Six Engineering Disciplines Three Supporting Disciplines.
Demystifying the Business Analysis Body of Knowledge Central Iowa IIBA Chapter December 7, 2005.
Problem Identification
Module N° 8 – SSP implementation plan. SSP – A structured approach Module 2 Basic safety management concepts Module 2 Basic safety management concepts.
Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.
What is a Business Analyst? A Business Analyst is someone who works as a liaison among stakeholders in order to elicit, analyze, communicate and validate.
CHECKPOINTS OF THE PROCESS Three sequences of project checkpoints are used to synchronize stakeholder expectations throughout the lifecycle: 1)Major milestones,
University of Sunderland CIFM03Lecture 2 1 Quality Management of IT CIFM03 Lecture 2.
© Mahindra Satyam 2009 Configuration Management QMS Training.
1-2 Training of Process Facilitators 3-1. Training of Process Facilitators 1- Provide an overview of the role and skills of a Communities That Care Process.
Business Analysis. Business Analysis Concepts Enterprise Analysis ► Identify business opportunities ► Understand the business strategy ► Identify Business.
Requisite Skills for IS Management and Interpersonal Skills.
High Assurance Products in IT Security Rayford B. Vaughn, Mississippi State University Presented by: Nithin Premachandran.
1 CP586 © Peter Lo 2003 Multimedia Communication Multimedia Development Team.
RUP RATIONAL UNIFIED PROCESS Behnam Akbari 06 Oct
What is a software? Computer Software, or just Software, is the collection of computer programs and related data that provide the instructions telling.
Scrum Overview. Agenda What is scrum…and what it isn’t Scrum’s Characteristics The Scrum Process Scrum Phases Measurements Key Practices Backlogs Sprint.
Organizations of all types and sizes face a range of risks that can affect the achievement of their objectives. Organization's activities Strategic initiatives.
IS&T Project Reviews September 9, Project Review Overview Facilitative approach that actively engages a number of key project staff and senior IS&T.
Software Engineering — Software Life Cycle Processes — Maintenance
Configuration Management
Office 365 Security Assessment Workshop
Business System Development
Software Project Configuration Management
Software Quality Control and Quality Assurance: Introduction
Using Games to Effect Organizational Change
Workplace Projects.
BIL 424 NETWORK ARCHITECTURE AND SERVICE PROVIDING.
CallTower Implementation Process Overview
The Five Secrets of Project Scheduling A PMO Approach
Chapter 10 Software Quality Assurance& Test Plan Software Testing
Evaluating Existing Systems
Project Management Processes
Identify the Risk of Not Doing BA
Configuration Management
Evaluating Existing Systems
EOB Methodology Overview
Hyper-V Cloud Proof of Concept Kickoff Meeting <Customer Name>
Description of Revision
Requirements and the Software Lifecycle
CMMI – Staged Representation
Vision Facilitation Template
Guidance notes for Project Manager
IS&T Project Reviews September 9, 2004.
By Jeff Burklo, Director
Project Management Process Groups
Project Management Processes
Portfolio, Programme and Project
Engineering Processes
ISSUE MANAGEMENT PROCESS MONTH DAY, YEAR
{Project Name} Organizational Chart, Roles and Responsibilities
(Insert Title of Project Here) Kickoff Meeting
Presentation transcript:

Security Development Lifecycle (SDL) Overview Ronald Tafoya, CISSP, CE|H, PMP Technologist In Residence, High Desert Discovery District (HD3)

Agenda Overview. Security Development Lifecycle (SDL)

Basic Terminology Security condition of a system that results from the establishment and maintenance of measures to protect the system. Security is an aspect of a product, not a feature Privacy The right of an entity (normally a person), acting in its own behalf, to determine the degree to which it will interact with its environment, including the degree to which the entity is willing to share information about itself with others Trustworthy built to meet security and privacy goals; worthy of customer trust with respect to privacy and security Introduce concept of ‘Trustworthy’ product development

Design Vectors Power Performance Area Reliability Security Product developers must recognize The importance of Security And add it as a design vector Lead in Security vs. React

Security Design Vector Establishing security as a design vector requires: Individuals are empowered and accountable owners for each product Organizations to build the required development capabilities (this is Design for Security – DFS) Projects to follow the appropriate steps throughout execution (this is Security Development Life Cycle –SDL) Products show results by delivering to security and privacy requirements

Need for a Security Development Lifecycle Security is different Security is a process, not a product or particular feature Security of a product must be a system aspect Attackers find the path of least resistance, even if it’s outside the scope of your product To get it right, Security must be part of all stages of development The security profile of your product changes constantly due to changing assumptions, periodic decisions, and newly discovered information resulting from analysis. SeCoE and SDL help you deal with this through prescriptive guidance (prevent), continual analysis (detect), regular checkpoints (review), and PSIR (survive). Consistent security and privacy analysis is not being applied. SDL wants to change that.

Need for a Security Development Lifecycle Building trustworthy products requires continuous effort throughout the development lifecycle Trust issues discovered and created as product matures Trust assumptions often change during lifecycle Trust decisions made throughout lifecycle, sometimes accidentally Trustworthy product development is not happening consistently in the industry today The security profile of your product changes constantly due to changing assumptions, periodic decisions, and newly discovered information resulting from analysis. SeCoE and SDL help you deal with this through prescriptive guidance (prevent), continual analysis (detect), regular checkpoints (review), and PSIR (survive). Consistent security and privacy analysis is not being applied. SDL wants to change that.

SDL – Roles and Responsibilities Project Team Project Security SDL Lead Who: Someone in the development team Responsibility: Owns managing the SDL Tasks to see that the appropriate resources are assigned to each and that the tasks are completed on schedule Security Champion Who: The designated Security Champion for the product Responsibility: Owns delivering product that meets security goals (person ultimately accountable for shipping a secure product). Provides security consulting to the product team All project development and deployment team members Who: Everyone who takes part in definition, development, or deployment of the product Responsibility: Follow the SDL, get trained in product security issues relevant to your role, take product security seriously

SDL Roles and Responsibilities (2) Security Analysis Team Security Analyst Team Responsibility: Review trust aspects of the product throughout the lifecycle; provide analysis results at SDL checkpoints Security Champion can help you find solutions. Security consultant Who: there are many 3rd party consultants that can provides security consulting or a separate team in the company Responsibility: work with the project team to help & teach with the SDL implementation and tasks. SDL Program Manager Who: The Security Champion should provide this resource company-wide Responsibility: helps teams follow the SDL; facilitates periodic reviews of trust aspects of product with experts as needed

EXample SDL Product PLC Overlay

Security Reviews Potential INDEPENDENT 3rd party Reviews G0 Review The Product Overview presentation allows the product team to familiarize Review Team with the product, and provides the product team an opportunity to gather initial feedback from the Review Team. This review is appropriate for more complicated technologies and in cases when early security guidance from the Review Team is necessary. G1 Review This review allows the product team to familiarize the Review Team with the early security objectives and security requirements and to seek additional guidance from the Review Team. S1 Review In this review the product teams are expected to discuss their Security Objectives, Security Architecture and Threat Model, and how these address the security concerns that the product team has already examined.  The team should clearly show how the product architecture meets the defined Security Objectives and what security gaps exist.

S0 Assessment Assessment S0 Architecture S1 Design S2 Early implementation S3 Deployment S4 This first phase of the SDL Helps the project team identify the needed SDL activities. The first interaction with the SDL is the SDL assessment (doesn’t mater in what phase the project is) following the assessment the project team will be able to clearly identify the needed SDL activities.

S1 Architecture Concept S0 Architecture S1 Design S2 Early implementation S3 Deployment S4 The S1- Architecture phase ensures that product architecture, requirements, and usage models for security and privacy meet the security and privacy goals and requirements identified at the S0 - Concept phase. At the end of the S1- Architecture, the following should be achieved: Product architecture identifies the security model Product architecture defines an approach for the security and privacy requirements Architectural analysis for security and privacy has been completed on identified risk areas Security and privacy risks have been closed or assigned to an owner for follow-up A preliminary security and privacy validation plan has been drafted and reviewed

S2 Design Concept S0 Architecture S1 Design S2 Early implementation S3 Deployment S4 The S2 - Design phase examines designs to verify the security and privacy models laid out in the requirements and architecture At the end of this phase, the following should be achieved: Design analysis for security and privacy has been completed Survivability mechanisms included in architecture have supporting design in place The design delivers on the expectations from the market and product requirement documents. Evaluation plans appropriate to security and privacy risk areas approved Gaps in design analysis identified and accepted or assigned for follow-up

S3 Early implementation Concept S0 Architecture S1 Design S2 Early implementation S3 Deployment S4 The S3 - Early Implementation phase examines early implementation such as alpha code hardware emulations etc. This ensures that the product maintains the trust models laid out in the architecture and designs It also ensures implementation is on track for delivery of a trustworthy product. At the end of this phase, the following should be achieved: Product implementation is on track to meet the requirements architecture and design security and privacy requirements Product implementation areas for further security and privacy evaluation have been identified. Early implementation flaws and risks have been identified and assigned to owners for closure prior to the next phase S4 – Deployment. A revised security and privacy validation plan to reflect new findings in early security and privacy testing if needed.

S4 Deployment Concept S0 Architecture S1 Design S2 Early implementation S3 Deployment S4 The S4 - Deployment phase ensures the product is ready to ship from a security and privacy perspective At the end of the phase the following should be achieved: Any planned security analysis of the product is complete Survivability mechanisms checked that they are implemented as designed. The implementation delivers on security and privacy requirements as noted in the architecture documents. Security evaluation plans have been completed. Any gaps in the security and privacy of the product identified and accepted.

Backup Material

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.