Secure Development Lifecycle Service
The Secure Development Lifecycle (SDL) is a balanced approach to integrating security into the application development process. Today many organizations follow this strategy to provide a high level of security assurance in their commercial and non-commercial applications. In addition, developer training provides a cost-effective way for developers to understand the security requirements and their assessment criteria before deploying security-centric components in future applications. SDL, an industry-leading software security assurance process introduced by Microsoft in 2004, provides security best practices for the application design, implementation and testing phases. SDL is designed to suit different business models and development environments, which supports its ability to recognize and remediate security issues raised during the development process.
Some of the core elements of the SDL process are also available as a separate set of services from Cipher Storm. We deliver the SDL service under industry-accepted guidelines for training, security analysis and assessment to discover application security threats and vulnerabilities and to strengthen any such weaknesses. Our qualified consultants assess the code using both automated and manual methods, and perform threat modeling, gap analysis and fuzz testing to profile the security of the software. These activities assess poor design and implementation and reveal any design or implementation flaws in the existing product.
SDL Process
Typically, the SDL process follows secure design principles and coding practices to eliminate security bugs at a fraction of the time and cost. If these design practices are not followed during application development, developers can be left with a heavy load of re-engineering the application to address security issues and bug fixes. Cipher Storm consultants help clients address these issues by integrating security best practices into their regular development process and provide comprehensive training to build a secure architecture that can resist application attack vectors (e.g. buffer overflows, SQL injection, command injection, denial of service, process control, XML/XPath injection). Our substantial experience in application security helps your organization clearly understand the methodology of the SDL process and its integration.

Cipher Storm - Secure Development Lifecycle (SDL) Process
Security Training
- Introduction to Secure Development Lifecycle
- Formal concepts and practices of SDL within your application
- Understanding the Threat Modeling process
Requirements
- Gathering security requirements that should comply with industry standards.
- Gathering and validating the technical design requirements.
- Creating the abuse cases to assess the appropriate security measures.
Design
- Perform the risk analysis on the basis of requirements.
- Threat modeling for security-centric components using the STRIDE classification scheme.
- Identify and eliminate the potential attack vectors to reduce the attack surface.
Test Planning
- Plan the test-scenarios based on the previous requirements and design.
- Simulate the tests with random inputs (e.g. event driven inputs, character driven inputs) to check the integrity of expected results.
Implementation
- Identify the appropriate security assessment tools relevant to the project.
- Perform the static code analysis and identify the security vulnerabilities, false positives or negatives and inappropriate quality issues.
- Avoid the use of unsafe functions and prohibited libraries and apply the safe APIs for best practices.
Testing
- Perform the additional code reviews based on dynamic analysis techniques.
- Fuzz test the application for security threats using a customized fuzzer.
- Manually review the suspected part of source code to discover security vulnerabilities.
- Identify the threat modeling deficiencies within your completed project.
Release
- Create the incident response plan for the current project.
- Final security review provides a final outlook into threat models, code assessment results, and the unfixed security bugs.
- Execution of the final project for customer delivery.
Feedback
- Get the operational security and non-security feedback from existing clients.
- Take necessary steps to eliminate any inappropriate bugs.
Benefits
- Reduces the cost of fixing security bugs during development as compared to the real-world production environment.
- Identify and prioritize all possible threats and vulnerabilities.
- Address the highly rated threats with appropriate countermeasures.
- Verify all misuse or abuse cases for the application.
- Automated and manual code reviews using advanced tools and techniques.
- Translation of technical risk to the business impact.
- Follow the standard methodology to identify and evaluate threats during the development process.
- Generate and test the application-specific countermeasures.
- Provide security awareness to the development team, advancing their knowledge for future software projects.