SSDLC methodologies

Microsoft’s SDL

SDL principles:

  • Secure by Design: Security is a built-in quality attribute affecting the whole software lifecycle.

  • Security by Default: Software systems are constructed to minimise potential harm caused by attackers, e.g. software is deployed with the least necessary privilege.

  • Secure in Deployment: software deployment is accompanied by tools and guidance supporting users and administrators.

  • Communications: software developers are prepared for emerging threats by communicating openly and in a timely manner with users and administrators.

SDL is a collection of mandatory security activities grouped by the traditional software development lifecycle phases. Data is collected to assess training effectiveness. In-process metrics are used to confirm process compliance. Post-release metrics are used to guide future changes. SDL places heavy emphasis on understanding the cause and effect of security vulnerabilities. A development team must complete the mandatory security activities to comply with the Microsoft SDL process.

OWASP’s S-SDLC

S-SDLC Principles

  • SDL is a collection of mandatory security activities grouped by the traditional software development lifecycle phases.

  • Data is collected to assess training effectiveness.

  • In-process metrics are used to confirm process compliance.

  • Post-release metrics are used to guide future changes.

  • SDL places heavy emphasis on understanding the cause and effect of security vulnerabilities.

  • A development team must complete the sixteen mandatory security activities to comply with the Microsoft SDL process.

OWASP S-SDLC aims to build “security quality gates” that support quality and secure software throughout the pipeline. This is done by following an Agile Security approach, where sprints are dedicated to security. Examples of such sprints include code reviews, authentication, authorisation, input validation, and assessing technical risks like code injection. The gates comprise sprints focusing on building blocks similar to those seen in Microsoft SDL. The OWASP S-SDLC Agile approach is heavily influenced by and based on a “Maturity Model” approach, in particular OWASP SAMM.
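The “security quality gate” idea above is easiest to see as a pipeline step that refuses to let a build proceed unless the required security checks ran and their findings stay within an agreed policy. The following is an added example written for these notes, not code from OWASP or Microsoft; the policy values, the tool names (`sast`, `dependency_scan`, `secrets_scan`) and the scanner results are all constructed, and it assumes scanner output has already been normalised into simple dictionaries.

```python
"""Minimal CI security quality gate (added example, not part of the original notes).

Assumptions (hypothetical): each scanner's output has been normalised to a dict
with 'tool', 'severity', 'rule' and 'location' keys; the policy and sample
results below are constructed for illustration.
"""
from collections import Counter

SEVERITIES = ("critical", "high", "medium", "low")

# Constructed gate policy: which scans must have run in this pipeline stage,
# and how many findings per severity the gate tolerates before blocking.
POLICY = {
    "required_tools": {"sast", "dependency_scan", "secrets_scan"},
    "max_findings": {"critical": 0, "high": 0, "medium": 5, "low": 20},
}

# Constructed sample output from three scanners in one pipeline run.
SAMPLE_RESULTS = {
    "tools_run": ["sast", "dependency_scan", "secrets_scan"],
    "findings": [
        {"tool": "sast", "severity": "high", "rule": "sql-injection", "location": "app/db.py:42"},
        {"tool": "sast", "severity": "medium", "rule": "weak-hash", "location": "app/auth.py:17"},
        {"tool": "dependency_scan", "severity": "medium", "rule": "outdated-lib", "location": "requirements.txt"},
        {"tool": "secrets_scan", "severity": "low", "rule": "test-credential", "location": "tests/fixtures.py:3"},
    ],
}


def summarise(results):
    """Per-severity finding counts: the kind of in-process metric SDL-style
    processes collect to show the gate was applied, not just that it exists."""
    counts = Counter(f["severity"] for f in results.get("findings", []))
    return {sev: counts[sev] for sev in SEVERITIES}


def evaluate_gate(results, policy=POLICY):
    """Return (passed, reasons).

    The gate fails closed: a required scan that did not run is a failure, any
    severity bucket over its limit is a failure, and an unrecognised severity
    label is treated as blocking rather than silently ignored.
    """
    reasons = []

    missing = policy["required_tools"] - set(results.get("tools_run", []))
    for tool in sorted(missing):
        reasons.append(f"required scan not run: {tool}")

    counts = Counter(f["severity"] for f in results.get("findings", []))
    for sev in SEVERITIES:
        limit = policy["max_findings"].get(sev, 0)
        if counts[sev] > limit:
            reasons.append(f"{counts[sev]} {sev} finding(s) exceeds limit of {limit}")

    for sev in sorted(set(counts) - set(SEVERITIES)):
        reasons.append(f"unrecognised severity '{sev}' (treated as blocking)")

    return (not reasons, reasons)


if __name__ == "__main__":
    passed, reasons = evaluate_gate(SAMPLE_RESULTS)
    print("gate:", "PASS" if passed else "FAIL", summarise(SAMPLE_RESULTS))
    for reason in reasons:
        print(" -", reason)
    # A non-zero exit is what makes the CI job stop the pipeline at this gate.
    raise SystemExit(0 if passed else 1)
```

Run as a pipeline step, the non-zero exit status is the gate: the sample run fails on the single high-severity finding even though every required scan ran. Tightening or loosening `POLICY` per stage (stricter before release than on feature branches) is how the same script serves successive gates in the pipeline.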

The Software Assurance Maturity Model (SAMM)

The Software Assurance Maturity Model (SAMM) is an open framework to help organisations formulate and implement a software security strategy tailored to the organisation’s specific risks. It helps to evaluate an organisation’s existing software security practices, build a software security assurance program, demonstrate improvements to that program, and define and measure security activities for an organisation. SAMM helps define objectives, actions, results, success metrics, costs, etc. An example would be a security scorecard used for gap analysis in a particular area, such as endpoint protection. It aims to answer “How well are we doing and where do we want to get to?”.

Building Security In Maturity Model (BSIMM)

BSIMM is a study of real-world software security initiatives and reflects the current state of software security. BSIMM can be described as a “measuring stick” for understanding your security posture by comparing it with the security state of other companies. In other words, it does not tell you what you should do but rather what you are doing wrong. Hundreds of organisations are involved.

Resources