July 22, 2004

Collaboration in a Secure Development Process

In the June issue of the Information Security Bulletin there is an article examining specific ways that the security and development teams can collaborate while software is being designed and developed, as opposed to only patching software once it has been deployed. The article explores how software is extremely malleable in the design and development phase; once the architectural layers, tiers and distribution models are set and the application is deployed, the cost and complexity of making changes rise dramatically.

My favorite part of the article is the clarity it gives in a table of the Software Development Activities and Artifacts. It clearly relates development processes and security-specific artifacts. Basically it looks something like this:

| Phase Activity | Standard Software Development Process Artifact | Security-specific artifact |
|---|---|---|
| Analysis | Use Case | Misuse Case |
| | Functional and non-functional requirements | |
| | Glossary | |
| Design | Object modeling | Threat Modeling |
| | Design Patterns | Data Classification |
| | | Security Integration Design |
| Coding | Unit Tests | Unit Hacks |
| | Code Development | Countermeasure and detection development |
| Deployment | Build and configuration | Security Baseline |
| | Operational processes | Response processes |
| | | Integration to Overall Security Architecture |

Table 1 - Software Development Activities and Artifacts

Anyways, this was part one of a series on the topic. Will be interesting to read the next installment. If you are into secure programming, this article might be an interesting read to pass along to your dev team partners.

Posted by SilverStr at July 22, 2004 08:48 AM