Implementing SSDLC¶
A secure SDLC instils security practices at every phase of the lifecycle, from writing security requirements alongside functional requirements through to running security testing tools against the delivered code.
Security posture¶
Understanding the gaps and current state is critical for successfully introducing a new tool, solution, or change.
To help grasp what the current security posture is, start by doing the following:
Perform a gap analysis to determine what activities and policies exist in the organisation and how effective they are. For example, check that each policy (what the team must do) is backed by a security procedure (how the team actually carries it out); a policy with no procedure behind it is a gap.
Create a Software Security Initiative (SSI) by establishing realistic and achievable goals with defined metrics for success. Examples of such goals are a Secure Coding Standard or playbooks for handling data; track progress against them in the project management tools the teams already use.
Formalise processes for security activities within your SSI. After starting a programme or standard, spend an operational period helping engineers become familiar with it and gathering their feedback before enforcing it. Every policy identified in the gap analysis should end up with defined procedures, otherwise it cannot be effective.
Invest in security training for engineers as well as in appropriate tools. Make sure people know about new processes and the tools that operationalise them, and deliver the training early, ideally before the tool is rolled out.
SSDLC processes¶
A secure SDLC involves integrating processes like security testing and other activities into an existing development process: