Despite far wider awareness of the risks than even five years ago, applications are still frequently the weak point in system security. This is backed up by the findings of an independently commissioned study conducted by Forrester Consulting. The study interviewed development, security and risk professionals across both the US and UK, and found that while companies feel they understand the business criticality of their application portfolios, they have little confidence in the security quality of those applications.
- Only 13% of respondents are confident in the security quality of applications which are critical to the business
- Only 34% of organisations surveyed had comprehensive software development lifecycle (SDLC) processes incorporating security considerations
- At least 57% of organisations surveyed did not have effective training programmes addressing security training for developers
In today’s environment, time-to-market is critical for application development, and there is always a delicate balance between functional requirements, business needs and security risk. Organisations are understandably focused on ensuring that developers deliver the business functional requirements. In this environment it is too easy to overlook critical flaws in design, or underlying vulnerabilities in the commercial-off-the-shelf components that are inevitably part of the application or of the environment in which it operates.
Ideally, a client will engage the services of Commissum’s assurance specialists at the earliest phases of a project; it is significantly more cost effective to design with best practice security in mind from the start. However, the knowledge and skills of the Commissum team can be applied at any or all stages.
Our standard approach ensures that five key aspects are addressed in the SDLC:
- Governance - the essential processes related to how an organisation manages its software development lifecycle
- Development - processes related to how an organisation defines the objectives and requirements for the software, and designs and develops software within projects
- Verification - processes related to an organisation testing elements created throughout development, both prior to and following release
- Deployment - processes related to an organisation managing the release of software it creates to a production environment
- Support - processes related to how an organisation manages the through-life support of software, covering change control of the development process, patch management and training
Commissum is able to apply its service portfolio to support the assurance requirements of projects ranging from large-scale turnkey enterprise projects to discrete, single-focus development projects. Our experience here comes from both the private and public sectors and can be applied throughout the project lifecycle. Examples include:
- Management Frameworks – assisting in implementing project management frameworks so that assurance and security considerations are firmly embedded in the lifecycle. This ensures that security is involved as early as possible, ideally from the requirements phase, and then through design, implementation, test, production and through-life support, so that appropriate controls are an integral part of the evolving solution.
- Gap Analysis – essentially a tightly scoped audit against best practice of the processes adopted for managing a project's security controls. The scope can be either the processes applied to the conduct of the overall project, or the processes that build security considerations into the development of project deliverables.
- Project Assurance Support – appropriate input throughout the lifecycle to the management, design, development and test/acceptance processes. This can include analysis of and input to requirements definition, design review at various stages, workshop facilitation, project team training and test plan development. The key point is that it is more efficient to establish security principles and identify issues early than to take corrective action later.
- Security Testing – a core competency is our security testing capability, which validates the effectiveness of designed and implemented security controls. This typically addresses both the infrastructure and application layers, albeit often at different stages of development. Testing also confirms that controls strike the right balance between system security and operational effectiveness. As a minimum this usually involves testing of production systems immediately prior to and following go-live; in an SDLC context, testing should be planned into the schedule from the early stages.
- Training – according to the Forrester report, at least 57% of organisations do not have effective training programmes addressing security training for their developers. Commissum can provide training ranging from basic awareness of secure development issues to security training for specific technologies.
- Through-Life Support – ongoing support of systems through monitoring and updates, and application of appropriate management frameworks for change control. Commissum will provide advice or a full turnkey service as required.
Involving Commissum, and security considerations generally, early in the SDLC results in a more efficient development process overall, significantly reduced time and cost overruns caused by late project redesigns, a secure system and satisfied business stakeholders.
It is worth noting the documented and measured experience of Microsoft in this regard. Microsoft’s Trustworthy Computing Security Development Lifecycle (SDL) was introduced as a new lifecycle approach that embedded the critical elements of security within the development lifecycle, so that security was appropriately considered as part of normal development. As a result of this initiative, Microsoft reported 60% fewer vulnerabilities in the operating systems it released in 2008 than in those released in 2002.