An SDL means something different to each organization. For a company like Microsoft, the SDL is a very comprehensive framework with many checks and gates, and for good reason: their software is among the largest and most widely used, and it is constantly under attack. For others, it doesn't need to be that extensive and can just incorporate best practices and some checks. We fall somewhere in between, so I decided to come up with the basic framework of an SDL, look at the different methodologies, and then apply a maturity rating to our applications to determine how extensively we would perform the tasks in the model.
Basic Framework
The basic framework of an SDL is composed of seven distinct processes that run in parallel with the SDLC:
- Training
- Requirements
- Design
- Implementation
- Verification
- Release
- Response
Each process has a security-specific component to it, even though the processes line up with the other activities in the SDLC.
Methodologies
While there may be other methodologies, I really only looked at a couple:
- Open SAMM - this was probably the best of the ones I looked at because it is an open framework to help you put security into software development without being overly prescriptive.
- Microsoft SDL - this is the most comprehensive, but it is still a framework and can be adapted to your needs. The tough part is that once you have adapted it to fit your work, you keep going back and trying to add the other processes, which brings it back to the original.
There are various degrees of what will be done under each of those models, so to determine which tasks we would do for a particular application, we do a maturity evaluation of the application.
Maturity
We came up with a questionnaire to assess an application and give it a maturity level, based on answers about exposure, patient data, architecture and other criteria. I kept the maturity levels to four:
- Low risk - internally developed or used, no personal or company information, not web-enabled
- Medium risk - web-enabled internal use, with some private information (Intranet)
- High risk - web-enabled external use with private but not sensitive information (Quality Center)
- Critical - web-enabled external use with sensitive information (customer portal)
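As an added illustration (not code from the original post), here is one way to encode the four levels above as an ordered rule set driven by the questionnaire answers. The question names, the "sensitive implies private" normalization, and the fall-through to manual review for answer combinations the rubric does not cover are my assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Answers:
    """Normalized yes/no answers from the maturity questionnaire (assumed question set)."""
    web_enabled: bool     # reachable over HTTP(S) at all
    external_use: bool    # used by people outside the company (customers, partners)
    private_info: bool    # any personal or company information
    sensitive_info: bool  # e.g. patient data; treated as implying private_info


def answers_from_questionnaire(raw: Dict[str, str]) -> Answers:
    """Turn raw 'yes'/'no' questionnaire responses into an Answers record.

    Unanswered questions default to 'yes' so a missing answer never lowers the level.
    """
    def yes(key: str) -> bool:
        return raw.get(key, "yes").strip().lower() == "yes"

    sensitive = yes("sensitive_info")
    return Answers(
        web_enabled=yes("web_enabled"),
        external_use=yes("external_use"),
        private_info=yes("private_info") or sensitive,
        sensitive_info=sensitive,
    )


def maturity_level(a: Answers) -> Optional[str]:
    """Return the maturity level, checking the highest-risk rule first.

    Returns None when no rule matches (for example, a non-web application holding
    sensitive data) so the application is routed to manual review instead of
    silently landing in a lower level.
    """
    if a.web_enabled and a.external_use and a.sensitive_info:
        return "Critical"   # web-enabled, external use, sensitive information
    if a.web_enabled and a.external_use and a.private_info:
        return "High"       # web-enabled, external use, private but not sensitive
    if a.web_enabled and not a.external_use and a.private_info and not a.sensitive_info:
        return "Medium"     # web-enabled, internal use, some private information
    if not a.web_enabled and not a.private_info:
        return "Low"        # internal, no personal or company information, not web-enabled
    return None             # outside the rubric: escalate for manual review


def classify(raw: Dict[str, str]) -> Optional[str]:
    return maturity_level(answers_from_questionnaire(raw))
```

The None path is deliberate: the four definitions leave gaps (a web-enabled external application with no private data, or a thick-client application holding patient data), and the evaluation should surface those rather than guess.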
In another post, I'll write about how to put the people, process and technology into the SDL.