• ADVISORY & MANAGED SERVICES

SSDLC

Developing Secured Applications

What is SSDLC?

SSDLC (Secure Software Development Life Cycle) is a process model used by organizations to build secure applications. The SSDLC process defines how to integrate security into the software development process. 

Integrating the SSDLC process into the overall development process results in:

 – Reducing/preventing damage caused by cyber attacks.

–  Reducing the costs of addressing information security weaknesses in 
    applications, due to early identification of potential vulnerabilities.

 –  Significantly fewer remaining vulnerabilities when the application is ready to 
     go live, thereby reducing delays in the go-live process.

 
Share on linkedin
Share on facebook
Share on twitter

Client's Problems

In the past, most organizations performed security activities only after completing the application’s development, i.e. only a few days or weeks before they deploy the application to production. It might be too late at that point and this could result in:

–  High cost to fix a vulnerability found in the design of the software or its core
    function. 

–  Release of a less secure application for public use due to a lack of time to fix all
    vulnerabilities.

–  Missed business goals due to the delay in deploying the release to production

–  The application may have several unknown vulnerabilities due to time limitations and limited numbers of tests performed.

 

 Comsec's Solution

Comsec’s professionals will guide the organization in establishing an SSDLC process to integrate security into the overall software development timeline. Comsec will help with definition and performance of the following SSDLC framework topics:

• Defining the SSDLC process itself

• Conducting secure development training sessions for developers

• Architecture analysis

• Design review

• Code review

• Penetration testing

Why Comsec's

Many organizations which tried to implement an SSDLC process by themselves had limited success despite significant internal efforts. This is due to their approach of taking SSDLC best practices from free sources on the internet and trying to implement them in the organization as-is.

At Comsec, we are experienced and understand that the SSDLC process must be suited to the organization. In most cases, an SSDLC process that was successful for one organization will not be appropriate for other organizations. 

 

Comsec’s consultants, with a background in both development and application security, will guide you and tailor the SSDLC process to be suited and appropriate for your organization.

 Appendix: But why is it so important?
 Let’s say that your company manufactures cars.
1. Would it be reasonable to design them only according to the features that customers request, such as colour, air-conditioning, etc., without considering safety requirements such as brakes, airbags, mirrors, etc.?
2. Would it be reasonable if there were no warning indicators such as for engine temperature, and the only warning would be large quantities of smoke and flames?
3. Would it be reasonable for safety tests to consider frontal impact only?
4. Would it be reasonable if the employees were very proficient in making the cars drive fast, and implementing a perfect multimedia system with an amazing UI, but wouldn’t know how to connect the brakes or install the airbags?
 
It’s the same with application development:
1. As with cars, it would not be reasonable to define only the application’s features and functionality without considering security requirements.
2. It would not be reasonable if the only indication of a system hack is when a customer calls you and tells you that someone hacked their account.
3. It would not be reasonable to only test login to the application.
4. It would not be reasonable if the developers have no knowledge of application security and how they should protect the application.
 
Close Menu