Everyone agrees that information security is important. But the problem is that many organizations only perform security activities like penetration testing after they’ve already developed the application and when it’s only weeks, or sometimes just days, before production.
If this sounds like your organization, keep reading. This important misstep could have profoundly negative ramifications for your company:
- Penetration testing normally only finds 50%-80% of the vulnerabilities, leaving other vulnerabilities you’re not even aware of
- High cost of fixing any vulnerability found in the design of the software or its core function at such a late stage
- Release of a less secure application because there isn’t enough time to fix all the vulnerabilities
- Missed business goals caused by the delay in deploying the release to production
So what’s SSDLC and why do I need it?
SSDLC (Secure Software Development Life Cycle) is a process model used by organizations to build secure applications. It defines how to integrate security into the overall software development process.
Here are 5 reasons why you should implement an SSDLC process in your organization:
Reason 1: Security
Systems developed by an SSDLC process are more secure. Security features are defined by the requirements of the software, the design and the development. Because security is an integral part of the overall development process, any vulnerabilities in the software will be much easier to detect than with just basic penetration testing.
Below is a great example of the statistical improvements Microsoft enjoyed over time.
Reason 2: Save money
The earlier in development you find a security bug, the less it costs to repair. So if you perform security activities like penetration testing only at the end of the development process, you will spend more to repair the bug than if you had found it earlier on.
Reason 3: Save time
It’s more or less the same in every organization: You developed some great software, you perform penetration testing, you have a report with a long list of vulnerabilities, BUT you only have a few days to fix them. If your vulnerabilities aren’t critical, you might just risk it and release the software to production with those vulnerabilities and then mitigate them as soon as you can. If the vulnerabilities ARE critical, you have to delay the release. When you perform SSDLC, the majority of the vulnerabilities will be found in early stages. So most of the time, there will only be a few minor vulnerabilities when the time comes for release.
Reason 4: Regulations
Nowadays, more and more regulations and standards such as GDPR, ISO and others require organizations to have an SSDLC process in place. In other cases, it might be something that your customer requires from you. Either way, regulations are regulations.
Reason 5: The Chief Information Security Officer (CISO) problem
Most CISOs have to deal with the same issues. If you’re a CISO, then you likely have in-depth knowledge of information security firewalls, networking and other infrastructure products but you probably don’t have expertise in guiding development teams in how to develop their products in a secure way. And if you’re from the development side, you probably know a lot about software development, but you don’t have enough knowledge in application security. So an SSDLC is the solution that addresses these knowledge gaps!
At the end of the day, organizations which integrate an SSDLC process into their overall development process benefit from:
- Reduced damage from cyber-attacks
- Lower costs of addressing information security weaknesses in applications due to early identification of potential vulnerabilities
- Significantly fewer vulnerabilities when the application is ready to go live, thereby reducing delays in the go-live process
How can I get started?
Comsec’s professionals will guide your organization in establishing an SSDLC process to integrate security into your overall software development timeline. We’ll help with definition and performance of all the SSDLC framework activities and you can also use our off-the-shelf SSDLC document for small organizations and startups.
What are you waiting for?