As of today, I have completed integrating security into the standard SDLC to prevent security bugs from appearing in released applications. The SEI CMMI Version 1.1, Maturity Level 5 process has been updated with security tests, tools, guidelines and templates to ensure application security is adequately covered and controls are effective throughout the development process. Following is a brief summary; click here to download it.
| SDLC Process | Requirements & Engineering Management | Architecture & Design * | Coding & Unit Testing | Integration & Testing |
|---|---|---|---|---|
| Entry Criteria | Business Requirements; Constraints & assumptions | Security requirements; High Level Architecture/Design Document; Use cases | Threat model; High Level/Low Level Architecture and Design Documents | White Box test results |
| Activities | Determine application risk rank; Identify key compliance objectives; Define secure integration with external systems | Create threat model; Review/modify security requirements; Architecture & Design Review | Security development/coding guidelines and best practices; White Box Review & Host review; Static code analyzer | Automated Application Assessment; Manual/Automated penetration testing |
| Deliverables | Security test strategy; Security integrated into the development process; Predictive Risk Ranking | Threat model; Security requirements in all defined components; Architecture & Design Review Report | White Box Review Report & Sign off | Black Box Review Report & Sign off |
| Tools | Security consultant; Security Requirements Review Checklist | Threat Model Tool; Architecture & Design Review Checklist | Static Code Analyzer; Security Development Guidelines | Automated security tool |
| Exit | Test strategy approved | No Sev 1 & Sev 2 issues exist | No Sev 1 & Sev 2 issues exist | No Sev 1 & Sev 2 issues exist |
| Responsibility | Project Team & Security Team | Project Team & Security Team | Project Team & Security Team | Project Team & Security Team |