SecureState’s SecSDLC starts with an inventory of the applications in the environment, from which a categorized and prioritized list is built. This is a critical first step that programs focused on application security often overlook. It is impossible to build an application security program unless you know how many applications exist in the environment and what regulatory, financial, and operational security requirements apply to each of them. SecureState gathers this information and gets everyone to the starting line so that each application can flow through the rest of the process.
The rest of the process follows the classic phases of a waterfall SDLC: defining the requirements, architecting the application, building and testing it, deploying it to production, and maintaining it in production. During each phase, specific steps need to be taken to properly address application security. Each of the security components added to the SDLC plays a critical role; it is therefore important to make sure that either the client or SecureState performs all of the steps.
Below are general descriptions of each of the seven phases within the SecSDLC:
- Phase 0: Identify the applications in the environment, determine which applications should be addressed first, and determine the level of testing required for each
- Phase 1: Generate the application security requirements
- Phase 2: Review the application design and its supporting infrastructure to verify it meets security requirements
- Phase 3: Conduct assessments during the coding process to ensure that the security requirements are met and secure coding practices are followed
- Phase 4: Perform a security review to test the application for vulnerabilities and ensure it meets security requirements
- Phase 5: Conduct a security review to verify that the application is securely implemented in production
- Phase 6: Maintain the security of the application while in production, from deployment until the application is decommissioned