Security Development Lifecycle
A Process for Developing Demonstrably More Secure Software
What is the Security Development Lifecycle ?
The Security Development Lifecycle (SDL) is a software development process that helps developers build more secure software and address security compliance requirements while reducing development cost.
Applications under attack...
Cybercrime Evolution
Attacks are focusing on applications (chart, 2008)
Which apps are required to follow SDL ?
- Any release commonly used or deployed within an enterprise, business, or organization
- Any release that regularly stores, processes, or otherwise handles sensitive customer information
- Any release that regularly touches or listens on the Internet or other networks
- Any release that accepts and/or processes data from an unauthenticated source
- Any functionality that parses any file type whose use is not protected (i.e., not restricted to system administrators)
Secure Software Development requires process improvement
- Simply "looking for bugs" doesn't make software secure
- Must reduce the chance that vulnerabilities enter the design and code
- Requires executive commitment
- Requires ongoing process improvement
- Requires education & training
- Requires tools and automation
- Requires incentives and consequences
Key Concepts
Privacy in Software Development
What is Privacy?
- Telling users what data is collected and how it will be used.
- Giving users a choice when their data will be used for purposes other than originally disclosed.
- Ensuring data is protected and can only be used for the purposes disclosed.
- Ensuring data practices comply with Federal, State and International laws.
Privacy and Security
Privacy: Empowering users to control collection, use, and distribution of their personal information.
Security: Establishing protective measures that defend against hostile acts or influence and provide assurance of defense.
Important: The standards that keep a system secure don't necessarily ensure user privacy.
Privacy AND Security are key factors for trust
Policy Development Considerations
The Fair Information Practices are the basis of Privacy laws in jurisdictions around the world:
- Notice
- Choice/Consent
- Access
- Security
- Data Integrity
- Onward Transfer
- Enforcement/Remedy
Policy Development Considerations
Other Factors:
- Laws
- Industry Standards
- Regulatory Climate
- Public Perception
- Competitor Practice
- Company Philosophy
Privacy Guidelines for Development
Data types:
- Anonymous Data: Is not unique or tied to a specific person.
- Pseudonymous Data: Carries a unique identifier that does not identify a specific person, but could be associated with an individual.
- Personally Identifiable Information (PII): Data that identifies (or can be used to contact or locate) a specific individual.
- Sensitive PII: A subset of PII that has special requirements due to the higher risk associated with the data.
Notice and Consent Fundamentals
Types of notice:
- Prominent
- Discoverable
Types of consent:
- Opt-in explicit consent
- Opt-out explicit consent
- Implicit consent
Explicit Consent
Explicit consent, also known as express or direct consent, means that an individual is clearly presented with an option to agree or disagree with the collection, use, or disclosure of personal information.
Implicit Consent
Implicit consent, also known as deemed or indirect consent, can mean two things:
- You voluntarily provide personal information for an organization to collect, use, or disclose for purposes that would be considered obvious at the time, or
- You provide personal information to an organization and it is used in a way that clearly benefits you and the organization's expectations are reasonable.
Opt-out consent
Opt-out consent — also known as giving consent by not declining to give consent — means that an individual is given the option to decline consent. If the individual does not clearly decline consent, consent is granted. Opt-out consent is usually done in writing.
Many organizations, especially websites, use opt-out consent as a way to request permission to use your personal information for other purposes.
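The three consent types above differ only in what silence means, and the privacy definition earlier in the deck adds a second rule: data may only be used for purposes that were disclosed. The following is an added example, not code from the deck or its author, showing how a service can encode both rules in one check. The `Purpose`, `ConsentRecord` and `use_permitted` names and the user "alice" with her four purposes are constructed for illustration.

```python
"""Purpose-bound consent checks covering opt-in, opt-out and implicit consent.
Added example; the types and the sample scenario below are assumptions, not the deck's."""
from dataclasses import dataclass, field
from enum import Enum


class ConsentModel(Enum):
    OPT_IN = "opt-in"       # no answer means no consent
    OPT_OUT = "opt-out"     # no answer means consent; a recorded decline revokes it
    IMPLICIT = "implicit"   # consent is implied by the act of providing the data


@dataclass
class Purpose:
    name: str
    model: ConsentModel
    disclosed_in_notice: bool = True      # was this use stated in the privacy notice?
    obvious_at_collection: bool = False   # only consulted for IMPLICIT consent


@dataclass
class ConsentRecord:
    user_id: str
    # per-purpose answers the user actually gave; a missing key means silence
    answers: dict[str, bool] = field(default_factory=dict)

    def record(self, purpose_name: str, agreed: bool) -> None:
        self.answers[purpose_name] = agreed


def use_permitted(record: ConsentRecord, purpose: Purpose) -> tuple[bool, str]:
    """Return (allowed, reason) for using this user's data for `purpose`."""
    if not purpose.disclosed_in_notice:
        # Purpose limitation: a use that was never disclosed needs fresh notice
        # and a new choice, regardless of what the user agreed to elsewhere.
        return False, "purpose not disclosed in notice"
    answer = record.answers.get(purpose.name)   # None when the user said nothing
    if purpose.model is ConsentModel.OPT_IN:
        return (answer is True, "explicit opt-in required")
    if purpose.model is ConsentModel.OPT_OUT:
        if answer is False:
            return False, "user opted out"
        return True, "no decline recorded (opt-out model)"
    # IMPLICIT: only valid when the use is obvious from the context of collection
    if answer is False:
        return False, "user objected"
    if purpose.obvious_at_collection:
        return True, "implied by providing the data"
    return False, "implicit consent cannot cover a non-obvious use"


def demo() -> dict[str, bool]:
    """Constructed scenario: one user, four purposes, one explicit answer."""
    purposes = [
        Purpose("ship-order", ConsentModel.IMPLICIT, obvious_at_collection=True),
        Purpose("marketing-email", ConsentModel.OPT_IN),
        Purpose("product-analytics", ConsentModel.OPT_OUT),
        Purpose("sell-to-data-broker", ConsentModel.OPT_OUT, disclosed_in_notice=False),
    ]
    alice = ConsentRecord("alice")
    alice.record("marketing-email", False)   # explicitly declined the opt-in
    # alice never answered the analytics question: silence
    return {p.name: use_permitted(alice, p)[0] for p in purposes}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22} -> {'permitted' if allowed else 'blocked'}")
```

The point of the scenario is the last purpose: even under an opt-out model, where silence would normally count as consent, a use that was never put in the notice is blocked, because the user was never given the choice the deck's privacy definition requires.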
Notice: Privacy Statements
Any Questions?
Security Development Lifecycle
By Samil Vargas