Security Development Lifecycle

A Process for Developing Demonstrably More Secure Software

SDL

A Process for Developing Demonstrably More Secure Software

What is the Security Development Lifecycle?

The Security Development Lifecycle (SDL) is a software development process that helps developers build more secure software and address security compliance requirements while reducing development cost.

Applications under attack...

Cybercrime Evolution

Attacks are focusing on applications

2008

Which apps are required to follow SDL?

  • Any release commonly used or deployed within an enterprise, business, or organization
  • Any release that regularly stores, processes, or otherwise handles sensitive customer information
  • Any release that regularly touches or listens on the Internet or other networks
  • Any release that accepts and/or processes data from an unauthenticated source
  • Any functionality that parses any file type that is not protected (i.e., not limited to system administrators)

Secure Software Development requires process improvement

  • Simply "looking for bugs" doesn't make software secure
  • Must reduce the chance that vulnerabilities enter the design and code in the first place
  • Requires executive commitment
  • Requires ongoing process improvement
  • Requires education & training
  • Requires tools and automation
  • Requires incentives and consequences

Key Concepts

Privacy in Software Development

What is Privacy?

  • Telling users what data is collected and how it will be used.
  • Giving users a choice when their data will be used for purposes other than originally disclosed.
  • Ensuring data is protected and can only be used for the purposes disclosed.
  • Ensuring data practices comply with Federal, State and International laws.

Privacy and Security

Privacy: Empowering users to control collection, use, and distribution of their personal information.

Security: Establishing protective measures that defend against hostile acts or influence and provide assurance of defense.

Important: The standards that keep a system secure don't necessarily ensure user privacy.

Privacy AND security are both key factors for trust.

Policy Development Considerations

The Fair Information Practices are the basis of privacy laws in jurisdictions around the world:

  • Notice
  • Choice/Consent
  • Access
  • Security
  • Data Integrity
  • Onward Transfer
  • Enforcement/Remedy

Policy Development Considerations

Other Factors:

  • Laws
  • Industry Standards
  • Regulatory Climate
  • Public Perception
  • Competitor Practice
  • Company Philosophy

Privacy Guidelines for Development

Data types:

  • Anonymous data: Not unique to, or tied to, a specific person.
  • Pseudonymous data: A unique identifier that does not by itself identify a specific person, but could be associated with an individual.
  • Personally Identifiable Information (PII): Data that identifies (or can be used to contact or locate) a specific individual.
  • Sensitive PII: A subset of PII that has special handling requirements due to the higher risk associated with the data.

Notice and Consent Fundamentals

Types of notice:

  • Prominent
  • Discoverable

Types of consent:

  • Opt-in explicit consent
  • Opt-out explicit consent
  • Implicit consent

Explicit Consent

Explicit consent, also known as express or direct consent, means that an individual is clearly presented with an option to agree or disagree with the collection, use, or disclosure of personal information.

Implicit Consent

Implicit consent, also known as deemed or indirect consent, can mean one of two things:

  1. You voluntarily provide personal information for an organization to collect, use, or disclose for purposes that would be considered obvious at the time, or

  2. You provide personal information to an organization and it is used in a way that clearly benefits you and the organization’s expectations are reasonable.

Opt-out consent

Opt-out consent, also known as giving consent by not declining to give consent, means that an individual is given the option to decline consent. If the individual does not clearly decline consent, consent is granted. Opt-out consent is usually done in writing.

Many organizations, especially websites, use opt-out consent as a way to request permission to use your personal information for other purposes.

Notice: Privacy Statements

Any Questions?

Security Development Lifecycle

By Samil Vargas