Protect Your Assets

Fix it before you find out it's broken: Integrating security into your SDLC

ReidAshbridge 06-12-2014 08:29 PM - edited 06-23-2014 12:51 PM


There is no doubt that static and dynamic security testing are an important part of securing your software, but the steps you take before you start testing your application are equally important. If you are responsible for application security in your organization, this post covers some basic steps you can build into your Software Development Lifecycle (SDLC). Keep in mind that there is no one-size-fits-all solution to integrating security into software development; you may need to adapt some of these steps to the maturity level of your organization's SDLC.


1. Get involved as early as possible.


Most application development in your organization is probably requested by a business unit or project team trying to solve a problem or meet a specific business need. Getting involved in these early discussions about ideas and concepts for applications is no easy feat, but it has large benefits for application security. Your involvement helps the business unit or product team understand what is required to secure their application(s). You benefit by knowing in advance which applications are in the development pipeline, being able to prioritize your involvement across those projects, and starting to gather the information you need to threat model each application.


2. Communicate the security requirements.


When the project team starts putting together the application requirements needed to support the business unit's request, this is your opportunity to include security requirements. Security requirements (secure development guidelines) should tell the project team which security controls are needed to protect the application. Ideally, your organization has an Application Security Standard or Policy that includes the secure development guidelines, who is responsible for implementing them, and which classes of vulnerabilities must be fixed before the application can be released. At a minimum, you should have a set of secure development guidelines that you communicate to the development team. Establishing security guidelines with the development teams early on prevents costly and time-consuming rework later to fix vulnerabilities.


3. Review the Architecture (Threat Model if you have time).


No matter how mature your SDLC process is, someone (usually an architect or developer) will need to design the technical components of the application to fulfill the requirements. Setting up a review session to discuss the architecture of the application will improve your understanding of how the application works and help you refine the security requirements. Use these meetings to make sure critical security mechanisms such as authentication, authorization, encryption and access controls are included in the design, and to confirm where the trust boundaries lie (which components are exposed to untrusted users or networks). Architectural vulnerabilities are not only costly to fix, but are also difficult to retrofit into an application after it is in production. Catching them during design is far better than discovering them after development is complete and you have started testing the application.
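One way to make the architecture review in step 3 repeatable is to write the threat model down as data and check it mechanically, so that the same questions (is this flow authenticated? encrypted? is this data store access authorized?) are asked of every design. The script below is an added example and is not code from the original post or from HP Fortify on Demand; the component names, trust zones, control vocabulary (`authn`, `tls`, `authz`) and the sample system are all constructed assumptions for illustration.

```python
"""Minimal threat-model-as-code check for an architecture review.

Assumed model (constructed for this example): components sit in named trust
zones; data flows connect them and declare which controls they carry.
The check flags flows that cross a trust boundary without authentication
or transport encryption, and any access to a data store that carries no
authorization decision.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Component:
    name: str
    zone: str              # trust zone, e.g. "internet", "dmz", "internal"
    kind: str = "process"  # "process", "store" or "external"


@dataclass
class Flow:
    src: Component
    dst: Component
    data: str
    # Controls the design claims for this flow; assumed vocabulary.
    controls: set = field(default_factory=set)


def crosses_boundary(flow: Flow) -> bool:
    """A flow crosses a trust boundary when its endpoints sit in different zones."""
    return flow.src.zone != flow.dst.zone


def find_gaps(flows):
    """Return a list of (flow label, missing control) findings, in flow order."""
    findings = []
    for f in flows:
        label = f"{f.src.name} -> {f.dst.name} [{f.data}]"
        if crosses_boundary(f):
            # Anything crossing a boundary must authenticate its peer and
            # protect the data in transit.
            for ctl in ("authn", "tls"):
                if ctl not in f.controls:
                    findings.append((label, ctl))
        if f.dst.kind == "store" and "authz" not in f.controls:
            # Reaching a data store without an authorization decision means
            # any caller that can reach the store can read or write it.
            findings.append((label, "authz"))
    return findings


def sample_model():
    """Constructed example system: a web front end, an API, a DB and a partner feed."""
    browser = Component("browser", "internet", "external")
    web_app = Component("web_app", "dmz")
    order_api = Component("order_api", "internal")
    orders_db = Component("orders_db", "internal", "store")
    partner_feed = Component("partner_feed", "partner", "external")
    return [
        Flow(browser, web_app, "session requests", {"tls", "authn"}),
        Flow(web_app, order_api, "order data", {"authn"}),        # no TLS across dmz->internal
        Flow(order_api, orders_db, "order rows", {"tls"}),        # no authz on store access
        Flow(partner_feed, order_api, "price feed", {"tls"}),     # partner is not authenticated
    ]


def main():
    gaps = find_gaps(sample_model())
    for label, ctl in gaps:
        print(f"MISSING {ctl:5s}  {label}")
    print(f"{len(gaps)} design gap(s) found")


if __name__ == "__main__":
    main()
```

Run it as a script to list the gaps; in practice the model lives next to the design document, and the review meeting is where each flagged flow is either fixed in the design or explicitly accepted with a recorded reason. The same file can then be rerun when the architecture changes, which is far cheaper than rediscovering a missing control in dynamic testing.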


If you can integrate these three steps into your SDLC, you will improve the security of your applications and save your organization money, time and frustration by being involved early.



About HP Fortify on Demand

HP Fortify on Demand is a cloud-based application security testing solution. We perform multiple types of manual and automated security testing, including web assessments, mobile application assessments, thick client testing, ERP testing, and more. We do this both statically and dynamically, both in the cloud and on premises.
