RE: Collaboration in a Secure Development Process
In the June issue of the Information Security Bulletin there is an article examining specific ways that the security and development teams can collaborate while software is being designed and developed, as opposed to only patching software once it has been deployed. The article explores how software is extremely malleable in the design and development phase, but once the architectural layers, tiers and distribution models are set and the application is deployed, the cost and complexity of making changes rises dramatically.
My favorite part of the article is the clarity it gives in a table of the Software Development Activities and Artifacts. It clearly relates development processes and security-specific artifacts. Basically it looks something like this:
| Phase / Activity | Standard Software Development Process Artifact | Security-specific artifact |
|---|---|---|
| Analysis | Use Case; Functional and non-functional requirements; Glossary | Misuse Case |
| Design | Object modeling; Design Patterns | Threat Modeling; Data Classification; Security Integration Design |
| Coding | Unit Tests; Code Development | Unit Hacks; Countermeasure and detection development |
| Deployment | Build and configuration; Operational processes | Security Baseline; Response processes; Integration to Overall Security Architecture |

Table 1 - Software Development Activities and Artifacts

Anyways, this was part one of a series on the topic. Will be interesting to read the next installment. If you are into secure programming, this article might be an interesting read to pass along to your dev team partners.