Organizations develop custom applications to meet business requirements ranging from internal usage to customer outreach. While applications developed and implemented purely for internal business purposes are safe from being exploited by external actors, they too need to be designed to be robust enough to handle attacks from internal malicious actors. Applications deployed for public access on the internet are subject to a much more varied range of security threats.
As a standard practice, large organizations employ quality control along with internal cybersecurity experts to ensure that basic checks for security loopholes are addressed.
The concept of a Secure Software Development Lifecycle (SSDLC) gained prominence as more and more attacks were observed on applications. It refers to the best practices proposed for any organization developing applications, and the security concepts to be considered during development. The security concepts aligned to each stage of the SDLC are described below:
At the conceptual stage itself, the application owner and the associated security function owner need to map the various security challenges that may present themselves once the application is launched. All risks identified should be recorded in a risk register, and their mitigation should be planned in the next stages of application development.
At the design stage, the various integrations and the models of these integrations need to be evaluated. This stage also needs to review the risks identified during the conceptual stage and add, change or remove risks in the risk register. Each module, and the entire application as a unit, needs to be designed in line with “Secure by Design”.
At the testing stage, the team should focus on application functionality along with possible threats faced across identity, APIs, database, middleware, etc. Runtime security vulnerabilities can be observed and recorded during this stage and fed back to the development team before the application moves to the production stage.
While an application might not show any vulnerabilities or gaps during the previous stages, it may show challenges during deployment for a customer or when it is committed to production. A configuration review before the final roll-out of the application can help identify any vulnerabilities and plug them before they are exploited.