Many attacks take advantage of various vulnerabilities in software applications which require secure software development best practices in the SDLC such as patching to prevent and detect cyberattacks. A Secure Software Development Framework (SSDF) is a set of guidelines outlining secure as well as efficient software development techniques. In the April 2020 NIST Cybersecurity Whitepaper, an efficient SSDF is divided into the following categories:
- Prepare the Organization (PO)
- Protect the Software (PS)
- Produce Well-Secured Software (PW)
- Respond to Vulnerabilities (RV)
Secure Software Development Best Practices
Alternatively, in their April 2018 whitepaper “Framework for Improving Critical Infrastructure Cybersecurity”, the outline includes the following steps: Identify (ID), Protect (PR), Detect (DE), Respond (RS), and Recover (RC). While the steps essentially follow the same process of finding, addressing, and recovering from vulnerabilities, some steps are consolidated to simplify the processes.
Preparing the Organization (PO)
The first step in secure software development best practices is to prepare the organization using the system for any security risks as well as the range of functionality designed to protect them. A well-prepared organization is less likely to make critical security errors that cause harm to their clients’ sensitive data. An informed organization will also be well-trained in order to deal with any system malfunctions that may arise in a timely manner. Factors of a well-structured organization include clearly defined roles and responsibilities that dictate each developer’s specific designations, as well as ample amounts of tools and resources to make implementation easier and more secure for the development team.
Defining Security Requirements (PO1)
It is vital that software developers understand the security risks that they face before starting the development process, in order to develop around them. Software developed with all relevant security risks and legality in mind will be better suited for security and compliance, ensuring the safety of all parties involved.
Implementing Clear Roles and Responsibilities (PO2)
A clear set of roles and responsibilities makes the development process more efficient as well as more transparent. Any malfunctions in the system can be more easily traced back to the source if the members of the development team are held accountable. Accountability also enables developer roles to be updated in accordance with their work. In an organization where everyone’s roles are evaluated and updated accordingly, the team will work more efficiently and logically.
Implementing a Supporting Toolchain (PO3)
Organizations can implement automated toolchains to enable more secure and accurate security protocols for their developers. The process of automation relieves humans from needing to constantly survey and update the system. Toolchains may be implemented at any level of development (system-wide or simply localized to one project) to assist in the software security process.
Defining Criteria for Software Security Checks (PO4)
Even with automation, it is necessary to manually verify the system on occasion. The checker must know what the code should look like and how it should function, what data should be on it, and be able to identify major security risks. Any accessible data should be used to strengthen this process.
Protecting Software (PS)
During the development cycle, it is critical that all precautions are taken in order to protect the software being worked on. The threats software faces range from internal leaks of private code to attacks on networks to steal data. The code and network must be watched to ensure nothing like this can happen.
Protecting Code from Tampering (PS1)
Code must be protected from unauthorized tampering at all times. This tampering can be malicious in nature, such as a developer looking to steal or leak private software or just ignorant, such as a developer unintentionally adding code that creates a security risk. In order to prevent unauthorized tampering, hierarchical systems of authority can be implemented so that only certain levels of developer can access the entire code, or specific necessary lines. Developers may utilize version control features to review every change made the code or prevent someone from making a new version with authorization.
Providing a Mechanism for Verifying Software Integrity (PS2)
A mechanism must be implemented and made available to the public to verify a software’s legitimacy. This helps consumers ensure that the software they’re using is legitimate and hasn’t been tampered with. This verified integrity creates a level of trust between the consumer and the software, as well as the developers who made it.
Archiving and Protecting Each Software Release (PS3)
After each update or new release of a software, it is necessary to archive and store the code in a secure manner. This prevents tampering with old code as well as securing existing code to check its legitimacy. If a code repository is stored offline or safely on a third-party system, developers can crosscheck the current version against an archive to ensure the code has not been tampered with at all.
Producing Well-Secured Software (PW)
After implementing a secure archiving protocol, scanning to the code for malicious lines or tampering, and preparing a development team for the security obstacles they may face, it is crucial to ensure the software itself is produced securely.
Designing Software to Mitigate Security Risks (PW1)
In order to make the software development process more secure, each component must be checked for security requirement compliance and any additional risks. All risks posed by the software in question must be figured out and solved before finalization. The software’s design should be able to safely avoid security risks in an efficient manner by determining when the security measures can be waived or relaxed.
Reviewing Software Design to Ensure Compliance with Security Requirements (PW2)
During development, the software should be checked to make sure it complies with the organization’s safety standards as well as local regulation. Compliance under both of these categories guarantees a decrease in vulnerability. These checks must be done by an independent third party that had no hand in the software development for fairness and integrity. This prevents tampered or unsafe code from being approved and brings a fresh perspective.
Verifying Third Party Software to Ensure Compliance (PW3)
If any third-party software is being deployed–whether it be in conjunction with the developed software or as a separate mechanism entirely–it must also be checked for security and regulatory compliance. If the third-party development is in communication with the main organization, the organization must make the third party aware of all necessary security and legislative procedures before development. If the organization is acquiring existing software, they must check its compliance themselves.
Reusing Existing Secured Software (PW4)
In order to lower the cost of development, the developer organization may acquire existing software if it has been secured and checked for non-compliant code. The code may come from any source (private, open source, commissioned) but they all fall under the same security requirements. Developers may also modify code or build on it to better integrate it into their module.
Creating Source Code that Complies with Code Security (PW5)
Another practice to reduce costs during the development period is secured source code. If the source code isn’t well developed with security in mind, it negates the influence of the previous steps. When vulnerabilities are weeded out early in the development cycle, it saves resources down the line. This step requires coders to analyze their own human-readable code numerous times while scrutinizing it, testing it, and doing further research into their methods. Sometimes, it can also be helpful to have a different coder test and analyze the code for full clarity and trust.
Configuring Build Process to Improve Executable Security (PW6)
Another cost reduction factor in the development process is to verify the code’s security before testing begins. Usually, a mechanism is implemented in the build and execution process to measure software security before the testing even begins. Removing any potential security violations before the testing process saves immense amounts of time and money, as less unknown problems have to be dealt with later on.
Reviewing Code to Verify Compliance (PW7)
Before deploying software, it is vital that developers check for weaknesses that could be exploited upon release. Depending on the organization, the checking process may be automated for speed and efficiency or manually to ensure exact precision. All security checks, whether automated or not, must be performed in conjunction with the organization’s security practices as well as local regulation.
Testing Code to Verify Compliance (PW8)
After the testing process is complete, any executable code must be reviewed for vulnerabilities before deployment. The organization in charge of development must determine which type of executable code testing is right for their purposes. The tools for checking must be designed by the organization to ensure security requirements are met.
Configuring the Software to Have Security Settings Defaulted (PW9)
To ensure the highest caliber of security, the most secure settings of a software should be enabled by default. This reduces the risk of exploitation upon installation of the software by protecting the uninformed user. The default group of settings should be made known to the security administrators who can verify if the settings are appropriate for the organization or not. All parties agreeing on the most secure settings from installation not only protects the consumer upon installation, but the software and development team as well.
Responding to Vulnerabilities (RV)
The most critical step of the secure software development best practices and cycle is reduction and response to vulnerabilities found in the source code. Some vulnerabilities are inherent to how the code is built or executed, so the proper action may be to respond to it with a solution instead of removing it entirely. This response can be addressed in a security setting that is enabled by default or some other authorization mechanism that prevents an exploit from being used.
Identifying and Confirming Vulnerabilities on an Ongoing Basis (RV1)
Even after release of the software, it is necessary for the development team to regularly check for vulnerabilities. This ensures that existing exploits are found quickly and before anyone else can find them. It also allows new exploits to be discovered immediately after every version release. With the data gathered in this step, a team should be prepared to analyze the code and respond in a timely matter to any discrepancies that are found.
Assessing, Prioritizing, and Remediating Vulnerabilities (RV2)
After identification of a vulnerability, the next step in the secure software development best practices is to analyze the problem and devise a solution as quickly as possible, to deter exploits. The analysis of a vulnerability should aim to gather as much relevant data as possible to understand the issue. After sufficient evidence is collected, a remediation plan must be devised to deal with the situation. Depending on the type of vulnerability as well as the severity, the plan may include removal of the code that created the exploit, additional code being implemented to fix it, or some alternative mechanism to alleviate the pressure presented by the exploit.
Analyze Vulnerabilities to Identify Their Root Causes (RV3)
After a plan has been set in place to deal with vulnerabilities that have been identified, a software plan must also be put in place to ensure a similar occurrence won’t happen in the future. First, the root causes of the issue must be identified to understand the nature of the issue. If the problem occurs in other ways throughout the code, the rest of the code must be checked to ensure another vulnerability doesn’t exist. The secure software development best practices in the SDLC (Software Development Life Cycle) process may also be updated to prevent any similar future occurrences.