40 likes | 235 Vues
Security Development Lifecycle. Core security training. An undetected software requirement defect can cost 50 to 200 times as much to fix when discovered later in the development or post-development process. Establish security requirements Analyze security & privacy risk
E N D
Security Development Lifecycle • Core security training An undetected software requirement defect can cost 50 to 200 times as much to fix when discovered later in the development or post-development process. • Establish security requirements • Analyze security & privacy risk • Define quality gates & bug bars • Establish design requirements • Attack surface analysis • Threat modeling One hour of software QA activities can save between 3 and 10 hours of post-release remediation work. • Specify tools • Enforce banned functions • Static analysis • Dynamic/fuzz testing & analysis • Verify threat models & attack surface A defect found and fixed during a code review would cost 10 to 100 times as much to fix when discovered later in the development or post-development process. • Incident response plan • Final security review • Execute incident response plan • Goals: • Protect customers • Reduce the number of vulnerabilities • Reduce the severity of vulnerabilities • Principles: • Prescriptive, practical, proactive • Eliminate security problems early • Secure by design