A Survey on Secure Software Development Lifecycles

A Survey on Secure Software Development Lifecycles

José Fonseca (DEI/CISUC, University of Coimbra/UDI, Polytechnic Institute of Guarda, Portugal) and Marco Vieira (DEI/CISUC, University of Coimbra, Portugal)
DOI: 10.4018/978-1-4666-4301-7.ch002
OnDemand PDF Download:
$37.50

Abstract

This chapter presents a survey on the most relevant software development practices that are used nowadays to build software products for the web, with security built in. It starts by presenting three of the most relevant Secure Software Development Lifecycles, which are complete solutions that can be adopted by development companies: the CLASP, the Microsoft Secure Development Lifecycle, and the Software Security Touchpoints. However it is not always feasible to change ongoing projects or replace the methodology in place. So, this chapter also discusses other relevant initiatives that can be integrated into existing development practices, which can be used to build and maintain safer software products: the OpenSAMM, the BSIMM, the SAFECode, and the Securosis. The main features of these security development proposals are also compared according to their highlights and the goals of the target software product.
Chapter Preview
Top

Software Development And Security

One important metric of software quality is assurance: “a level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle, and that the software functions in the intended manner” (CNSS Secretariat, 2006). To achieve software assurance developers need to build assured software: “Software that has been designed, developed, analyzed and tested using processes, tools, and techniques that establish a level of confidence in its trustworthiness appropriate for its intended use” (CNSS Secretariat, 2006). To achieve this goal, developers must rethink the software development process and address all the phases of the SDL: design, code and documentation (Howard & LeBlanc, 2003). This is like applying the defense-in-depth strategy to the various phases of the software development lifecycle making it more security aware.

Complete Chapter List

Search this Book:
Reset