Security is critical to the connected systems that underpin technological development in domains such as aerospace, defence, automotive, healthcare and industrial control. When networked together, intelligent electronic devices form smart systems that affect almost every aspect of our lives. A secure software development lifecycle (SSDLC) is a key component of any defence-in-depth strategy.

Within these connected systems, application software resides both on the IT infrastructure associated with the cloud and in the embedded applications running on endpoint devices. In either case, developers often face enough external pressure (schedules, cost, feature demands) for application security to slip down their list of priorities.

Cybersecurity is primarily concerned with the protection of data. However, in developing a secure application it is easy to forget that providing such protection involves more than the data itself: the system must also be designed to safeguard that data against attackers and to defend every interface to the system.

Traditional practice for secure code verification is largely reactive. Code is developed in accordance with relatively loose guidelines and is then subjected to performance, penetration, load and functional testing to identify vulnerabilities, which are addressed only after they have been found (Figure 1).
Figure 1: The traditional approach to secure code development
A better, proactive approach is to ensure that code is secure by design. That implies a systematic development process in which code is written in accordance with secure coding standards, each unit of code is traceable to one or more security requirements, and testing demonstrates compliance with those requirements as development progresses rather than only at the end (Figure 2).
Figure 2: The proactive approach to secure code development
This proactive approach integrates security-related best practices into the traditional Software Development Life Cycle (SDLC). The resulting Secure Software Development Life Cycle (SSDLC) represents the state of the art for application developers, and is a practical way of ensuring that vulnerabilities are either designed out of the system or addressed in a timely and thorough manner.