SlideShare a Scribd company logo

Lecture Course Outline and Secure SDLC.ppt

Download as ppt, pdf
D
DrBasemMohamedElomda

This document outlines a secure software development course. The course goals are to explain computer security needs and requirements, introduce security best practices, and present techniques for evaluating security solutions. It will be graded through exams, assignments, and a final exam. The course material will include a delivered textbook. The timeline shows the course content by week, covering topics like risk assessment, secure design patterns, threat modeling, and security testing. The document also provides the lecturer's contact information and defines key terms like information security risks and software security.

1 of 40
Download to read offline
Secure Software Development
Course Goals It explains the need for computer security Explains how security requirements can be met with well-established techniques Risks can be addressed though novel technologies and techniques Introduces Security Design Best Practices Explains the scope of the available technical solutions Presents techniques for evaluating security solutions
Course Lecturer’s Contact • E-mail: • Office hours:
Course Grading System 7th week 20 marks on exam 10 marks on section Continuous Assessment 12th week 10 marks on exam 10 marks on section Final Exam 10 marks on sections 40 marks on exam
Course Material Delivered Textbook .
Course Timeline by weeks 6 4 2 Security Requirements Planning: Risk Assessment Design: Architectural Risk Analysis Course Outline and Secure SDLC Requirements: Misuse Cases Design: Secure Design Patterns EXAM
Course Timeline by weeks 13 11 9 Implementation: defensive coding practices Design: Threat Modelling Security Testing: Penetration Testing, Risk- based Security Testing EXAM 15 Assessment: CVSS Assessment: CWSS Revision Projects’ Review
Lecture 1 • Secure SDLC • The Security Development Lifecycle: Proactive vs. Reactive
Glosarry • Information Security Risks: the probability that a particular threat-source will exercise a particular information system vulnerability and the resulting impact if this should occur (NIST publication 800-27) • Software Security: a way to defend against software exploits by building software to be secure (McGraw Exploiting Software) • Application Security: a way to defend against software exploits in a post-facto way after deployment is complete (McGraw Exploiting Software)
What is at risk?
How we approach risk?
What Is Secure SDLC and Why Is Important? • Security System Development Life Cycle is defined as the series of processes and procedures in the software development cycle, designed to enable development teams create software and applications in a manner that significantly • reduces security risks, • eliminate security vulnerabilities • reducing costs. • The process, like the traditional Systems Development Life Cycle, is divided into a number of phases.
What Is Secure SDLC and Why Is Important?
What Is Secure SDLC and Why Is Important? • Development teams use different models such as Waterfall, Iterative or Agile. However, all models usually follow these phases: • Planning and requirements • Architecture and design • Test planning • Coding • Testing the code and results • Release and maintenance
What Is Secure SDLC and Why Is Important? • Developers usually performed security-related tasks only at the testing stage, resulting in discovering issues too late or not at all. • With time, teams started to integrate security activities to catch vulnerabilities early in the development cycle. • With this in mind, the concept of secure SDLC started. • Secure SDLC integrates activities such as penetration testing, code review, and architecture analysis into all steps of the development process.
Benefits of adopting a secure SDLC • The main benefits of adopting a secure SDLC include: • Makes security a continuous concern—including all stakeholders in the security considerations • Helps detect flaws early in the development process—reducing business risks for the organization • Reduces costs—by detecting and resolving issues early in the lifecycle
How Does Secure SDLC work? • Most companies will implement a secure SDLC simply by adding security- related activities to their development process already in place. • For example, they can perform an architecture risk analysis during the design phase. • There are seven phases in most SDLCs although they may vary according to the methodology used, such as Agile or Waterfall: • Concept • Planning • Design and Development • Testing • Release • Sustain • Disposal
How Does Secure SDLC work? • For example, a development team implementing the waterfall methodology may follow the following scheme:
How Does Secure SDLC work? • Each security activity should correspond with a phase in the SDLC, as follows:
How Does Secure SDLC work?
How Does Secure SDLC work?
Considerations when implementing a Secure SDLC (1) SDL Discovery • The goal should be to determine: • the security objectives required by the software, • what are the possible threats and • what regulations the organization needs to follow. • When working on the scope of the SDL, a development team should focus on deliverables such as: • security milestones, • required certifications, • risk assessments, • key security resources, and • required third-party resources.
Considerations when implementing a Secure SDLC (2) Security Baselines • Here you should list what are the requirements your product need to comply with. • For example, only using approved cryptography and libraries or using multifactor authentication. • A Gap Analysis, contrasting the product’s features against the baseline, is useful to identify the areas not complying with the security baseline. • When finding a gap, this needs to be addressed as early as possible in the lifecycle. • Since companies release a product based on the percentage of compliance with the baseline, is important to work on gaps through the development process.
Considerations when implementing a Secure SDLC (3) Security Training and Awareness • The company should provide security training sessions for developers, designers, architects, and QA. • They can focus on secure design principles, security issues, web security or encryption. • Security awareness sessions are not geared specifically for the development team, involving everyone that is connected to the project within the organization. • Sessions should be easy in terms of technical level and can include topics such as the various cybersecurity threats or risk impact and management.
Considerations when implementing a Secure SDLC (4) Threat Modeling • Modeling the software components to identify and manage threats early in the development lifecycle. • This helps the team to develop an incident response plan from the beginning, planning the appropriate mitigations early before the damage becomes more complicated to manage. • Typically follows four steps: preparation, analysis, determine mitigations and validation. • This activity can have different approaches such as protecting specific critical processes, exploit weaknesses or focus on the system design.
Considerations when implementing a Secure SDLC (5) Third-Party Software Tracking • Since third-party software can be open source or commercial use, the team needs to list all third-party tools used in the project. • This inventory should be done in the early stages of the development cycle. • There are software tools that track and list the third-party components, sending you an alert if any component needs upgrading or has licensing issues.
Considerations when implementing a Secure SDLC (6) Security Design and Peer Review • The development team should ensure the software is built with the most secure features. • When reviewing the functional feature design, the developer should include a security design review, thinking like an attacker to discover the feature vulnerabilities. • When reviewing the code, developers need to be aware of the most common coding security pitfalls. • They can follow a checklist for secure coding, for example, that ensures that important security events are logged, check the penetrability of the authentication process, or validate the user input.
Considerations when implementing a Secure SDLC (7) Security Testing • While code review focus on functionality, security testing checks how vulnerable is the new product to attacks. Some of the testing activities include: • Static Analysis—identifies the exact location of weaknesses by analyzing the software without executing it. • Dynamic Analysis—identifies weaknesses by running the software, helping find infrastructure flaws and patch errors. • Vulnerability Scanning—injects malicious inputs against running software to check how the program reacts. Mostly used to scan applications with a web interface. • Fuzzing—involves giving invalid, random data to a program, to check for access protocols and file formats. The test helps find bugs that humans often miss by generating random input and try all possible variations. • Third-party penetration testing—the tester simulates an attack to discover coding or system configuration flaws, and discover vulnerabilities a real attacker can exploit. It is required that the tester is an external party not connected to the team.
Considerations when implementing a Secure SDLC (8) Data Disposal and Retention • Usually at the end of a product’s life companies dispose of old products, or data that they don’t need to use anymore. • Many companies delete or overwrite encryption keys, in a process called “crypto- shredding”. • While getting rid of outdated data is a necessity, there are concerns when comes to keep the confidentiality of the information. • Some regulations such as General Data Protection Regulation (GDPR) have specific requirements for data disposal and retention.
Software Security Frameworks
The Security Development Lifecycle: Proactive vs. Reactive • Setting up an SDLC can be divided into two major approaches: proactive and reactive. • The proactive approach concerns preventing all possible flaws and breaches at the very beginning of the project, implementing solutions in a secure way. • The reactive approach aims to ensure security before the release, and to maintain it throughout the product’s existence.
The Proactive Approach • Banks use thick steel and concrete vaults with advanced electronic systems to prevent and detect break-ins • Many companies use cameras to record business activities, the idea being that cameras both deter theft and help identify perpetrators when thefts do occur • Some organizations have started using Intrusion Detection and Response Systems (IDRSes) to try to detect computer intrusions and then activate defensive measures when an attack is detected.
Lecture Course Outline and Secure SDLC.ppt
The Proactive Approach • It’s worth mentioning that the proactive approach is always preferred. • The consequences of finding a bug are much less serious if the bug is discovered in the development stage, before release. • It is cheaper, easier, and faster to fix the bug when the product is under development, which leads to the idea that security should be implemented on the very beginning of the project. • The best option is to consider security before the actual development is even underway, to train staff on security practices. • When people understand the importance of security procedures and how to implement them correctly, they are better able to keep their products secure.
The Proactive Approach Requirements and Design • The first two stages in the proactive approach—requirements and design—are most important. • In these stages, all security and privacy requirements are formed, quality measurements are defined, and possible attack vectors are identified. • This is the moment the "technical task" is formed. The full, detailed technical task is created, with all functions described in detail, acceptable levels of quality, and explained risks and mitigations. Static Code Analysis • The next step is the actual implementation of the project. • Throughout this step, the main idea is to use only approved tools, safe function, and, most importantly, regular static code analysis. • There are some tools to help in this challenging task, like IBM AppScan or CheckMarx, and with some effort they can be used for continuous integration with your project.
The Reactive Approach • If everything has already been built, and security needs to be implemented retroactively, the product requires a reactive approach to the SDLC. • Examples of reactive approaches include: • Disaster Recovery Plans • Use of private investigation services and loss recovery specialists • Reinstallation of operating systems and applications on compromised systems • Switching to alternate systems in other locations
The Security Development Lifecycle: Proactive vs. Reactive
The Reactive Approach Penetration Testing • One of the most interesting techniques, for a security engineer, is to do a penetration testing of the application. • Here, the work of a real hacker is imitated to uncover security flaws and issues, check the authentication and authorization management, input validation, and many other aspects of the product. Dynamic Code Analysis • Contrary to static analysis, dynamic analysis is executed while the application is in operation, and continuously monitors functional behavior, response time, system memory, and overall performance. • This approach could be easily used in continuous integration, as well as in static analysis. While automated tools cannot replace humans, it helps to accelerate and improve the work of engineers.
The Reactive Approach Web Application Firewall • A web application firewall (WAF) is a specially designed application firewall that works over HTTP protocol. • It’s comparable to a very light version of IDS (intrusion detection system), but specific to HTTP. WAF contains rules against common attacks such as SQL injection or XSS (cross site scripting). • Today popular solutions include using WAFs that are already within DDoS protection services, to kill two birds with one stone. Incident Response Plan • Before the release of the product, one important thing has to be done: an incident response plan has to be created. • The incident response plan includes all appropriate persons to contact in an emergency and the sequence of steps to perform in order to eliminate the breach. • The final security review must be done before the release.
Thank You.
Ad

Recommended

4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
gealehegn
 
Week 4.1 Building security into the software development lifecycle copy.pptx
Week 4.1 Building security into the software development lifecycle copy.pptxWeek 4.1 Building security into the software development lifecycle copy.pptx
Week 4.1 Building security into the software development lifecycle copy.pptx
azida3
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Dilum Bandara
 
An integrated security testing framework and tool
An integrated security testing framework and toolAn integrated security testing framework and tool
An integrated security testing framework and tool
Moutasm Tamimi
 
Reduce Third Party Developer Risks
Reduce Third Party Developer RisksReduce Third Party Developer Risks
Reduce Third Party Developer Risks
Kevo Meehan
 
Enumerating software security design flaws throughout the SSDLC
Enumerating software security design flaws throughout the SSDLCEnumerating software security design flaws throughout the SSDLC
Enumerating software security design flaws throughout the SSDLC
John M. Willis
 
Enumerating software security design flaws throughout the ssdlc cosac - 201...
Enumerating software security design flaws throughout the ssdlc cosac - 201...Enumerating software security design flaws throughout the ssdlc cosac - 201...
Enumerating software security design flaws throughout the ssdlc cosac - 201...
John M. Willis
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
SoftServe
 
Secure Software Design and Secure Programming
Secure Software Design and Secure ProgrammingSecure Software Design and Secure Programming
Secure Software Design and Secure Programming
MustafaAlshekly1
 
5 Ways to Reduce 3rd Party Developer Risk
5 Ways to Reduce 3rd Party Developer Risk5 Ways to Reduce 3rd Party Developer Risk
5 Ways to Reduce 3rd Party Developer Risk
Security Innovation
 
CISSP Domain 08 Software Development Security.pdf
CISSP Domain 08 Software Development Security.pdfCISSP Domain 08 Software Development Security.pdf
CISSP Domain 08 Software Development Security.pdf
gealehegn
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart Way
Security Innovation
 
Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011
Atlantic Security Conference
 
C.3.1.E4 ICT404 Lecture Slides 5_A_cybersec.pptx
C.3.1.E4 ICT404 Lecture Slides 5_A_cybersec.pptxC.3.1.E4 ICT404 Lecture Slides 5_A_cybersec.pptx
C.3.1.E4 ICT404 Lecture Slides 5_A_cybersec.pptx
vamsikrishnasomayaju
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
abhimanyubhogwan
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...
Michael Hidalgo
 
Secure Software Development: Best practice and strategies.pdf
Secure Software Development: Best practice and strategies.pdfSecure Software Development: Best practice and strategies.pdf
Secure Software Development: Best practice and strategies.pdf
Nexflare Dynamics
 
Owasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing master
Dinis Cruz
 
Introduction to the Microsoft Security Development Lifecycle (SDL).ppsx
Introduction to the Microsoft Security Development Lifecycle (SDL).ppsxIntroduction to the Microsoft Security Development Lifecycle (SDL).ppsx
Introduction to the Microsoft Security Development Lifecycle (SDL).ppsx
MardhaniAR
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
System development life cycle(SDLC) .pdf
System development life cycle(SDLC) .pdfSystem development life cycle(SDLC) .pdf
System development life cycle(SDLC) .pdf
NipunVindula
 
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
QADay
 
Lecture 10.pptx
Lecture 10.pptxLecture 10.pptx
Lecture 10.pptx
MuhammadRehan856177
 
7.2-0-D8-October2021 (Software Development Security).pptx
7.2-0-D8-October2021 (Software Development Security).pptx7.2-0-D8-October2021 (Software Development Security).pptx
7.2-0-D8-October2021 (Software Development Security).pptx
roongrus
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps Transformation
Michele Chubirka
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar Tymoshyk
SoftServe
 
Sdlc model
Sdlc modelSdlc model
Sdlc model
Dhilsath Fathima
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)
Frances Coronel
 
Vannin Healthcare Greencube Electronic Health Record -Modules and Features.pdf
Vannin Healthcare Greencube Electronic Health Record -Modules and Features.pdfVannin Healthcare Greencube Electronic Health Record -Modules and Features.pdf
Vannin Healthcare Greencube Electronic Health Record -Modules and Features.pdf
ovanveen
 
Rackspace-White-Paper-OpenStack-PRI-TSK-11768-5.pdf
Rackspace-White-Paper-OpenStack-PRI-TSK-11768-5.pdfRackspace-White-Paper-OpenStack-PRI-TSK-11768-5.pdf
Rackspace-White-Paper-OpenStack-PRI-TSK-11768-5.pdf
ericnewman522
 
Ad

More Related Content

Similar to Lecture Course Outline and Secure SDLC.ppt (20)

Secure Software Design and Secure Programming
Secure Software Design and Secure ProgrammingSecure Software Design and Secure Programming
Secure Software Design and Secure Programming
MustafaAlshekly1
 
5 Ways to Reduce 3rd Party Developer Risk
5 Ways to Reduce 3rd Party Developer Risk5 Ways to Reduce 3rd Party Developer Risk
5 Ways to Reduce 3rd Party Developer Risk
Security Innovation
 
CISSP Domain 08 Software Development Security.pdf
CISSP Domain 08 Software Development Security.pdfCISSP Domain 08 Software Development Security.pdf
CISSP Domain 08 Software Development Security.pdf
gealehegn
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart Way
Security Innovation
 
Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011
Atlantic Security Conference
 
C.3.1.E4 ICT404 Lecture Slides 5_A_cybersec.pptx
C.3.1.E4 ICT404 Lecture Slides 5_A_cybersec.pptxC.3.1.E4 ICT404 Lecture Slides 5_A_cybersec.pptx
C.3.1.E4 ICT404 Lecture Slides 5_A_cybersec.pptx
vamsikrishnasomayaju
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
abhimanyubhogwan
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...
Michael Hidalgo
 
Secure Software Development: Best practice and strategies.pdf
Secure Software Development: Best practice and strategies.pdfSecure Software Development: Best practice and strategies.pdf
Secure Software Development: Best practice and strategies.pdf
Nexflare Dynamics
 
Owasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing master
Dinis Cruz
 
Introduction to the Microsoft Security Development Lifecycle (SDL).ppsx
Introduction to the Microsoft Security Development Lifecycle (SDL).ppsxIntroduction to the Microsoft Security Development Lifecycle (SDL).ppsx
Introduction to the Microsoft Security Development Lifecycle (SDL).ppsx
MardhaniAR
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
System development life cycle(SDLC) .pdf
System development life cycle(SDLC) .pdfSystem development life cycle(SDLC) .pdf
System development life cycle(SDLC) .pdf
NipunVindula
 
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
QADay
 
Lecture 10.pptx
Lecture 10.pptxLecture 10.pptx
Lecture 10.pptx
MuhammadRehan856177
 
7.2-0-D8-October2021 (Software Development Security).pptx
7.2-0-D8-October2021 (Software Development Security).pptx7.2-0-D8-October2021 (Software Development Security).pptx
7.2-0-D8-October2021 (Software Development Security).pptx
roongrus
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps Transformation
Michele Chubirka
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar Tymoshyk
SoftServe
 
Sdlc model
Sdlc modelSdlc model
Sdlc model
Dhilsath Fathima
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)
Frances Coronel
 
Secure Software Design and Secure Programming
Secure Software Design and Secure ProgrammingSecure Software Design and Secure Programming
Secure Software Design and Secure Programming
MustafaAlshekly1
 
5 Ways to Reduce 3rd Party Developer Risk
5 Ways to Reduce 3rd Party Developer Risk5 Ways to Reduce 3rd Party Developer Risk
5 Ways to Reduce 3rd Party Developer Risk
Security Innovation
 
CISSP Domain 08 Software Development Security.pdf
CISSP Domain 08 Software Development Security.pdfCISSP Domain 08 Software Development Security.pdf
CISSP Domain 08 Software Development Security.pdf
gealehegn
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart Way
Security Innovation
 
Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011
Atlantic Security Conference
 
C.3.1.E4 ICT404 Lecture Slides 5_A_cybersec.pptx
C.3.1.E4 ICT404 Lecture Slides 5_A_cybersec.pptxC.3.1.E4 ICT404 Lecture Slides 5_A_cybersec.pptx
C.3.1.E4 ICT404 Lecture Slides 5_A_cybersec.pptx
vamsikrishnasomayaju
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
abhimanyubhogwan
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...
Michael Hidalgo
 
Secure Software Development: Best practice and strategies.pdf
Secure Software Development: Best practice and strategies.pdfSecure Software Development: Best practice and strategies.pdf
Secure Software Development: Best practice and strategies.pdf
Nexflare Dynamics
 
Owasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing master
Dinis Cruz
 
Introduction to the Microsoft Security Development Lifecycle (SDL).ppsx
Introduction to the Microsoft Security Development Lifecycle (SDL).ppsxIntroduction to the Microsoft Security Development Lifecycle (SDL).ppsx
Introduction to the Microsoft Security Development Lifecycle (SDL).ppsx
MardhaniAR
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
System development life cycle(SDLC) .pdf
System development life cycle(SDLC) .pdfSystem development life cycle(SDLC) .pdf
System development life cycle(SDLC) .pdf
NipunVindula
 
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
QADay
 
Lecture 10.pptx
Lecture 10.pptxLecture 10.pptx
Lecture 10.pptx
MuhammadRehan856177
 
7.2-0-D8-October2021 (Software Development Security).pptx
7.2-0-D8-October2021 (Software Development Security).pptx7.2-0-D8-October2021 (Software Development Security).pptx
7.2-0-D8-October2021 (Software Development Security).pptx
roongrus
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps Transformation
Michele Chubirka
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar Tymoshyk
SoftServe
 
Sdlc model
Sdlc modelSdlc model
Sdlc model
Dhilsath Fathima
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)
Frances Coronel
 

Recently uploaded (20)

Vannin Healthcare Greencube Electronic Health Record -Modules and Features.pdf
Vannin Healthcare Greencube Electronic Health Record -Modules and Features.pdfVannin Healthcare Greencube Electronic Health Record -Modules and Features.pdf
Vannin Healthcare Greencube Electronic Health Record -Modules and Features.pdf
ovanveen
 
Rackspace-White-Paper-OpenStack-PRI-TSK-11768-5.pdf
Rackspace-White-Paper-OpenStack-PRI-TSK-11768-5.pdfRackspace-White-Paper-OpenStack-PRI-TSK-11768-5.pdf
Rackspace-White-Paper-OpenStack-PRI-TSK-11768-5.pdf
ericnewman522
 
Best Places Buy Verified Cash App Accounts- Reviewed (pdf).pdf
Best Places Buy Verified Cash App Accounts- Reviewed (pdf).pdfBest Places Buy Verified Cash App Accounts- Reviewed (pdf).pdf
Best Places Buy Verified Cash App Accounts- Reviewed (pdf).pdf
Cashapp Profile
 
1911 Gold Corporate Presentation May 2025.pdf
1911 Gold Corporate Presentation May 2025.pdf1911 Gold Corporate Presentation May 2025.pdf
1911 Gold Corporate Presentation May 2025.pdf
Shaun Heinrichs
 
How To Think Like Rick Rubin - Shaan Puri.pdf
How To Think Like Rick Rubin - Shaan Puri.pdfHow To Think Like Rick Rubin - Shaan Puri.pdf
How To Think Like Rick Rubin - Shaan Puri.pdf
Razin Mustafiz
 
The Business Conference and IT Resilience Summit Abu Dhabi, UAE - Shakti Moha...
The Business Conference and IT Resilience Summit Abu Dhabi, UAE - Shakti Moha...The Business Conference and IT Resilience Summit Abu Dhabi, UAE - Shakti Moha...
The Business Conference and IT Resilience Summit Abu Dhabi, UAE - Shakti Moha...
Continuity and Resilience
 
The Business Conference and IT Resilience Summit Abu Dhabi, UAE - Zhanar Tuke...
The Business Conference and IT Resilience Summit Abu Dhabi, UAE - Zhanar Tuke...The Business Conference and IT Resilience Summit Abu Dhabi, UAE - Zhanar Tuke...
The Business Conference and IT Resilience Summit Abu Dhabi, UAE - Zhanar Tuke...
Continuity and Resilience
 
Solving Disintermediation in Ride-Hailing
Solving Disintermediation in Ride-HailingSolving Disintermediation in Ride-Hailing
Solving Disintermediation in Ride-Hailing
xnayankumar
 
How AI Helps HR Lead Better, Not Just Work Faster
How AI Helps HR Lead Better, Not Just Work FasterHow AI Helps HR Lead Better, Not Just Work Faster
How AI Helps HR Lead Better, Not Just Work Faster
Aginto - A Digital Agency
 
Top Solar Panel Manufacturers in India and Photovoltaic Module Manufacturers....
Top Solar Panel Manufacturers in India and Photovoltaic Module Manufacturers....Top Solar Panel Manufacturers in India and Photovoltaic Module Manufacturers....
Top Solar Panel Manufacturers in India and Photovoltaic Module Manufacturers....
Insolation Energy
 
Are you concerned about the safety of your home and family
Are you concerned about the safety of your home and familyAre you concerned about the safety of your home and family
Are you concerned about the safety of your home and family
wasifkhan196986
 
Ibrahim Mardam-Bey on Navigating New Global Finance Trends
Ibrahim Mardam-Bey on Navigating New Global Finance TrendsIbrahim Mardam-Bey on Navigating New Global Finance Trends
Ibrahim Mardam-Bey on Navigating New Global Finance Trends
Ibrahim Mardam-bey
 
Outsourcing Finance and accounting services
Outsourcing Finance and accounting servicesOutsourcing Finance and accounting services
Outsourcing Finance and accounting services
Intellgus
 
TechnoFacade Innovating Façade Engineering for the Future of Architecture
TechnoFacade Innovating Façade Engineering for the Future of ArchitectureTechnoFacade Innovating Façade Engineering for the Future of Architecture
TechnoFacade Innovating Façade Engineering for the Future of Architecture
krishnakichu7296
 
Dr Tran Quoc Bao the first Vietnamese CEO featured by The Prestige List - Asi...
Dr Tran Quoc Bao the first Vietnamese CEO featured by The Prestige List - Asi...Dr Tran Quoc Bao the first Vietnamese CEO featured by The Prestige List - Asi...
Dr Tran Quoc Bao the first Vietnamese CEO featured by The Prestige List - Asi...
Ignite Capital
 
Mark Bradley_ Understanding the Psychological Appeal of Vinyl Listening.pdf
Mark Bradley_ Understanding the Psychological Appeal of Vinyl Listening.pdfMark Bradley_ Understanding the Psychological Appeal of Vinyl Listening.pdf
Mark Bradley_ Understanding the Psychological Appeal of Vinyl Listening.pdf
Mark Bradley
 
Banking Doesn't Have to Be Boring: Jupiter's Gamification Playbook
Banking Doesn't Have to Be Boring: Jupiter's Gamification PlaybookBanking Doesn't Have to Be Boring: Jupiter's Gamification Playbook
Banking Doesn't Have to Be Boring: Jupiter's Gamification Playbook
xnayankumar
 
Bloomberg Asia's Power Players in Healthcare - The Visionaries Transforming a...
Bloomberg Asia's Power Players in Healthcare - The Visionaries Transforming a...Bloomberg Asia's Power Players in Healthcare - The Visionaries Transforming a...
Bloomberg Asia's Power Players in Healthcare - The Visionaries Transforming a...
Ignite Capital
 
IT Support Company Profile by Slidesgo.pptx
IT Support Company Profile by Slidesgo.pptxIT Support Company Profile by Slidesgo.pptx
IT Support Company Profile by Slidesgo.pptx
ahmed gamal
 
HyperVerge's journey from $10M to $30M ARR: Commoditize Your Complements
HyperVerge's journey from $10M to $30M ARR: Commoditize Your ComplementsHyperVerge's journey from $10M to $30M ARR: Commoditize Your Complements
HyperVerge's journey from $10M to $30M ARR: Commoditize Your Complements
xnayankumar
 
Vannin Healthcare Greencube Electronic Health Record -Modules and Features.pdf
Vannin Healthcare Greencube Electronic Health Record -Modules and Features.pdfVannin Healthcare Greencube Electronic Health Record -Modules and Features.pdf
Vannin Healthcare Greencube Electronic Health Record -Modules and Features.pdf
ovanveen
 
Rackspace-White-Paper-OpenStack-PRI-TSK-11768-5.pdf
Rackspace-White-Paper-OpenStack-PRI-TSK-11768-5.pdfRackspace-White-Paper-OpenStack-PRI-TSK-11768-5.pdf
Rackspace-White-Paper-OpenStack-PRI-TSK-11768-5.pdf
ericnewman522
 
Best Places Buy Verified Cash App Accounts- Reviewed (pdf).pdf
Best Places Buy Verified Cash App Accounts- Reviewed (pdf).pdfBest Places Buy Verified Cash App Accounts- Reviewed (pdf).pdf
Best Places Buy Verified Cash App Accounts- Reviewed (pdf).pdf
Cashapp Profile
 
1911 Gold Corporate Presentation May 2025.pdf
1911 Gold Corporate Presentation May 2025.pdf1911 Gold Corporate Presentation May 2025.pdf
1911 Gold Corporate Presentation May 2025.pdf
Shaun Heinrichs
 
How To Think Like Rick Rubin - Shaan Puri.pdf
How To Think Like Rick Rubin - Shaan Puri.pdfHow To Think Like Rick Rubin - Shaan Puri.pdf
How To Think Like Rick Rubin - Shaan Puri.pdf
Razin Mustafiz
 
The Business Conference and IT Resilience Summit Abu Dhabi, UAE - Shakti Moha...
The Business Conference and IT Resilience Summit Abu Dhabi, UAE - Shakti Moha...The Business Conference and IT Resilience Summit Abu Dhabi, UAE - Shakti Moha...
The Business Conference and IT Resilience Summit Abu Dhabi, UAE - Shakti Moha...
Continuity and Resilience
 
The Business Conference and IT Resilience Summit Abu Dhabi, UAE - Zhanar Tuke...
The Business Conference and IT Resilience Summit Abu Dhabi, UAE - Zhanar Tuke...The Business Conference and IT Resilience Summit Abu Dhabi, UAE - Zhanar Tuke...
The Business Conference and IT Resilience Summit Abu Dhabi, UAE - Zhanar Tuke...
Continuity and Resilience
 
Solving Disintermediation in Ride-Hailing
Solving Disintermediation in Ride-HailingSolving Disintermediation in Ride-Hailing
Solving Disintermediation in Ride-Hailing
xnayankumar
 
How AI Helps HR Lead Better, Not Just Work Faster
How AI Helps HR Lead Better, Not Just Work FasterHow AI Helps HR Lead Better, Not Just Work Faster
How AI Helps HR Lead Better, Not Just Work Faster
Aginto - A Digital Agency
 
Top Solar Panel Manufacturers in India and Photovoltaic Module Manufacturers....
Top Solar Panel Manufacturers in India and Photovoltaic Module Manufacturers....Top Solar Panel Manufacturers in India and Photovoltaic Module Manufacturers....
Top Solar Panel Manufacturers in India and Photovoltaic Module Manufacturers....
Insolation Energy
 
Are you concerned about the safety of your home and family
Are you concerned about the safety of your home and familyAre you concerned about the safety of your home and family
Are you concerned about the safety of your home and family
wasifkhan196986
 
Ibrahim Mardam-Bey on Navigating New Global Finance Trends
Ibrahim Mardam-Bey on Navigating New Global Finance TrendsIbrahim Mardam-Bey on Navigating New Global Finance Trends
Ibrahim Mardam-Bey on Navigating New Global Finance Trends
Ibrahim Mardam-bey
 
Outsourcing Finance and accounting services
Outsourcing Finance and accounting servicesOutsourcing Finance and accounting services
Outsourcing Finance and accounting services
Intellgus
 
TechnoFacade Innovating Façade Engineering for the Future of Architecture
TechnoFacade Innovating Façade Engineering for the Future of ArchitectureTechnoFacade Innovating Façade Engineering for the Future of Architecture
TechnoFacade Innovating Façade Engineering for the Future of Architecture
krishnakichu7296
 
Dr Tran Quoc Bao the first Vietnamese CEO featured by The Prestige List - Asi...
Dr Tran Quoc Bao the first Vietnamese CEO featured by The Prestige List - Asi...Dr Tran Quoc Bao the first Vietnamese CEO featured by The Prestige List - Asi...
Dr Tran Quoc Bao the first Vietnamese CEO featured by The Prestige List - Asi...
Ignite Capital
 
Mark Bradley_ Understanding the Psychological Appeal of Vinyl Listening.pdf
Mark Bradley_ Understanding the Psychological Appeal of Vinyl Listening.pdfMark Bradley_ Understanding the Psychological Appeal of Vinyl Listening.pdf
Mark Bradley_ Understanding the Psychological Appeal of Vinyl Listening.pdf
Mark Bradley
 
Banking Doesn't Have to Be Boring: Jupiter's Gamification Playbook
Banking Doesn't Have to Be Boring: Jupiter's Gamification PlaybookBanking Doesn't Have to Be Boring: Jupiter's Gamification Playbook
Banking Doesn't Have to Be Boring: Jupiter's Gamification Playbook
xnayankumar
 
Bloomberg Asia's Power Players in Healthcare - The Visionaries Transforming a...
Bloomberg Asia's Power Players in Healthcare - The Visionaries Transforming a...Bloomberg Asia's Power Players in Healthcare - The Visionaries Transforming a...
Bloomberg Asia's Power Players in Healthcare - The Visionaries Transforming a...
Ignite Capital
 
IT Support Company Profile by Slidesgo.pptx
IT Support Company Profile by Slidesgo.pptxIT Support Company Profile by Slidesgo.pptx
IT Support Company Profile by Slidesgo.pptx
ahmed gamal
 
HyperVerge's journey from $10M to $30M ARR: Commoditize Your Complements
HyperVerge's journey from $10M to $30M ARR: Commoditize Your ComplementsHyperVerge's journey from $10M to $30M ARR: Commoditize Your Complements
HyperVerge's journey from $10M to $30M ARR: Commoditize Your Complements
xnayankumar
 
Ad

Lecture Course Outline and Secure SDLC.ppt

  • 2. Course Goals It explains the need for computer security Explains how security requirements can be met with well-established techniques Risks can be addressed though novel technologies and techniques Introduces Security Design Best Practices Explains the scope of the available technical solutions Presents techniques for evaluating security solutions
  • 3. Course Lecturer’s Contact • E-mail: • Office hours:
  • 4. Course Grading System 7th week 20 marks on exam 10 marks on section Continuous Assessment 12th week 10 marks on exam 10 marks on section Final Exam 10 marks on sections 40 marks on exam
  • 6. Course Timeline by weeks 6 4 2 Security Requirements Planning: Risk Assessment Design: Architectural Risk Analysis Course Outline and Secure SDLC Requirements: Misuse Cases Design: Secure Design Patterns EXAM
  • 7. Course Timeline by weeks 13 11 9 Implementation: defensive coding practices Design: Threat Modelling Security Testing: Penetration Testing, Risk- based Security Testing EXAM 15 Assessment: CVSS Assessment: CWSS Revision Projects’ Review
  • 8. Lecture 1 • Secure SDLC • The Security Development Lifecycle: Proactive vs. Reactive
  • 9. Glosarry • Information Security Risks: the probability that a particular threat-source will exercise a particular information system vulnerability and the resulting impact if this should occur (NIST publication 800-27) • Software Security: a way to defend against software exploits by building software to be secure (McGraw Exploiting Software) • Application Security: a way to defend against software exploits in a post-facto way after deployment is complete (McGraw Exploiting Software)
  • 10. What is at risk?
  • 12. What Is Secure SDLC and Why Is Important? • Security System Development Life Cycle is defined as the series of processes and procedures in the software development cycle, designed to enable development teams create software and applications in a manner that significantly • reduces security risks, • eliminate security vulnerabilities • reducing costs. • The process, like the traditional Systems Development Life Cycle, is divided into a number of phases.
  • 13. What Is Secure SDLC and Why Is Important?
  • 14. What Is Secure SDLC and Why Is Important? • Development teams use different models such as Waterfall, Iterative or Agile. However, all models usually follow these phases: • Planning and requirements • Architecture and design • Test planning • Coding • Testing the code and results • Release and maintenance
  • 15. What Is Secure SDLC and Why Is Important? • Developers usually performed security-related tasks only at the testing stage, resulting in discovering issues too late or not at all. • With time, teams started to integrate security activities to catch vulnerabilities early in the development cycle. • With this in mind, the concept of secure SDLC started. • Secure SDLC integrates activities such as penetration testing, code review, and architecture analysis into all steps of the development process.
  • 16. Benefits of adopting a secure SDLC • The main benefits of adopting a secure SDLC include: • Makes security a continuous concern—including all stakeholders in the security considerations • Helps detect flaws early in the development process—reducing business risks for the organization • Reduces costs—by detecting and resolving issues early in the lifecycle
  • 17. How Does Secure SDLC work? • Most companies will implement a secure SDLC simply by adding security- related activities to their development process already in place. • For example, they can perform an architecture risk analysis during the design phase. • There are seven phases in most SDLCs although they may vary according to the methodology used, such as Agile or Waterfall: • Concept • Planning • Design and Development • Testing • Release • Sustain • Disposal
  • 18. How Does Secure SDLC work? • For example, a development team implementing the waterfall methodology may follow the following scheme:
  • 19. How Does Secure SDLC work? • Each security activity should correspond with a phase in the SDLC, as follows:
  • 20. How Does Secure SDLC work?
  • 21. How Does Secure SDLC work?
  • 22. Considerations when implementing a Secure SDLC (1) SDL Discovery • The goal should be to determine: • the security objectives required by the software, • what are the possible threats and • what regulations the organization needs to follow. • When working on the scope of the SDL, a development team should focus on deliverables such as: • security milestones, • required certifications, • risk assessments, • key security resources, and • required third-party resources.
  • 23. Considerations when implementing a Secure SDLC (2) Security Baselines • Here you should list what are the requirements your product need to comply with. • For example, only using approved cryptography and libraries or using multifactor authentication. • A Gap Analysis, contrasting the product’s features against the baseline, is useful to identify the areas not complying with the security baseline. • When finding a gap, this needs to be addressed as early as possible in the lifecycle. • Since companies release a product based on the percentage of compliance with the baseline, is important to work on gaps through the development process.
  • 24. Considerations when implementing a Secure SDLC (3) Security Training and Awareness • The company should provide security training sessions for developers, designers, architects, and QA. • They can focus on secure design principles, security issues, web security or encryption. • Security awareness sessions are not geared specifically for the development team, involving everyone that is connected to the project within the organization. • Sessions should be easy in terms of technical level and can include topics such as the various cybersecurity threats or risk impact and management.
  • 25. Considerations when implementing a Secure SDLC (4) Threat Modeling • Modeling the software components to identify and manage threats early in the development lifecycle. • This helps the team to develop an incident response plan from the beginning, planning the appropriate mitigations early before the damage becomes more complicated to manage. • Typically follows four steps: preparation, analysis, determine mitigations and validation. • This activity can have different approaches such as protecting specific critical processes, exploit weaknesses or focus on the system design.
  • 26. Considerations when implementing a Secure SDLC (5) Third-Party Software Tracking • Since third-party software can be open source or commercial use, the team needs to list all third-party tools used in the project. • This inventory should be done in the early stages of the development cycle. • There are software tools that track and list the third-party components, sending you an alert if any component needs upgrading or has licensing issues.
  • 27. Considerations when implementing a Secure SDLC (6) Security Design and Peer Review • The development team should ensure the software is built with the most secure features. • When reviewing the functional feature design, the developer should include a security design review, thinking like an attacker to discover the feature vulnerabilities. • When reviewing the code, developers need to be aware of the most common coding security pitfalls. • They can follow a checklist for secure coding, for example, that ensures that important security events are logged, check the penetrability of the authentication process, or validate the user input.
  • 28. Considerations when implementing a Secure SDLC (7) Security Testing • While code review focus on functionality, security testing checks how vulnerable is the new product to attacks. Some of the testing activities include: • Static Analysis—identifies the exact location of weaknesses by analyzing the software without executing it. • Dynamic Analysis—identifies weaknesses by running the software, helping find infrastructure flaws and patch errors. • Vulnerability Scanning—injects malicious inputs against running software to check how the program reacts. Mostly used to scan applications with a web interface. • Fuzzing—involves giving invalid, random data to a program, to check for access protocols and file formats. The test helps find bugs that humans often miss by generating random input and try all possible variations. • Third-party penetration testing—the tester simulates an attack to discover coding or system configuration flaws, and discover vulnerabilities a real attacker can exploit. It is required that the tester is an external party not connected to the team.
  • 29. Considerations when implementing a Secure SDLC (8) Data Disposal and Retention • Usually at the end of a product’s life companies dispose of old products, or data that they don’t need to use anymore. • Many companies delete or overwrite encryption keys, in a process called “crypto- shredding”. • While getting rid of outdated data is a necessity, there are concerns when comes to keep the confidentiality of the information. • Some regulations such as General Data Protection Regulation (GDPR) have specific requirements for data disposal and retention.
  • 31. The Security Development Lifecycle: Proactive vs. Reactive • Setting up an SDLC can be divided into two major approaches: proactive and reactive. • The proactive approach concerns preventing all possible flaws and breaches at the very beginning of the project, implementing solutions in a secure way. • The reactive approach aims to ensure security before the release, and to maintain it throughout the product’s existence.
  • 32. The Proactive Approach • Banks use thick steel and concrete vaults with advanced electronic systems to prevent and detect break-ins • Many companies use cameras to record business activities, the idea being that cameras both deter theft and help identify perpetrators when thefts do occur • Some organizations have started using Intrusion Detection and Response Systems (IDRSes) to try to detect computer intrusions and then activate defensive measures when an attack is detected.
  • 34. The Proactive Approach • It’s worth mentioning that the proactive approach is always preferred. • The consequences of finding a bug are much less serious if the bug is discovered in the development stage, before release. • It is cheaper, easier, and faster to fix the bug when the product is under development, which leads to the idea that security should be implemented on the very beginning of the project. • The best option is to consider security before the actual development is even underway, to train staff on security practices. • When people understand the importance of security procedures and how to implement them correctly, they are better able to keep their products secure.
  • 35. The Proactive Approach Requirements and Design • The first two stages in the proactive approach—requirements and design—are most important. • In these stages, all security and privacy requirements are formed, quality measurements are defined, and possible attack vectors are identified. • This is the moment the "technical task" is formed. The full, detailed technical task is created, with all functions described in detail, acceptable levels of quality, and explained risks and mitigations. Static Code Analysis • The next step is the actual implementation of the project. • Throughout this step, the main idea is to use only approved tools, safe function, and, most importantly, regular static code analysis. • There are some tools to help in this challenging task, like IBM AppScan or CheckMarx, and with some effort they can be used for continuous integration with your project.
  • 36. The Reactive Approach • If everything has already been built, and security needs to be implemented retroactively, the product requires a reactive approach to the SDLC. • Examples of reactive approaches include: • Disaster Recovery Plans • Use of private investigation services and loss recovery specialists • Reinstallation of operating systems and applications on compromised systems • Switching to alternate systems in other locations
  • 37. The Security Development Lifecycle: Proactive vs. Reactive
  • 38. The Reactive Approach Penetration Testing • One of the most interesting techniques, for a security engineer, is to do a penetration testing of the application. • Here, the work of a real hacker is imitated to uncover security flaws and issues, check the authentication and authorization management, input validation, and many other aspects of the product. Dynamic Code Analysis • Contrary to static analysis, dynamic analysis is executed while the application is in operation, and continuously monitors functional behavior, response time, system memory, and overall performance. • This approach could be easily used in continuous integration, as well as in static analysis. While automated tools cannot replace humans, it helps to accelerate and improve the work of engineers.
  • 39. The Reactive Approach Web Application Firewall • A web application firewall (WAF) is a specially designed application firewall that works over HTTP protocol. • It’s comparable to a very light version of IDS (intrusion detection system), but specific to HTTP. WAF contains rules against common attacks such as SQL injection or XSS (cross site scripting). • Today popular solutions include using WAFs that are already within DDoS protection services, to kill two birds with one stone. Incident Response Plan • Before the release of the product, one important thing has to be done: an incident response plan has to be created. • The incident response plan includes all appropriate persons to contact in an emergency and the sequence of steps to perform in order to eliminate the breach. • The final security review must be done before the release.
  翻译: