SDL Methodology

PHASE ONE: SDL STRATEGY & PLANNING

Phase One of this approach is strategic in that iSEC Partners staffs software development experts to work with your organization to understand existing SDL elements, business drivers, key stakeholders, etc. At the end of Phase One, iSEC Partners delivers an SDL Plan that details which elements of the SDL should be implemented.

Creation of Security Development Lifecycle Strategy

At the completion of this effort, iSEC provides a comprehensive plan to roll out Secure Development Lifecycle best practices. This strategy is outlined in a document that covers the following topics:

  • SDL Business Drivers
    Business drivers are the core motivation for investing in security, and are therefore essential in order for SDL to gain traction with both executive management and Development Teams. Furthermore, business drivers form the philosophical basis for choosing which actions to take when “the right thing to do for security” is unclear.

  • Long-Term SDL Objectives
    Long-Term SDL Objectives are a reflection of the business drivers. They answer the question: “Given the motivations of our business, what does the software development organization need to provide?” These provide the high-level goals and dictate the plan for rolling out SDL.

  • Intermediate SDL Milestones
    Intermediate SDL Milestones provide the tactical basis upon which the software development organization can act. These milestones are prioritized according to their ability to provide immediate impact to the security posture of the software system.

  • SDL Metrics
    SDL Metrics are associated with SDL milestones, in both the short and long term, and with ongoing execution of the SDL process. The metrics are designed to provide meaningful, measurable feedback regarding the security assurance of features and the efficacy of the SDL process.

PHASE TWO: SDL IMPLEMENTATION

Phase Two of the process is focused on implementing the SDL Plan. It can take up to two years to achieve a single round of SDL coverage for a flagship product/suite, depending upon existing processes, the current state of the source code and the complexity of the product.

  • Security Awareness Training
    iSEC Partners creates and delivers computer-based and in-person security training materials suitable for the entire staff of the development organization.

  • Identify and Implement Tool Opportunities
    iSEC Partners identifies and integrates into the development and test practices the tools required to detect and mitigate security flaws. In some circumstances iSEC Partners will identify and integrate source code and/or web application toolset(s) that apply ongoing quality assurance activities. iSEC Partners ensures that the test staff is trained in the use of the tool and interpretation of results.

  • Security Push on Client main site / application
    iSEC Partners performs a full SDL security push on the flagship application with embedded experts to provide technical and managerial depth, tailor the process to the organization and start to cultivate internal competence through experience. This process includes Threat Modeling, Design Review and Penetration Testing.

  • Documentation, Metrics and Enforcement
    iSEC Partners creates processes for documenting and recording metrics to guide ongoing efforts. This process includes Secure Test and Coding Policies and Guidelines, Tracking and Reporting Security Metrics and Enforcement.

  • Create and Test an Incident Response Plan
    Establish responsibilities and activities for security incident response, including media communication, establishing contacts with relevant governmental agencies, operational responsibilities and advance planning of critical control points for fast technical response. Conduct a test of the plan.

  • Create, Train, Expand Security-Aware Internal Test Team
    iSEC Partners typically provides staff augmentation services to give our Clients full- or part-time assistance building out their internal team.