Figure 14-6 Secure Development
As you can see in the figure, the SDLC includes these
steps:
Training: Training helps get everyone on the project teams into a
security frame of mind. Teach and train developers on the team to
analyze the business application attack surface as well as the associated
potential threats. Not just developers but all team members should
understand the exposure points of their applications (user inputs,
front-facing code, exposed function calls, and so on) and take steps to
design more secure systems wherever possible.
Threat modeling: For every component and module in a system, ask
the “what-how-what” questions: What can go wrong? How can
someone try to hack into it? What can we do to prevent this from
happening? Various frameworks for threat modeling are available,
including the following:
STRIDE (Spoofing, Tampering, Repudiation, Information Leak,
DoS, Elevation of Privilege)
PASTA (Process for Attack Simulation and Threat Analysis)
VAST (Visual, Agile, and Simple Threat Modeling)
Secure coding: Build and use code libraries that are already secured
or approved by an official committee. The industry has several
guidelines for secure coding, and we have listed some of the standard
ones here:
Validating inputs