Secure Software Development: Actions, Skills, Costs


In software development since 1989 and in information security since 2003, ScienceSoft develops secure and compliant software and provides cybersecurity consulting services.

What is Secure Software Development: The Gist

Secure software development includes enabling software security (security requirements planning, designing software architecture from a security perspective, adding security features, etc.) and maintaining the security of software and the underlying infrastructure (source code review, penetration testing).

The introduction of security practices will naturally increase the time and effort required for each SDLC stage. For example, strict code reviews can increase coding time by 20-30% compared with a usual software development project. At the same time, however, it helps to save millions in the future: the average cost of a data breach was reported to reach $3.86 million in 2020.

Note: While secure software development focuses on applying security in software development life cycles, it is expected that you have also established security across the development infrastructure, information storage policies, human resource and supplier management, assets used, communication channels, physical location, business operations, and more.

Stages of Secure Software Development

The number and the ‘depth’ of security measures will differ depending on the level of security you want to achieve. Below you can find an overview of security aspects and practices ScienceSoft commonly recommends.

Stage 1. Requirements gathering, prioritization and analysis: Mapping security requirements

At the requirements gathering stage, security specialists prepare an application risk profile. The document describes possible entry points for attackers and categorizes security risks by the severity level, including their impact and likelihood.

Tip from ScienceSoft: It’s feasible to concentrate on describing only the most likely or severe risks to optimize the effort and time of planning and implementing countermeasures.

Relying on the risk profile, organizational security and privacy policies and standards, and regulatory requirements (e.g., HIPAA, PCI DSS), business analysts elicit and document security and resilience requirements for the future software, including:

  • Identification requirements
  • Authentication requirements
  • Authorization requirements
  • Integrity requirements
  • Non-repudiation requirements
  • Privacy requirements
  • Survivability requirements

Key security deliverable: Prioritized security and privacy software requirements.

Stage 2. Software design: Threat modeling, secure architecture, planning security features

Threat modeling takes place after high-level software architecture is designed and the major data flows and data entry points in the future application are established. It includes the following key steps:

  • Decomposing the planned application architecture into functional components, determining threats to each of the components.
  • Categorizing and prioritizing threats.
  • Planning and prioritizing controls and countermeasures for possible attacks.

Based on the described security and resilience requirements and the threat modeling results, the following are planned:

  • Secure software architecture (e.g., employing application partitioning or a container-based approach).
  • Security features: cryptography (DES, 3DES, AES, RSA, Blowfish), audit/logging, user identification, verification and authorization (password-based, multi-factor, certificate-based, token-based, biometrics).
  • Test cases to be executed at the testing and maintenance stages.

Tip from ScienceSoft: Security should not hinder UX. Users are likely to turn security features off if they’re overwhelming.

Threat modeling is typically iterative and spans the entire SDLC, starting with the high-level architecture (interaction between software modules), continuing through detailed architecture design, and ending with implementation (specific code functions and methods).

Key security deliverables: Categorized and ranked security threats, a security risk mitigation plan, and documented secure software architecture.

Stage 3. Software development: Secure coding practices, static analysis, and regular peer review

At this stage, developers need to:

  • Employ secure coding practices to mitigate or minimize high-risk implementation-level vulnerabilities.
  • Use only secure development tools (libraries, frameworks, etc.).
  • Perform regular unit tests.
  • Perform automated static code analysis.
  • Conduct language-specific, checklist-based code peer reviews to detect types of vulnerabilities that can’t be identified by automated security review tools.

Note: Application Security Verification Standard Project by OWASP, one of the most authoritative organizations in software security, provides a comprehensive list of secure coding practices and unit tests for developers.

ScienceSoft recommends: Introduce automated gathering of information about the target software. For example, we often add static application security testing (SAST) and dynamic application security testing (DAST) to CI/CD pipelines so that we can consistently scan each build according to the same scenario and detect the points in an application where an attack may be introduced.

Key security deliverables: developed security features, documented secure code, described vulnerabilities from an automated security code review and unit testing.

Stage 4. Software deployment and support: Penetration testing, final security review, and an incident response plan

The suggested set of practices:

  • Conducting penetration testing of the software and its infrastructure (black-box, gray-box and white-box); fixing identified security issues and conducting regression testing. Note: If the software is built iteratively, these activities should be performed for every build.
  • Final Security Review (FSR) by subject-matter security experts to verify that security risks identified in the course of the previous security activities have been properly addressed (fixed or have a mitigation plan in place).
  • Creating an incident response procedure.
  • Setting up application security monitoring and performing manual and automated security regression testing.
  • (If applicable) Submitting your application for external validation to officially attest compliance with industry regulations.
  • Establishing a feedback process and tools for users, white hat hackers, etc. to report on revealed vulnerabilities.

Key deliverables: security testing results report describing the uncovered security issues, their risk level, impact, and ways to eliminate them; security monitoring and incident response plan.

The entire secure software development process is kept in-house

Pros:

  • Full control over the development process, infrastructure, and security measures.

Cons:

  • Re-training existing resources or hiring additional staff since specific software security and resilience knowledge and skills are needed.

Partial outsourcing of secure software development project

Pros:

  • Security expertise of qualified outsourced resources helps to implement security at each stage of SDLC – security requirements planning, secure architecture design, secure coding practices implementation, professional pentesting, continuous security monitoring and more.

Cons:

  • Partial or total project team coordination, quality control and risk management are required from your side.
  • Comprehensive vendor security audit is needed.
  • Audit of all digital points between you and the vendor (security and infrastructure environment through which software development will flow) is required, especially, in highly collaborative Agile scenarios.

Full outsourcing of the secure software development process

Pros:

  • A vendor assumes full responsibility for security across the whole development infrastructure (including information storage, asset management, HR management and communication), team assembly and management, and the quality of the project results.
  • Established secure software development practices and methodologies for each SDLC stage.

Cons:

  • High vendor risks.
  • Comprehensive vendor security audit is needed.

Project manager

  • Plans time and budget to ensure that security and resilience requirements are thoroughly handled through the software development life cycle.

Business Analyst (BA)

  • Gathers and documents functional and non-functional (including security and resilience) requirements from all software stakeholders.
  • Helps with threat and countermeasure identification and assessment due to deep understanding of specific business processes and data.
  • Determines the value of the data to be collected, stored and transmitted by planned software.

Security engineer / DevSecOps

  • Identifies software security flaws at all SDLC stages.
  • Prepares the application’s risk profile.
  • Performs static and dynamic software analysis, automates these types of analysis, and helps to integrate security tools into CI/CD pipelines.
  • Configures and implements computer security and networking diagnostic and monitoring tools.
  • Identifies security risks to the infrastructure.
  • Prepares incident response plans.
  • Manages log analytics tools.

System architect

  • Designs software architecture in accordance with security and resilience requirements.

Software engineer

  • Develops secure backend and frontend employing secure coding practices.

Compliance (PCI DSS, HIPAA, etc.) expert

  • Assumes ownership of all compliance requirements.
  • Performs compliance audits and compiles reports.
  • Documents compliance-related processes.

Pentester

  • Plans and creates penetration scripts and tests.
  • Simulates cyberattacks to expose and report weaknesses in security.
  • Creates reports to document pentesting findings.

Want to Build Secure Software Fast?

ScienceSoft offers end-to-end development of highly secure applications with minimized security risks at each SDLC stage.

OWASP Zed Attack Proxy (ZAP)

Best for: automated pentesting and security regression testing

Description

An open-source penetration testing tool designed specifically for testing web applications in the CI/CD pipeline.

  • Can be used as a stand-alone application and as a daemon process.
  • Can be configured to connect to another network proxy (if there is one already in use).
  • Has versions for all major OSs and Docker.
  • Core features include Intercepting Proxy, Active and Passive Scanners, Traditional and AJAX Spiders, Brute Force Scanner, Port Scanner.
  • Additional functionality is freely available from a variety of add-ons in the ZAP Marketplace, accessible from within the ZAP client.
  • Can be automated via Quick Start command line, Docker Packaged Scans, GitHub Actions, a dedicated Automation Framework (not tied to any container technology), API and Daemon mode.
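The CI/CD scanning recommended in Stage 3 and the Docker packaged scans listed above meet in a build gate: a script that reads the JSON report written by a ZAP packaged scan (for example `zap-baseline.py -J report.json`) and fails the pipeline when alerts at or above a chosen risk level appear. This is an added example, not ZAP's or ScienceSoft's code; the report shape it parses (`site[].alerts[]` with `riskcode`, `alert`, `instances`) follows ZAP's traditional JSON report, and the embedded sample report is constructed, not a real scan.

```python
# Added example: fail a build on ZAP alerts above a risk threshold.
# Assumes ZAP's traditional JSON report layout; SAMPLE_REPORT is constructed.
import json

RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

# Constructed sample report: one site, one Medium and one Low alert.
SAMPLE_REPORT = json.dumps({
    "@programName": "ZAP",
    "site": [{
        "@name": "https://staging.example.test",
        "alerts": [
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "2",
             "instances": [{"uri": "https://staging.example.test/", "method": "GET"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "https://staging.example.test/login", "method": "GET"}]},
        ],
    }],
})


def load_alerts(report_text):
    """Flatten site[].alerts[] into (site, plugin id, name, risk, instance count)."""
    data = json.loads(report_text)
    rows = []
    for site in data.get("site", []):
        for a in site.get("alerts", []):
            rows.append((site.get("@name", "?"), a.get("pluginid", "?"),
                         a.get("alert", "?"), int(a.get("riskcode", "0")),
                         len(a.get("instances", []))))
    return rows


def gate(report_text, fail_at=2, allowlist=()):
    """Return (passed, failing_rows). Alerts with risk >= fail_at block the build
    unless their plugin id is on the allowlist (documented accepted-risk exceptions)."""
    failing = [r for r in load_alerts(report_text)
               if r[3] >= fail_at and r[1] not in allowlist]
    return (len(failing) == 0, failing)


if __name__ == "__main__":
    import sys
    ok, rows = gate(SAMPLE_REPORT, fail_at=2)
    for site, pid, name, risk, n in rows:
        print(f"[{RISK_NAMES.get(str(risk), risk)}] {name} (plugin {pid}) "
              f"at {site}: {n} instance(s)")
    sys.exit(0 if ok else 1)
```

Run it after the scan step in the pipeline and wire the exit code into the job result; the allowlist should only carry plugin ids whose risk was formally accepted during the final security review.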

Pricing

Pricing: free.

Arachni

Best for: vulnerability assessment

Description

Ruby framework for penetration testers and DevOps engineers to evaluate the security of web applications.

  • Can audit client-side code.
  • Supports complicated web applications, which make heavy use of such technologies as JavaScript, HTML5, DOM manipulation and AJAX.
  • Can be deployed as a Ruby library, a CLI scanner, WebUI, and a distributed system using remote agents.
  • Detects all popular risks, including XSS, SQL injection, NoSQL injection, file inclusion.
  • Supports all major operating systems (Windows, Mac OS X, and Linux) and is distributed via portable packages which allow for instant deployment.
  • A wide choice of add-on modules, e.g., individually selected Checks to add to the scan, SQL injection, NoSQL injection, etc., plugins (passive proxy, form-based login, script-based login, dictionary attacker for HTTP Basic Authentication, cookie collector, and more), Reporters (to store scan results in a suitable format).
  • High performance due to asynchronous HTTP requests for lightweight concurrency and fast communications, clustered browser environments for parallel JavaScript/DOM operations, supporting multi-instance scans.
  • Detailed, well-structured reports generated in different formats: HTML (zip), Text, JSON, XML, YAML, Marshal, AFR (Arachni Framework Report file).

Pricing

Pricing: free.

Burp Suite

Best for: pentesting

Description

An integrated platform for security testing of web applications.

  • Automated, manual and semi-automated security scanning.
  • Scheduled, recurring, and triggered scans.
  • Testing for OWASP Top 10 vulnerabilities as well as the latest hacking techniques.
  • Burp Proxy for intercepting HTTP requests and responses.
  • Complete toolbox for penetration testing, including Burp Scanner, Burp Intruder, Burp Repeater, and Burp Sequencer.
  • 250+ Burp Extensions (BApps) for customizing pentesting workflows.
  • Browser-powered scanning using embedded Chromium browser.
  • Ability to interact with Burp Suite functionality and data from third-party software via a REST API.
  • HTML or XML scan reports.

Pricing

Professional edition - $399 per year.

Enterprise edition:

  • 5 scanning agents - $5,595 per year
  • 20 scanning agents - $11,580 per year
  • 50+ scanning agents - $23,550 per year

1 scanning agent = 1 scan at a time. Agents can be reassigned across any websites, applications and URLs.


Where you spend

Introducing secure software development practices requires additional skills and effort (usually 20-80% added effort), which obviously makes such projects more costly than those focused on ‘common’ software development.

To calculate the costs of secure development, different cost estimation models can be used. For example, the COCOMO-II model estimates the cost of incorporating security features as:

ΔE = E (with security) − E (without security), where ΔE is the additional effort required to develop secure software and E is the effort in person-months (PM).


The cost of security depends on:

  • Additional skills and roles to be included in the project team.
  • The change in source code size from adding security protection.
  • The estimated complexity (from very low to very high) of the software project before and after security is added.
  • The amount of software documentation required before and after security measures are introduced.
  • The familiarity of the project team with tools that are required to add security to the software project.
  • The change in required development time.
  • The level of required software reliability (from very low to very high).
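The ΔE formula above and the cost-driver list can be worked through with the COCOMO II post-architecture effort equation, PM = A × Size^E × Π(EM_i), with E = B + 0.01 × Σ(scale factors). This is an added example, not ScienceSoft's model or code: the constants A = 2.94, B = 0.91, the all-nominal scale-factor sum 18.97 and the multiplier tables for RELY, CPLX, DOCU, TOOL and TIME are the COCOMO II.2000 values as recalled by the editor and should be verified against the model manual; the before/after project scenario is constructed.

```python
# Added example: ΔE = E(with security) - E(without security) under COCOMO II.
# Constants and multiplier tables are COCOMO II.2000 values from memory
# (treat as illustrative; verify against the model manual).
A = 2.94   # calibration constant
B = 0.91   # exponent base

# Effort multipliers for the cost drivers the page lists, by rating.
# VL=very low, L=low, N=nominal, H=high, VH=very high, XH=extra high.
EM = {
    "RELY": {"VL": 0.82, "L": 0.92, "N": 1.00, "H": 1.10, "VH": 1.26},  # required reliability
    "CPLX": {"VL": 0.73, "L": 0.87, "N": 1.00, "H": 1.17, "VH": 1.34, "XH": 1.74},  # complexity
    "DOCU": {"VL": 0.81, "L": 0.91, "N": 1.00, "H": 1.11, "VH": 1.23},  # documentation
    "TOOL": {"VL": 1.17, "L": 1.09, "N": 1.00, "H": 0.90, "VH": 0.78},  # tool familiarity/use
    "TIME": {"N": 1.00, "H": 1.11, "VH": 1.29, "XH": 1.63},             # execution-time constraint
}


def effort_pm(ksloc, ratings, scale_factor_sum=18.97):
    """Effort in person-months for `ksloc` thousand source lines.
    `ratings` maps driver -> rating; drivers not listed are nominal (1.0).
    scale_factor_sum is the sum of the five scale factors (18.97 = all nominal)."""
    exponent = B + 0.01 * scale_factor_sum
    product = 1.0
    for driver, rating in ratings.items():
        product *= EM[driver][rating]
    return A * ksloc ** exponent * product


def security_delta(ksloc_before, ratings_before, ksloc_after, ratings_after):
    """Return (ΔE in person-months, relative increase) between the project
    without security work and the same project with it."""
    e_without = effort_pm(ksloc_before, ratings_before)
    e_with = effort_pm(ksloc_after, ratings_after)
    return e_with - e_without, e_with / e_without - 1.0


if __name__ == "__main__":
    # Constructed scenario: security adds 16% code, and raises reliability,
    # complexity and documentation needs from nominal to high.
    delta, rel = security_delta(50.0, {}, 58.0,
                                {"RELY": "H", "CPLX": "H", "DOCU": "H"})
    print(f"ΔE = {delta:.1f} PM, i.e. {rel:.0%} more effort")
```

The relative increase for this constructed scenario lands inside the 20-80% band quoted above; swapping TOOL to L (unfamiliar security tooling) pushes it past that band, which is the practical argument for the team-familiarity item in the list.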


Where you win

Organizations that apply secure software development practices and eliminate vulnerabilities as early in the SDLC as possible:

  • Spend less time on software repair.
  • Optimize software development costs by reducing cycle times and avoiding costs associated with delayed releases.
  • Avoid big data penalties and fines.

Overall, the return on establishing a secure software engineering framework is around 20%.

Secure Software Development Services by ScienceSoft

In software development since 1989, ScienceSoft’s qualified teams help companies efficiently build and implement secure software.

Secure software development consulting

  • Helping shape software vision, eliciting and structuring software requirements, including security requirements.
  • Designing secure software architecture, helping choose a tech stack.
  • Developing a business case.
  • Delivering PoC.
  • Delivering a detailed development roadmap.
  • Planning a DevSecOps strategy.

Secure software development

  • Software requirements engineering, including security requirements.
  • Secure software design.
  • Development using the best practices of secure coding.
  • Regular code reviews by security experts.
  • Post-commit penetration testing (automated/manual).
  • Establishing secure CI/CD pipelines.

About ScienceSoft

In software development since 1989, ScienceSoft is an established IT consulting and software development company headquartered in McKinney, Texas. 16 years of experience in cybersecurity and a vast pool of experienced security engineers, compliance experts, software architects and developers trained in secure software design and coding empower ScienceSoft to plan and deliver resilient and compliant software.