Friday, July 13, 2012

Security in the SDLC - A Real World Perspective

Intro
It is important to understand why it is critical to consider security in the early phases of the SDLC. Whether the system is out of the box or a custom developed system, vulnerabilities can arise in each stage of the life cycle. Evidence suggests that the payoff for eliminating security flaws, or vulnerabilities, early on in the life cycle is high. As the diagram below suggests (data gathered from Microsoft), the earlier, the better.
[Figure: chart of the relative cost of repairing a flaw across the life-cycle phases Initiation & Requirements & Design, Build/Configure/Test, and Go Live/Post Go Live & Sunset; cost axis marked 1X, 5X, 10X, 15X, 30X]
Figure 2: Example of the acceleration of cost of flaw repairs
NOTE: X is a normalized unit of cost and can be expressed in terms of person-hours, dollars, etc.

The earlier the vulnerabilities (or their sources) are identified, the more time there is for corrective actions. The longer a flaw exists within a system, the more costly it is to repair or mitigate. During the undetected period, other system components might be developed based on the flawed assumption — to undo entire layers of system design is a costly proposition. The National Institute of Standards and Technology (NIST) estimates that system flaw re-work or repairs performed after implementation can result in 30 times the cost of fixes performed during the design phase.
Roles and Responsibilities
Many participants have a role in information systems development. The names for the roles and titles will vary among organizations. Not every participant works on every activity within a phase. The determination of which participants need to be consulted in each phase is as unique to the organization as the system development. With any systems development project, it is important to involve the appropriate information security personnel as early as possible, preferably in the planning phase. The table below is an example.
Role
Responsibilities

IT Program Leader/Business VP
The Business VP is a senior manager or executive who has the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organization operations and assets, individuals, and other organizations. To do this, the approver relies primarily on the completed security assessment report and security plan of action for reducing or eliminating information system vulnerabilities.

Chief Information Officer (CIO)
Responsible for the organization’s information system planning, budgeting, investment, performance, and acquisition. As such, the CIO provides advice and assistance to senior organization personnel in acquiring the most efficient and effective information system to fit the organization’s enterprise architecture.

Director, Global IT Configuration and Change Management
The CM manager is responsible for managing the effects of changes or differences in configurations on an information system or network. Thus, the CM manager assists in streamlining change management processes and prevents changes that could detrimentally affect the security posture of a system before they happen.

GSO Purchasing Agent
The Contracting Officer is the person who has the authority to enter into, administer, and/or terminate contracts and make related determinations and findings.

Director, Global IT Security
Responsible for ensuring the security of an information system throughout its life cycle.

IT Security Assessor
Responsible for conducting the security assessment and focal point for security related matters.

Director, Risk and Compliance
Responsible for ensuring that the services or system being procured meet existing regulatory requirements, IT standards and corporate policies.

Risk and Compliance Assessor
Responsible for conducting the compliance and risk assessment and focal point for risk and compliance related matters.

IT Project Manager
This person represents business and programmatic interests in the information system during the SDLC process. The program manager plays an essential role in security and is, ideally, intimately aware of functional system requirements.

Business Program Leader
Represents the business, is responsible for providing the business requirements and understands the existing process.

Business Executive (VP or SVP)
Responsible for the procurement, development, integration, modification, operation, and maintenance of an information system. Has the authority to formally assume responsibility for operating an information system at an acceptable level of risk to his/her organization.

VP (CISO), Global IT Security, Risk, Compliance and Change Management
Responsible for promulgating policies on security integration in the SDLC and developing enterprise standards for information security. This individual plays a leading role in introducing an appropriate structured methodology to help identify, evaluate, and minimize information security risks to the organization.

Enterprise Architect
As the overall designer and integrator of the Enterprise Architecture, the architect is responsible for creating the overall design architecture and for maintaining the conceptual integrity of the architecture throughout the project life cycle and ensuring cohesiveness among other projects and systems. The Enterprise Architect is also responsible for ensuring the quality of technical work products delivered by the project team, including designs, specifications, procedures, and documentation.

Other Participants
The list of SDLC roles in an information system development can grow as the complexity increases. It is vital that all development team members work together to ensure that a successful development is achieved. Because information security officials must make critical decisions throughout the development process, they should be included as early as possible in the process. System users may assist in the development by helping the program manager to determine the need, refine the requirements, and inspect and accept the delivered system. Participants may also include personnel who represent IT, configuration management, design and engineering, and facilities groups.

Categorization of Systems
Security categorization starts with the identification of what information supports which lines of business, as defined in my previous blog entry, "The 'C' word that will save you some Trouble: Categorization". The business and privacy impact will help determine the categorization of the system. Subsequent steps focus on the evaluation of security in terms of confidentiality, integrity, and availability. As stated in the NIST document on the SDLC, "the result is strong linkage between mission, information, and information systems with cost-effective information security". The best approach is to have the business tower leaders endorse and participate in the categorization process. This helps to ensure that individual information systems are categorized at the appropriate level in accordance with the business objectives of the organization. Security categorization helps security professionals consider potential adverse impacts to the risk program and to security in general for your organization.
The Rest of it in a Nutshell
You can follow the rest of the NIST recommended processes or do something that your organization will adopt, accept and incorporate into your PMO ongoing processes. In my experience, it helps to extract the security requirements from your security standards into a single list, known as the "Security Requirements Master". These should be all the common requirements. Make sure the project team has this list as part of the initial engagement; then, as the security analyst learns more about the system, the requirements can be refined and customized enough to apply to all the system interfaces, system management, password requirements, etc. Another thing that you need to do to ensure success is to make security requirements non-negotiable and... of course... to have support from the top.
