I'm currently doing some research into the secure systems/software development frameworks/methodologies that are currently in use.
I'm wondering what frameworks, if any, people in the (ISC)2 community might recommend and why they would recommend them. I would greatly appreciate any useful insights the community could share with me.
Thanks in advance!
In order to develop hack-resilient software, it is important to incorporate security concepts in the requirements, design, code, release and disposal phases of the SDLC. Security concepts span across the entire life cycle and will need to be addressed in each phase.
Microsoft has created a strategy that is referred as the SD3+C, this stands for Secure by Design, Secure by Default, secure by Deployment and communication
There is no single framework that addresses for all. The requirements will be changed from project to project.
For example you can use BSIMM/SSMM during the requirement/design phase
BSIMM is short for Building Security In Maturity Model. The BSIMM is a study of real-world software security initiatives organized so that you can determine where you stand with your software security initiative and how to evolve your efforts over time. BSIMM provides some good guidance for secure operations (such as penetration testing, software configuration, configuration management and vulnerability management) during deployment.
Threat modeling Frameworks you can use during design phase
Open Source Security Testing Methodology Manual (OSSTMM) during testing phase
You can use other NIST/ISO standards
NIST Special Publication (SP 800-18) provides guidance for the development of security plans, incorporating security requirements and controls into the plan
The ISO/IEC 15408 Standard and Software Security
ISO/IEC 21827:2008 – Systems Security Engineering Capability Maturity Model (SSE-CMM)
ISO/IEC 27002:2005 – Code of Practice for Information Security Management
Payment Card Industry Data Security Standard (PCI DSS)
and so forth
DevOps is also a good methodology to incorporate security
Thank you for sharing your insight. It's much appreciated!
I'm aware of almost all of the frameworks/methodologies you've mentioned here. It's good to see I'm on the right track!
Hello Darin !
You might also gaze on the OWASP Secure Software Development Lifecycle Project (https://www.owasp.org/index.php/OWASP_Secure_Software_Development_Lifecycle_Project).
There you´ll find a solid security software methodology for web applications as well as tools and guidelines.
I hope this helps!