NIST SP 800-64 Secure SDLC Considerations: High Level Summary
Secure SDLC has become an influencing factor in application development. Given the increasing number of threats and attacks across industries, almost all organisations now focus on integrating security into their application development process to avoid such incidents in future. Security should be incorporated at the early stages of the development cycle rather than added later. This needs to be done in line with the guidelines and frameworks set by the Information Technology Laboratory of the National Institute of Standards and Technology (NIST) and other organisations, so that cost-effective security is added step by step in every phase of the SDLC.
The guide presented in NIST SP 800-64 rev2 complements the Risk Management Framework with a comprehensive approach to managing risk and applying a level of security appropriate to the level of risk. It describes how to integrate security functionality and assurance into the SDLC.
[Also See Blog: Integrating Security Across SDLC phases]
To be most effective, information security must be integrated into the SDLC from system inception.
Ref: NIST SP 800-64 rev2
Early integration of security in the SDLC ensures maximum ROI in security programs:
- The earlier possible security concerns are identified, the lower the cost of implementing security controls and mitigating vulnerabilities
- Awareness of potential engineering challenges that may be encountered later
- Early awareness of these challenges enables effective security control implementation
- Identification of shared security services and reuse of security strategies and tools reduces overall development cost
- Ensures security is built in, improving the overall security posture of the product
- Informed executive decision making through comprehensive and timely risk management
The NIST SP 800-64 rev2 guide focuses on the information security components of the SDLC. It first describes the key security roles and responsibilities in the SDLC and then the relationship between information security and the SDLC.
Key Roles and Responsibilities in SDLC:
Many participants are involved throughout the SDLC process, performing different activities in the different phases. Some of the key roles and their responsibilities are explained below:
Authorizing Official (AO): Executive responsible for acquiring/operating of an information system at an acceptable level of risk.
Chief Information Officer (CIO): Responsible for Planning, Budgeting, investment, Performance and acquisitions.
Configuration Management (CM) Manager: Responsible for streamlining change management processes and controlling changes that may affect the security posture of the system.
Information System Security Officer (ISSO): Responsible for ensuring the security of the system throughout the Lifecycle.
Privacy Officer: Responsible for ensuring the privacy of procured services or system.
Program Manager: Manages the functional system requirements during the SDLC and is responsible for all business and program handling during the lifecycle process.
QA/Test Director: Responsible for reviewing system specifications, determining test needs, and working with Program Managers to plan activities leading up to field test activities. Also responsible for system test and evaluation, and for executing the test plan as defined in the specification.
Chief Information Security Officer (CISO): Responsible for enforcing policies that integrate security into the SDLC.
Software Developer: Responsible for secure coding, implementing controls and handling other CM issues.
System Architect: Responsible for designing and maintaining the system architecture. Also ensures quality of specification, documentation etc.
System Owner: The system owner is responsible for the procurement, development, integration, modification, operation, and maintenance of an information system.
Incorporating Security into SDLC
The NIST guide describes the SDLC as a five-phase process, and each phase is assigned a set of security tasks.
These phases are:
- Initiation phase
- Development/Acquisition Phase
- Implementation/Assessment Phase
- Operations/Maintenance Phase
- Disposal Phase
Let’s discuss the standards set by NIST for each one of the phases:
Initiation Phase
During this phase the enterprise establishes and documents the project goals and system requirements. This early planning and risk assessment helps developers define the threat environment in which the system will operate. NIST standards require organisations to categorise the impact of a security breach, i.e., the loss of Confidentiality, Integrity or Availability, at one of three levels, Low, Moderate or High, and to select appropriate security controls accordingly. Security categorization standards assist organizations in making the appropriate selection of security controls for their information systems.
Major Security Activities in Initiation Phase:
- Initiate Security Planning
- Identify Key Security Roles & Stakeholder Security Integration Awareness
- Identify Sources of Security Requirements
- Outline Key Security Milestones
- Security Reporting Metrics
- Categorize Information System
- Risk analysis based on potential business impact
- Assist in making appropriate Selection of Security controls
- Business Impact Analysis
- Privacy Impact Analysis
- Ensure use of Secure Information System Development Processes
- Plan for required Security Training
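The categorisation step above follows the FIPS 199 "high-water mark" rule: for each objective (confidentiality, integrity, availability) the system takes the highest impact level assigned to any of the information types it handles, and the overall system level is the highest of the three. The following Python is an added example, not code from NIST or from this post; the information types and impact levels are constructed, and the mapping of the overall level to an SP 800-53 baseline name is this example's own shorthand.

```python
"""FIPS 199 style security categorization (added example, not from NIST).

High-water mark: each objective (C, I, A) takes the highest impact level
among the information types handled; the system level is the highest of
the three. Baseline names follow NIST SP 800-53 (Low/Moderate/High)."""
from typing import Dict, Iterable, List, Optional, Tuple

# Ordered least to most severe. None means "not applicable", which FIPS 199
# allows only for the confidentiality of public information.
LEVELS = ("LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")

# An information type: (name, confidentiality, integrity, availability)
InfoType = Tuple[str, Optional[str], str, str]


def _rank(level: Optional[str]) -> int:
    """Numeric severity; N/A ranks below LOW so it never raises the mark."""
    if level is None:
        return -1
    if level not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return LEVELS.index(level)


def categorize(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """Return per-objective high-water marks plus the overall system level."""
    types = list(info_types)
    if not types:
        raise ValueError("a system must handle at least one information type")
    result: Dict[str, str] = {}
    for idx, obj in enumerate(OBJECTIVES, start=1):
        top = max(_rank(t[idx]) for t in types)
        # Only confidentiality can end up N/A (every type is public data).
        result[obj] = LEVELS[top] if top >= 0 else "N/A"
    # Integrity and availability are never N/A, so this index is always >= 0.
    result["system"] = LEVELS[max(_rank(t[i]) for t in types for i in (1, 2, 3))]
    return result


def baseline_for(category: Dict[str, str]) -> str:
    """Map the overall level to an SP 800-53 control baseline name."""
    return f"{category['system'].capitalize()} baseline"


# Constructed sample: a public portal that also holds payroll and credentials.
SAMPLE_SYSTEM: List[InfoType] = [
    ("public web content", None, "LOW", "MODERATE"),
    ("payroll records", "MODERATE", "MODERATE", "LOW"),
    ("authentication data", "HIGH", "HIGH", "LOW"),
]
```

Note how a single high-impact information type (the authentication data) pulls the whole system to the High baseline, which is exactly why the categorisation must be done before controls are selected.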
Development/Acquisition Phase
At this stage the system is designed, purchased, programmed, developed, or otherwise constructed.
Major Security Activities in Development/Acquisition Phase
- Initial Risk assessment
- Evaluate the system design against the security requirements
- Evaluate Security Controls effectiveness
- Select and Document Security Controls
- Design Security Architecture
- Security Control implementation in System Design
- Develop Security Documentation
- Configuration Management Plan
- Contingency Plan, Incident Response Plan
- Continuous Monitoring Plan, etc.
- Security Assurance analysis
- Cost considerations for hardware, software, etc.
- Initial documents for System Certification and Accreditation
[Also See Blog: Secure the Design for Low Cost Security Control Implementation]
Implementation/Assessment Phase
At this stage the system security features are installed and their functionality is tested against the specifications before the system is placed into operation. Security controls are integrated at the operational site through established techniques and procedures. The results are documented for use in later phases.
Major Security Activities in Implementation/Assessment Phase
- Create Detailed Plan for Certification & Accreditation (C&A)
- Integrate Security into Established Environments or Systems
- Integration and Acceptance Testing
- Enabling Security control settings
- Assess System Security
- Validate system functional and security requirements
- Testing of Security Controls and their resiliency
- Security Accreditation: Authorize Information System to process, store or transmit information
Operations/Maintenance Phase
In this phase the system is operating and is continuously monitored to ensure the pre-established requirements remain satisfied while hardware and software components are added or replaced. Configuration Management (CM) and control activities are required to manage upgrades of hardware, software, and firmware components of the information system and to document any actual change in the system, which is essential for continuous monitoring and for reporting the status of the comprehensive information security program.
Major Security Activities in Operations/Maintenance Phase
- Review Operational Readiness to handle unplanned modifications to system
- Perform Configuration Management and Control activities to ensure consideration of potential security impacts due to specific changes in the system
- Conduct Continuous Monitoring to ensure effectiveness of security controls over time
Disposal Phase
This stage covers contract closeout and disposal of the system. The system is terminated in an orderly way by preserving all of its vital information in accordance with records management regulations, so that it can be reactivated in future if needed. It also ensures that data is deleted, erased or overwritten as necessary, and that hardware and software are archived or disposed of as directed by the authority.
Major Security Activities in Disposal Phase
- Build and Execute a Disposal/Transition Plan
- Ensuring Information Preservation (Backup) and Retrieval methods
- Legal requirements related to record retention when disposing of systems
- Media sanitization policy to prevent unauthorized information disclosure
- Hardware and Software disposal policy
- System closure or disassembling policy
Additional areas for Security Considerations
Developers should use NIST SP 800-64 as a reference document, in conjunction with other NIST publications, throughout the development of the system. "Building Security In" is a security management technique that applies specific security considerations in each SDLC phase. Let's walk through the security-oriented considerations for service-based or cross-IT-platform initiatives.
Supply Chain and Software Assurance
This process requires demonstrating best practices and methodologies that promote security and integrity in hardware and software. It targets three goals: trustworthiness, predictable execution and conformance. Towards these goals, acquisition managers and information security managers should factor in risks posed by the supply chain as part of their risk mitigation efforts.
Service-Oriented Architecture (SOA)
SOA is an architectural design in which existing or new functionality is packaged as services. These services communicate with each other by passing data from one service to another. NIST SP 800-95, Guide to Secure Web Services, provides more information on SOA security considerations. Scoping the security boundary, assigning a risk level, managing security expectations across stakeholders and getting them aligned in an agreement are a few of the security management challenges with SOA.
Specific Accreditation of Security Modules for Reuse
This provides developers with trusted code that can be reused when needed, at reduced cost, for security functionality that must be relied upon across a broad range of projects. The same process is described in NIST SP 800-37.
Cross-organizational solutions provide value and benefit to multiple organizations, typically under a memorandum of agreement (MOA) or service-level agreement (SLA). The MOA or SLA should specifically describe the security features, requirements and expected performance levels to ensure all parties are adequately protected. It should also cover test and validation responsibilities, incident response procedures, and monitoring and operations policies.
Technology Advancement and Major Migrations
As technology advances, existing systems must also be migrated or upgraded to keep up with it. Consideration must be given not only to integrating security into the SDLC for new systems and the integration of systems, but also to the overhaul, upgrade, or migration of systems to address technology advancement.
Data Center or IT Facility Development
This area deals with physical security solutions. The data centre is the foundation upon which the applications are built. Customers using the data centre facility should be provided with a redundancy matrix together with the protection mechanisms in place. Data at rest and data in transit should be separated, and features that support separation of duties and auditability should be strictly enforced, for example the use of VLANs for administrative traffic and for applications.
The use of virtual machines is a good cost-saving measure. It can provide additional security in terms of isolation and recovery, but it needs additional planning for the risks introduced by virtualization, such as data interception and denial of service against the host's resources.
The above is a high-level summary of the NIST Special Publication on security considerations in the SDLC, which assists organizations by providing guidelines for building security into their SDLC process. This helps them identify, develop and test cost-effective, risk-appropriate security controls.
The Hack2Secure Secure SDLC program is based on a range of industry security standards and practices, providing organizations with an end-to-end solution to learn, adopt, integrate, implement and analyse the Secure SDLC process. Our Secure SDLC workshop, integrated with a globally available certification program, equips professionals with the skills required for Secure SDLC adoption. Hack2Secure's exclusive Secure SDLC consulting service assists organizations in adopting a Secure SDLC framework and integrating it into their processes.