Q

How can gap analysis be applied to the security SDLC?

When developing software securely, what role does gap analysis play? In this security management expert response, learn how to implement gap analysis into software development, and how it can help stop data leaks at your enterprise.

This Content Component encountered an error
How can gap analysis be applied to the security system development life cycle?

To answer a pretty open-ended question, let's tackle the fundamentals of developing software securely. Optimally, start at the architecture phase, with a threat model that tries to anticipate the most predictable attack vectors on the software. With that threat model, it's possible to design defenses in to address those attack vectors, then constantly check the code and test the ability to defend the private data.

Of course, that utopia tends not to exist in the real world, as most security professionals inherit an application or a software package and have to make the best of it. That's where gap analysis comes in. Basically this involves figuring out where the gaps exist in existing defenses and then putting a plan in place to address the issues.

How can that be done with existing code? There are three main ways and all are important. So to be clear right up front, the answer isn't either/or, it's to what degree all three techniques should be used:

  1. Automated testing -- Look at application scanners, which analyze source code and check for common errors that can create exposures; things like SQL injection, faulty input validation and cross-site scripting can be reasonably easy to pinpoint.
  2. Pen testing -- As good as many of the application scanners are, there is no substitute for a real person trying to figure out how an application can be exploited. In many cases, a penetration tester can find logic errors that are highly problematic yet can't be caught by scanners.
  3. Code reviews -- The third technique is to actually look through the code and find problems. Yes, this can be time consuming, but it's important. Again, there are things that a good code review will pinpoint that will be missed by the other methods.

So yes, a gap analysis does have a place in developing software securely, though more often when retro-fitting an existing application.

More information:

This was first published in October 2008

Dig deeper on Software Development Methodology

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close