Ask the Expert

How can gap analysis be applied to the security SDLC?

How can gap analysis be applied to the security system development life cycle?

    Requires Free Membership to View

To answer a pretty open-ended question, let's tackle the fundamentals of developing software securely. Optimally, start at the architecture phase, with a threat model that tries to anticipate the most predictable attack vectors on the software. With that threat model, it's possible to design defenses in to address those attack vectors, then constantly check the code and test the ability to defend the private data.

Of course, that utopia tends not to exist in the real world, as most security professionals inherit an application or a software package and have to make the best of it. That's where gap analysis comes in. Basically this involves figuring out where the gaps exist in existing defenses and then putting a plan in place to address the issues.

How can that be done with existing code? There are three main ways and all are important. So to be clear right up front, the answer isn't either/or, it's to what degree all three techniques should be used:

  1. Automated testing -- Look at application scanners, which analyze source code and check for common errors that can create exposures; things like SQL injection, faulty input validation and cross-site scripting can be reasonably easy to pinpoint.
  2. Pen testing -- As good as many of the application scanners are, there is no substitute for a real person trying to figure out how an application can be exploited. In many cases, a penetration tester can find logic errors that are highly problematic yet can't be caught by scanners.
  3. Code reviews -- The third technique is to actually look through the code and find problems. Yes, this can be time consuming, but it's important. Again, there are things that a good code review will pinpoint that will be missed by the other methods.

So yes, a gap analysis does have a place in developing software securely, though more often when retro-fitting an existing application.

More information:

This was first published in October 2008

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: