How can gap analysis be applied to the security SDLC?

BROWSE BY TAG Expert Archive: Security Management,   Software Development Methodology,   Application and Platform Security,   Enterprise Risk Management: Metrics and Assessments,   Information Security Management,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Expert Archive: Security Management What is the GISP certification and how does it compare to the CISSP certification? Using a QSA to write up a PCI DSS report on compliance (ROC) Comparing cheap security products and appliances to costly appliances What are some tips on protecting my security budget in a poor economy? What value do research firms provide to their subscribing enterprises? What certificate offers the best ROI for an IT project manager? Is insider activity or outsider activity a bigger enterprise threat? How does information security prevent fraud in the enterprise? Differences between an SAS 70 data center and a Tier III data center What does the future of the endpoint encryption market look like? Software Development Methodology Quiz: How to build secure applications How to detect software tampering Developers Need Help with Security Errors Does an EULA make it truly illegal to decompile software? SQL injection continues to trouble firms, lead to breaches IBM acquires Ounce Labs for source code analysis Microsoft issues emergency Active Template Library updates Software security threats and employee awareness training Adobe patches ColdFusion vulnerability blocking website attack nCircle statistics show rising Web application vulnerabilities Enterprise Risk Management: Metrics and Assessments Layoffs prompt insider threat fears, cybersecurity survey finds How to avoid Internet liability lawsuits Bruce Jones: Report Security and Risk Metrics in a Business-Friendly Way Bernie Rominski: Communicate Effectively with Management about Risk Best Policy and Risk Management Products Monitoring program data and internal controls for risk management Risk management strategy for an information technology solution provider Align your data protection efforts with GRC The basics of enterprise GRC project management RSA council addresses growing security risks in the cloud Enterprise Risk Management: Metrics and Assessments Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bypass  (SearchSecurity.com) Common Weakness Enumeration  (SearchSecurity.com) debugging  (SearchSoftwareQuality.com) fuzz testing  (SearchSecurity.com) heuristics  (SearchSoftwareQuality.com) sandbox  (SearchSecurity.com) threat modeling  (SearchSecurity.com) trigraph  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

To answer a pretty open-ended question, let's tackle the fundamentals of developing software securely. Optimally, start at the architecture phase, with a threat model that tries to anticipate the most predictable attack vectors on the software. With that threat model, it's possible to design defenses in to address those attack vectors, then constantly check the code and test the ability to defend the private data.

Of course, that utopia tends not to exist in the real world, as most security professionals inherit an application or a software package and have to make the best of it. That's where gap analysis comes in. Basically this involves figuring out where the gaps exist in existing defenses and then putting a plan in place to address the issues.

How can that be done with existing code? There are three main ways and all are important. So to be clear right up front, the answer isn't either/or, it's to what degree all three techniques should be used:

1. Automated testing -- Look at application scanners, which analyze source code and check for common errors that can create exposures; things like SQL injection, faulty input validation and cross-site scripting can be reasonably easy to pinpoint.
2. Pen testing -- As good as many of the application scanners are, there is no substitute for a real person trying to figure out how an application can be exploited. In many cases, a penetration tester can find logic errors that are highly problematic yet can't be caught by scanners.
3. Code reviews -- The third technique is to actually look through the code and find problems. Yes, this can be time consuming, but it's important. Again, there are things that a good code review will pinpoint that will be missed by the other methods.

So yes, a gap analysis does have a place in developing software securely, though more often when retro-fitting an existing application.

More information:

• Watch this interview with Gary McGraw, who discusses secure software development.
• Read more about analyzing business processes and infrastructure for data protection.