10 de ago de 2023

Secure software development: a comprehensive guide to the seven key stages

  • Connect and support people
  • Not all software is created equal. A solid approach to secure software development is a key aspect that sets them apart.

    Here our Chief Information Security Officer, Robert Haist, lays out how the concept of secure Software Development Lifecycle (secure SDLC) plays a critical role as the cornerstone for maintaining a holistic and continuous focus on security.

    “At TeamViewer, we meticulously follow an extended version of the secure SDLC in every software development lifecycle. It is this holistic and comprehensive approach to security that gives companies around the world the peace of mind they need to rely on TeamViewer.”
    Robert Haist, Chief Information Security Officer

    At its core, secure software development can only happen if you have a framework in place that ensures a constant focus on security. Organized into seven overarching stages, the secure SDLC is a set of individual components that enhance the development process and reinforce software security.

    Stage #1: Security training

    In a nutshell

    Security risks can be, more often than not, attributed to human error. To avoid this, security training and education must be positioned as a core part of every individual’s role in an organization. Regardless of department, role, or seniority, security should be considered the responsibility of everyone. Adequate, accessible, and regular training should be provided to all members of staff from the onboarding and throughout.

    In detail

    Understand the significance of providing security training for every member of your organization and take advantage of your very own Security Training to-do list here.

    Stage #2: Security-screened requirements

    In a nutshell

    To ensure project security requirements are met, define and determine your approach. TeamViewer follows a Definition of Done (DoD) methodology, which we highly recommend implementing. Enhance project security by establishing a clear plan of action.

    In detail

    See how your organization can DoD into practice and tick off the other items on your Security-Screen Requirements to-do list.

    Stage #3: Security-aware design

    In a nutshell

    The design stage is where many of the technical details of a product are communicated to clients or internal stakeholders. It is crucial to prioritize security awareness in this stage, as decisions made here significantly impact the final product design. At this stage, TeamViewer collaborates closely with Security and Privacy experts to ensure the development process is driven forward in the most security-aware way.

    In detail

    Here we demonstrate how we follow Security by Design and Privacy by Default approaches as well as providing you with your Security-Aware Design to-do list.

    Stage #4: Secure implementation

    In a nutshell

    Based on your security-aware design, your software should be ready to be securely coded and, overall, the implementation should be straightforward. To ensure this, it is essential to conduct a comprehensive set of tests, including both automatic and manual evaluations.

    In detail

    We have included what tests are needed, and why, as well as your Secure Implementation to-do list in this long-form version of the Seven Key Stages of Secure Software Development.

    Stage #5: Verification

    In a nutshell

    During the verification stage you want to ensure that your software functions as intended and adheres to the security measurements you have built around it.

    In detail

    What kind of tests should you be performing? We answer this question and take you through how you can tick them off your Verification to-do list.

    Stage #6: Secure release

    In a nutshell

    With the tests completed it’s time for users to benefit from the software. To ensure a secure release, it’s important to use a hardened code signing service before it reaches the end user.

    In detail

    There is one very important item on your Secure Release to-do list that cannot be skipped over.

    Stage #7: Response

    In a nutshell

    Even when you strictly follow each stage and test continuously, the threat of vulnerability is always present, and you need to be ready for it. To maintain security, you need a security incident response plan. As part of this, ensure that there is a clear reporting system in place so that those responding to incidents can effectively communicate their findings back to the wider team. Implementing a Bug Bounty team (more about in the fold out) is also a keen approach to catch and respond to vulnerabilities efficiently.

    In detail

    In this final stage, tackle incidents effectively and efficiently by following your Response to-do list.