Secure Software Development Life Cycle (SecSDLC) || Identity Access Management (IAM)


6.3.9 Secure Software Development Life Cycle (SecSDLC) 

The SecSDLC involves identifying specific threats and the risks they represent, followed by the design and implementation of specific controls to counter those threats and assist in managing the risks they pose to the organization and/or its customers. The SecSDLC must provide consistency, repeatability, and conformance. The SDLC consists of six phases, and there are steps unique to the SecSDLC in each of these phases:

Phase 1. Investigation: Define project processes and goals, and document them in the program security policy.

Phase 2. Analysis: Analyze existing security policies and programs, analyze current threats and controls, examine legal issues, and perform risk analysis.

Phase 3. Logical design: Develop a security blueprint, plan incident response actions, plan business responses to disaster, and determine the feasibility of continuing and/or outsourcing the project.

Phase 4. Physical design: Select technologies to support the security blueprint, develop a definition of a successful solution, design physical security measures to support technological solutions, and review and approve plans.

Phase 5. Implementation: Buy or develop security solutions. At the end of this phase, present a tested package to management for approval.

Phase 6. Maintenance: Constantly monitor, test, modify, update, and repair to respond to changing threats. [8]

In the SecSDLC, application code is written in a consistent manner that can easily be audited and enhanced; core application services are provided in a common, structured, and repeatable manner; and framework modules are thoroughly tested for security issues before implementation and continuously retested for conformance through the software regression test cycle. Additional security processes are developed to support application development projects, such as external and internal penetration testing and standard security requirements based on data classification. Formal training and communications should also be developed to raise awareness of process enhancements.


6.3.25 Identity Access Management (IAM)

As discussed in Chapter 5, identity and access management is a critical function for every organization, and a fundamental expectation of SaaS customers is that the principle of least privilege is applied to their data. The principle of least privilege states that only the minimum access necessary to perform an operation should be granted, and that access should be granted only for the minimum amount of time necessary. [17] However, business and IT groups will need and expect access to systems and applications. The advent of cloud services and services on demand is changing the identity management landscape. Most current identity management solutions are focused on the enterprise and are typically architected to work in a very controlled, static environment. User-centric identity management solutions such as federated identity management, as mentioned in Chapter 5, also make some assumptions about the parties involved and their related services.
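
The two halves of the least-privilege definition above (minimum access, minimum time), as an added Python example that is not taken from the book or from any product: each grant names one operation on one resource and carries an expiry, checks deny by default, and a review function lists grants that have expired or were never exercised. The principals, resource names and usage set are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    principal: str
    action: str           # exactly one operation, e.g. "read"; no wildcards
    resource: str         # exactly one resource, e.g. "tenant-a/tickets"
    expires_at: datetime  # access ends here unless explicitly re-granted


def is_allowed(grants, principal, action, resource, now):
    """Deny by default: allow only on an exact, unexpired grant."""
    return any(
        g.principal == principal and g.action == action
        and g.resource == resource and now < g.expires_at
        for g in grants
    )


def excess_grants(grants, used, now):
    """Return grants beyond the minimum: expired, or never exercised.

    `used` is a set of (principal, action, resource) tuples, assumed to be
    extracted from access logs for the review period.
    """
    return [
        g for g in grants
        if now >= g.expires_at
        or (g.principal, g.action, g.resource) not in used
    ]


# Constructed sample data (hypothetical principals and resources).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
GRANTS = [
    Grant("support-eng", "read", "tenant-a/tickets", NOW + timedelta(hours=1)),
    Grant("support-eng", "write", "tenant-a/tickets", NOW + timedelta(hours=1)),
    Grant("dba", "read", "tenant-a/db", NOW - timedelta(minutes=5)),
]
USED = {("support-eng", "read", "tenant-a/tickets"),
        ("dba", "read", "tenant-a/db")}

if __name__ == "__main__":
    print(is_allowed(GRANTS, "support-eng", "read", "tenant-a/tickets", NOW))
    print(is_allowed(GRANTS, "dba", "read", "tenant-a/db", NOW))
    for g in excess_grants(GRANTS, USED, NOW):
        print("revoke:", g.principal, g.action, g.resource)
```

The review step matters as much as the check: the unused write grant and the expired DBA grant are both access that exists without a current need.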
