
Security_Testing_SDLC.md 07/07/2022

# Security Testing SDLC


Because I will never work in a company that big, I tried to distill the points which are useful for every programmer. So my approach was to think about what an individual developer can do to enhance his code, security-wise. I also documented non-SAST requirements.

## Prepare the Organization (PO)

| Practice | Task | Sec test relevant | Why | What |
|---|---|---|---|---|
| PO.1 | PO.1.1 | Yes | Functional sec. req. are to be tested like any other. | Define policies that specify the security requirements for the organization's software to meet, including secure coding practices for developers to follow. |
| PO.1 | PO.1.1 | Yes | For non-functional sec. req. it must be defined how to address them. | Define policies that specify software architecture requirements, such as making code modular to facilitate code reuse and easier updates as well as isolating security functionality from other functionality during code execution. |
| PO.3 | PO.3.1 | No | General governance, not particular for testing. | Use automated technology for toolchain management and orchestration. |
| PO.3 | PO.3.2 | No | General governance, not particular for testing. | Integrate tools with other tools and with existing software development processes and workflows. |
| PO.3 | PO.3.2 | No | General governance, not particular for testing. | Update, upgrade, and replace existing tools. |
| PO.3 | PO.3.2 | No | General governance, not particular for testing. | Monitor tools and tool logs for potential operational and security issues. |
| PO.4 | PO.4.1 | No | General governance, not particular for testing. | Record security check approvals, rejections, and requests for exception as part of the workflow and tracking system. |

## Protect Software (PS)

| Practice | Task | Sec test relevant | Why | What |
|---|---|---|---|---|
| PS.1 | PS.1.1 | No | But it's necessary for the code quality. | Use version control features of the repository to track all changes made to the code with accountability to the individual developer account. |
| PS.1 | PS.1.1 | No | To be sure that the code is not altered unnoticed after a test. | Use cryptography (e.g., cryptographic hashes) to help protect the integrity of files. |
| PS.1 | PS.1.1 | No | But it's important to keep track of what other software you use. | Create and maintain a software bill of materials (SBOM) for each software package created. |
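The second PS.1.1 row (hashes so that the code is not altered unnoticed after a test) as an added example that is not part of the original note: a manifest of SHA-256 digests is taken from the tested tree and verified before release; the directory layout and file contents are constructed sample data.

```python
# Added example, not from the original note: hash a tested source tree so that
# any change made after the test run is detected before release (PS.1.1).
# The directory layout and file contents below are constructed sample data.
import hashlib
import os
import tempfile


def file_sha256(path: str) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each relative file path under root to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_sha256(full)
    return manifest


def verify_manifest(root: str, manifest: dict) -> dict:
    """Report files modified, added or removed since the manifest was taken."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(p for p in current if p not in manifest),
        "removed": sorted(p for p in manifest if p not in current),
    }


def demo() -> dict:
    # constructed scenario: record hashes after testing, then edit a file
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "src"))
        src = os.path.join(root, "src", "auth.c")
        with open(src, "w") as fh:
            fh.write("int check(void) { return 0; }\n")
        manifest = build_manifest(root)  # store this next to the test report
        with open(src, "a") as fh:
            fh.write("/* edited after the test run */\n")
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())  # {'modified': ['src/auth.c'], 'added': [], 'removed': []}
```

An empty report from `verify_manifest` means the tree being shipped is byte-for-byte the tree that was tested.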

## Produce Well-Secured Software (PW)

| Practice | Task | Sec test relevant | Why | What |
|---|---|---|---|---|
| PW.1 | PW.1.1 | Yes | Yes, to adopt your test. | Review vulnerability reports and statistics from previous software. |
| PW.2 | PW.2.1 | Yes | So your testing is up to date. | Review the software design to confirm that it addresses all of the security requirements. |
| PW.3 | PW.3.1 | No | General governance, not particular for testing. | Define the security-related criteria for selecting commercial and open-source software. |
| PW.3 | PW.3.2 | No | General governance, not particular for testing. | See if there are publicly known vulnerabilities in the software modules and services that the vendor has not yet fixed. |
| PW.3 | PW.3.2 | No | General governance, not particular for testing. | Ensure each software module or service is still actively maintained, which should include new vulnerabilities found in the software being remediated. |
| PW.3 | PW.3.2 | No | General governance, not particular for testing. | Determine a plan of action for each third-party software module or service that is no longer being maintained or available in the future. |
| PW.5 | PW.5.1 | Yes | Should be easy to implement. | Validate all inputs, and validate and properly encode all output. |
| PW.5 | PW.5.1 | Yes | Should be easy to implement. | Avoid using unsafe functions and calls. |
| PW.5 | PW.5.1 | Yes | Should be easy to implement. | Handle errors gracefully. |
| PW.5 | PW.5.1 | Yes | Should be easy to implement. | Provide logging and tracing capabilities. |
| PW.5 | PW.5.1 | Yes | Should be a core functionality of the SAST. | Check for other vulnerabilities that are common to the development languages and environment. |
| PW.6 | PW.6.1 | Yes | It's easy to implement a check whether the used compiler is the newest one. | Use up-to-date versions of compiler and build tools. |
| PW.6 | PW.6.2 | Yes | For non-functional sec. req. it must be defined how to address them. | Enable compiler features that produce warnings for poorly secured code during the compilation process. |
| PW.6 | PW.6.2 | Yes | Because the code can be altered after the testing. | Implement the "clean build" concept, where all compiler warnings are treated as errors and eliminated. |
| PW.6 | PW.6.2 | No | That's a part of the public relations department. | Enable compiler features that randomize characteristics, such as memory location usage, that would otherwise be easily predictable and thus exploitable. |
| PW.6 | PW.6.2 | No | It's not just the testing. | Document information about the compilation and build tool configuration in a knowledge base that developers can access and search. |
| PW.7 | PW.7.2 | No | General governance, not particular for testing. | Use a static analysis tool to automatically check code for vulnerabilities and for compliance with the organization's secure coding standards, with a human reviewing issues reported by the tool and remediating them as necessary. |
| PW.7 | PW.7.2 | Yes | Should be included in the test software. | Use automated tools to identify and remediate documented and verified unsafe software practices on a continuous basis as human-readable code is checked into the code repository. |
| PW.7 | PW.7.2 | No | General governance, not particular for testing. | Identify and document the root cause of each discovered issue. |
| PW.7 | PW.7.2 | No | General governance, not particular for testing. | Document lessons learned from code review and analysis in a knowledge base that developers can access and search. |
| PW.9 | PW.9.1 | No | It has to be done by humans because it's too complex for a test. | Conduct testing to ensure that the settings, including the default settings, are working as expected and are not inadvertently causing any security weaknesses, operational issues, or other problems. |

## Respond to Vulnerabilities (RV)

| Practice | Task | Sec test relevant | Why | What |
|---|---|---|---|---|
| RV.1 | RV.1.2 | No | It's a requirement for how the test is executed. | Configure the toolchain to perform automated code analysis and testing on a regular basis. |
| RV.2 | RV.2.1 | No | General governance, not particular for testing. | Use issue tracking software (existing software, if available) to document each vulnerability. |
| RV.3 | RV.3.1 | No | General governance, not particular for testing. | Document the root cause of each discovered issue. |
| RV.3 | RV.3.1 | No | General governance, not particular for testing. | Document lessons learned from root cause analysis in a knowledge base that developers can access and search. |
| RV.3 | RV.3.2 | Yes | To develop the tests further. | Add mechanisms to the toolchain to automatically detect future instances of the root cause. |