Fundamental Practices for Secure Software Development
Third Edition
March 2018
Essential Elements of a Secure Development Lifecycle Program
© 2018 SAFECode – All Rights Reserved.

Table of Contents

Executive Summary
Introduction
    Audience
    SAFECode Guidance and Software Assurance Programs
Application Security Control Definition
    Actively Manage Application Security Controls
Design
    Secure Design Principles
    Threat Modeling
    Develop an Encryption Strategy
    Standardize Identity and Access Management
    Establish Log Requirements and Audit Practices
Secure Coding Practices
    Establish Coding Standards and Conventions
    Use Safe Functions Only
    Use Code Analysis Tools To Find Security Issues Early
    Handle Data Safely
    Handle Errors
Manage Security Risk Inherent in the Use of Third-party Components
Testing and Validation
    Automated Testing
    Manual Testing
Manage Security Findings
    Define Severity
    Risk Acceptance Process
Vulnerability Response and Disclosure
    Define Internal and External Policies
    Define Roles and Responsibilities
    Ensure that Vulnerability Reporters Know Whom to Contact
    Manage Vulnerability Reporter
SAFECode_Fundamental_Practices_for_Secure_Software_Development_March_2018 (SAFECode Fundamental Practices for Secure Software Development)
English document
38 pages
This document was uploaded and shared by 路人甲 on 2022-05-30 11:53:07.