CISSP: Development Environment Security Controls

Introduction

Cloud computing and mobile applications are radically changing the way we do business. Enterprises are building applications more rapidly than ever before, often using Agile development processes and then expanding their internal development programs with third-party software and open-source libraries and components that increase the overall threat exposure cumulatively.

An application or software “vulnerability” is fundamentally a flaw, loophole, or weakness in the application that leads it to process critical data insecurely. By exploiting these vulnerabilities, cyber-criminals can gain access to an enterprise system or software and steal confidential data. Most common software vulnerabilities include escalation of privilege, buffer overflow, and input /output validation vectors such as SQL injection, cross-site request forgery (CSRF), and cross-site scripting (XSS).

Securing software and applications are among the major challenges faced by the industry. Still, in the eyes of software developers, security is an impediment and a roadblock to the overall development process.

Every software program or application has its own development lifecycle, which encompasses the following phases: initiation, development or acquisition, implementation, operations, maintenance, and disposal. Collectively, these are called the system development lifecycle (SDLC). Each of the phases has explicit goals and requirements and security has its set of controls to be adhered to and practiced for each stage.

What Is a Security Control?

Security controls are technical and administrative defenses and security measures for countering and minimizing loss or unavailability of services and application that are due to vulnerabilities.

Security controls are referenced generally all the time but are rarely defined. The security controls can be technical or administrative and can be further classified as preventive, detective, or corrective in nature.

• Preventive controls are used to prevent the threat from coming in contact with the vulnerabilities or loopholes identified within an application or software package.
• Detective controls are used to (Read more...)