The secure software development life cycle in cloud computing is one of the most interesting concepts. Although some view a single point-in-time vulnerability scan as an indicator of trustworthiness, much more important is a holistic evaluation of the people, processes, and technology that delivered the software and will continue to maintain it.
Several software development lifecycles have been published, and most of them contain similar phases.
Secure software development life cycle in cloud computing is structured
As mentioned earlier in this domain, another software development lifecycle is arranged like this:
- Planning and requirements analysis
You can see the similarities between the two.
There is a series of fairly intuitive phases in any lifecycle for developing software.
With the move to cloud-based applications, it has never been more important to ensure the security of applications that run in environments which may not enjoy the same security controls available in a traditional data center.
It is well understood that security issues discovered once an application is deployed are exponentially more expensive to remediate.
Understanding that security must be “baked in” from the moment an application is created or consumed by an organization leads to a higher, reasonable assurance that applications are properly secured before an organization uses them.
This is the purpose of a cloud-secure development lifecycle.
Security of applications must be viewed as a holistic approach in a broad context that includes not just software development considerations but also the business and regulatory context and other external factors that can affect the overall security posture of the applications being consumed by an organization.
To this end, the International Organization for Standardization (ISO) has developed and published ISO/IEC 27034-1, “Information Technology—Security Techniques—Application Security.”
ISO/IEC 27034-1 defines concepts, frameworks, and processes to help organizations integrate security within their software development lifecycle.
Standards are also required to increase the trust that companies place in particular software development companies.
Service-oriented architecture (SOA) views software as a combination of interoperable services, the components of which can be substituted at will.
As SOA becomes more commonplace, the demand for proven adherence to secure software development practices will only gain in importance.
Organizational Normative Framework
ISO 27034-1 lays out an organizational normative framework (ONF) for all components of application security best practices.
The containers include the following:
- Business context: Includes all application security policies, standards, and best practices adopted by the organization
- Regulatory context: Includes all standards, laws, and regulations that affect application security
- Technical context: Includes required and available technologies that apply to application security
- Specifications: Documents the organization’s IT functional requirements and the solutions that are appropriate to address these requirements
- Roles, responsibilities, and qualifications: Documents the actors within an organization who are related to IT applications
- Processes: Relates to application security
- Application security control library: Contains the approved controls that are required to protect an application based on the identified threats, the context, and the targeted level of trust

ISO 27034-1 defines an ONF management process.
This bidirectional process is meant to create a continuous improvement loop. Innovations that result from securing a single application are returned to the ONF to strengthen all of the organization's application security in the future.
Application Normative Framework
The application normative framework (ANF) is used in conjunction with the ONF and is created for a specific application.
The ANF maintains the applicable portions of the ONF that are needed to enable a specific application to achieve a required level of security or the targeted level of trust.
The ONF-to-ANF relationship is one-to-many: one ONF is used as the basis to create multiple ANFs.
Application Security Management Process
ISO/IEC 27034-1 defines an application security management process (ASMP) to manage and maintain each ANF.
The ASMP is created in five steps:
- Specifying the application requirements and environment
- Assessing application security risks
- Creating and maintaining the ANF
- Provisioning and operating the application
- Auditing the security of the application