The relationship between projects, products, and the SDLC involves an element that is not emphasized enough: security.
Products without security risk becoming irrelevant. Projects lacking governance to comply with organizational security policies will find themselves unable to operate. A Software Development Life Cycle (SDLC) that accounts for security only in the testing phase, or worse, only after deployment, increases both the likelihood of exploitable security vulnerabilities and the cost of fixing them. Cyberattacks may have become normal, but they remain critically unacceptable.
Long ago
My academic training in security dates back to 2006 when I studied Information Assurance and Security, and my practical experience dates back to 2000 when I regularly released software to the public. Every time I published a release, I thought about all of the “hacked” or “cracked” versions of popular competing software. While my product was widely used, it did not get hacked in any notable manner because I added encryption and anti-decompiling mechanisms into the software prior to release. Additionally, I included multiple authentication mechanisms including serial key distribution to control the use of the software by authorized individuals. While sophisticated hackers would have been able to bypass these controls, I made the work more difficult. Making the work more difficult is the key.
Information Security and the Secure Software Development Life Cycle
The next set of blog posts will cover two important security areas: Information Security from the perspective of overall information systems security management, and the Secure Software Development Life Cycle (Secure SDLC). It is important to note: there is no such thing as 100% security. There is always a way to affect the Confidentiality, Integrity, and Availability of a system. What matters is whether the defender of a system is doing what they can to make attackers' goals very difficult to accomplish, so that the risks to the system are minimized and action can be taken to prevent catastrophic consequences. As I did with the PMP® exam, I will go through concepts and details helpful for taking the CISSP® (the gold standard for information security just as the PMP® is for project management) and CSSLP® (for Secure SDLC) exams.