Assessment of software development lifecycle security maturity

"Cybersecurity increasingly constitutes a real challenge for public and private organizations as well as for individuals. The development and sophistication of cyberattacks are becoming a major concern for decision-makers and users at all levels.

Attackers adopt highly sophisticated methods to exploit the vulnerabilities of information systems to illegitimately access them, thereby compromising the confidentiality, availability, or integrity of these systems. Among the targeted systems, application assets are prime targets.

Recent studies show that a significant portion of successful attacks target exploitable vulnerabilities in the application layer. In this regard, according to the "Software Improvement Group," about 75% of internet attacks have exploited security flaws specific to software.

To address this issue, software developers have tried in the past to outsource security tasks. This has been done with firewalls, intrusion detectors, or malware protection. However, if the software has security vulnerabilities, it is not always possible to remedy these weaknesses via externally added security components without losing functionality.

This currently widespread software development practice generates multiple vulnerabilities that need to be addressed as quickly as possible through patch cycles. Risks to developed applications will continue to grow substantially if the security of the implemented software is not considered. It is increasingly essential to adopt an approach that integrates security from the design stage through to delivery and production.

Through various audits conducted by the DGSSI and audit firms with various stakeholders, it has often been found that developed applications have several critical vulnerabilities, the corrections of which are generally costly. Developing an application and then thinking about security measures later is a common practice that the DGSSI strongly recommends avoiding. Instead, the DGSSI recommends integrating security requirements from the application or service's design stage. These requirements can translate into architectural choices, functionalities, technologies, etc.

In this regard, the DGSSI recommends integrating the notion of risks into the software development project lifecycle. The goal is to propose a series of actions distributed throughout the design and development cycle of a product, integrating into each entity's existing project methodology. The involvement of all stakeholders (Developers, Security/Risk Managers, Operations) is a guarantee of security in this approach. Security should be everyone's responsibility.

In this context, the DGSSI developed a guide on the maturity of the software development lifecycle in 2021. This guide defines application security according to several axes and covers, in particular:

  •  The most well-known software development methodologies;
  •  Some models concerning secure development lifecycles;
  •  A focus on the SAMM maturity model;
  •  A maturity level calculation matrix based on the SAMM 2.0 model.


The maturity level calculation matrix is the result of this work. It allows stakeholders, regardless of the adopted software development methodology, to access a simple and concise question/answer form to transparently calculate the security maturity level of their development cycles, similar to what has been previously used in the context of the DNSSI.

The proposed approach is designed to be independent of the development methodology, meaning it can be applied to all types of projects. It should also allow for:

  •  Evaluating an organization's existing software security practices;
  •  Building a balanced software security program according to well-defined iterations;
  •  Demonstrating concrete improvements to a security assurance program;
  •  Defining and measuring security-related activities;
  •  Allowing entities to self-assess and calculate gaps relative to security practices.

The aim of this approach is to further develop the culture of application security at the national level. The DGSSI invites all stakeholders to undertake the proposed evaluation and share their results to consolidate a document on the maturity of the software development security lifecycle at the national level."
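The announcement above describes a question/answer matrix that computes a maturity level and the gap to a target, but does not show the arithmetic. The following is an added illustration, not the DGSSI guide's matrix nor the OWASP SAMM toolkit itself. It assumes the scoring conventions of the public OWASP SAMM 2.0 model: each of a practice's two streams is answered at three maturity levels with No / Some / Half / Most (scored 0, 0.25, 0.5, 1), a stream score is the sum of its three answers (0 to 3), a practice score is the mean of its two streams, and a business-function score is the mean of its practices. The business function, practice and stream names are those of SAMM 2.0's "Design" function; every answer is constructed sample data. It also adds a consistency check a reviewer would want: a stream claiming more at a higher level than at a lower one usually signals a misread question.

```python
"""Added example: SAMM 2.0-style maturity scoring and gap calculation.

Scoring conventions are an assumption taken from the public OWASP SAMM 2.0
toolkit; the answers below are constructed sample data, not real results.
"""
from dataclasses import dataclass
from typing import Dict, List

# Answer scale per quality criterion (assumed from the SAMM 2.0 toolkit).
ANSWER_SCORE: Dict[str, float] = {
    "no": 0.0,      # practice not performed
    "some": 0.25,   # performed for a few applications / teams
    "half": 0.5,    # performed for at least half of them
    "most": 1.0,    # performed for most or all of them
}


@dataclass
class Stream:
    name: str
    answers: List[str]  # exactly one answer per maturity level 1, 2, 3

    def score(self) -> float:
        """Sum of the three level scores, range 0.0 to 3.0."""
        if len(self.answers) != 3:
            raise ValueError(f"{self.name}: expected 3 answers, got {len(self.answers)}")
        return sum(ANSWER_SCORE[a.lower()] for a in self.answers)

    def is_consistent(self) -> bool:
        """Higher maturity levels should not score more than the level below."""
        levels = [ANSWER_SCORE[a.lower()] for a in self.answers]
        return all(levels[i] >= levels[i + 1] for i in range(len(levels) - 1))


@dataclass
class Practice:
    name: str
    streams: List[Stream]

    def score(self) -> float:
        """Mean of the stream scores, range 0.0 to 3.0."""
        return sum(s.score() for s in self.streams) / len(self.streams)


@dataclass
class BusinessFunction:
    name: str
    practices: List[Practice]

    def score(self) -> float:
        """Mean of the practice scores, range 0.0 to 3.0."""
        return sum(p.score() for p in self.practices) / len(self.practices)


def gaps(function: BusinessFunction, target: float) -> Dict[str, float]:
    """Distance of each practice from a target maturity level (0 if already met)."""
    return {p.name: max(0.0, target - p.score()) for p in function.practices}


def inconsistent_streams(function: BusinessFunction) -> List[str]:
    """Names ('practice/stream') of streams whose answers should be re-checked."""
    return [f"{p.name}/{s.name}"
            for p in function.practices for s in p.streams
            if not s.is_consistent()]


# Constructed self-assessment for the SAMM 2.0 "Design" business function.
SAMPLE_FUNCTION = BusinessFunction("Design", [
    Practice("Threat Assessment", [
        Stream("Application Risk Profile", ["most", "half", "no"]),   # 1.5
        Stream("Threat Modeling", ["half", "no", "no"]),              # 0.5
    ]),
    Practice("Security Requirements", [
        Stream("Software Requirements", ["half", "some", "no"]),      # 0.75
        Stream("Supplier Security", ["no", "no", "no"]),              # 0.0
    ]),
    Practice("Security Architecture", [
        Stream("Architecture Design", ["most", "most", "some"]),      # 2.25
        Stream("Technology Management", ["some", "no", "no"]),        # 0.25
    ]),
])

if __name__ == "__main__":
    print(f"{SAMPLE_FUNCTION.name} maturity: {SAMPLE_FUNCTION.score():.3f} / 3")
    for practice, gap in gaps(SAMPLE_FUNCTION, target=2.0).items():
        print(f"  {practice:<25} gap to level 2.0: {gap:.3f}")
    for flagged in inconsistent_streams(SAMPLE_FUNCTION):
        print(f"  re-check answers: {flagged}")
```

Running the block prints a function score of 0.875 and a per-practice gap to a target of 2.0, which is the kind of figure an entity would share with the DGSSI under the approach described; the target value is a parameter so the same code serves an organisation's own iteration plan.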


DGSSI 2024. All rights reserved.