Project Managers and Product Owners must be aware of Secure Development aspects across the whole Software Development Lifecycle (SDLC). This article shows the initial steps for adding security aspects to the Product Manager's responsibilities. The number of vulnerabilities and threats to software systems has grown steeply [1]. Product management techniques need to be revised, and the heads of product development must treat security non-functional requirements as the new norm. The old-fashioned way was to delegate all security aspects to network management; however, modern threats use the application layer as the main point of failure, and choices made in the early vision of the product may cause profound damage to a company's reputation. Regardless of where the application is deployed, in the cloud or on-premises, the secure development aspects have changed and need to be addressed from the conception of the product. Other views, such as governance and intelligence, are not covered in this article but are extremely valuable to PMs.
The following video [1] discusses the estimated global cost of cybercrime in 2014; it highlights the importance of taking security non-functional requirements into account in the Product Vision and Product Design phases.
Implementing security into software applications
SDLC models help software teams define the achievements and artifacts of each development phase; the product manager should work to build understanding of, and track progress on, the security aspects of each SDLC phase. From a security point of view, the objectives of each SDLC phase are:
- Planning: understand and document legal and customer security requirements, compliance obligations and training needs (e.g. SOX, PCI-DSS, GLBA, HIPAA).
- Design: model threats and define secure design principles (attack surface reduction, least privilege, and others).
- Construction: integration validations, code analysis and code review, e.g. input validation, fault injection and penetration testing.
- Deployment and Support: plan for incident response, patching and recovery.
To support the guidelines recommended above, a software engineering practice and a security chapter are mandatory, to specify the models, standards and guidelines to be followed.
Models
Microsoft SDL [3], a model that helps software development teams improve and sustain the security and quality of software products. It gives Product Managers recommended security requirements, tools, tests, practices, reviews and plans for each phase.
Standards:
PCI-DSS and PA-DSS [5]. PCI-DSS is the Data Security Standard that applies to any organization or application that stores, processes or transmits credit card data; PA-DSS is its companion standard for payment applications sold to such organizations.
…and others: SOX, GLBA, HIPAA. Let me know (post a comment) if you want a deeper dive on this list.
Guidelines and Reports
Open Web Application Security Project (OWASP) Top 10 [2], a guide that lists the ten most critical web application security risks, how to recognize them and how to mitigate them. As a Product Manager you need to be aware of it and must track, from requirements to deployment, whether each of these risks has been mitigated.
CWE/SANS Top 25 Most Dangerous Software Errors [4], a report issued in 2009, 2010 and 2011 that describes the prevention and remediation steps Product Managers can take to mitigate software weaknesses. The striking thing is that SQL injection is still a threat today.
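To make the construction-phase checks above (input validation, code review) and the remark about SQL injection concrete, here is an added example that is not from the original post: a user lookup written the vulnerable way, beside its parameterized form and an allowlist input-validation layer. It uses Python's standard sqlite3 module with a constructed in-memory table; the table, the usernames and the find_user_* function names are assumptions for illustration only.

```python
import re
import sqlite3

# Constructed sample data (not from the original post): a tiny in-memory user table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    # Deliberately vulnerable: the caller-controlled value is spliced into the
    # SQL text, so a quote in the input changes the meaning of the query.
    # This is the pattern a code review should flag.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    # Parameterized query: the driver passes the value separately from the SQL
    # text, so it is never parsed as SQL no matter what characters it contains.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Allowlist for a plausible username (assumed format): lowercase letter, then
# up to 31 lowercase letters, digits or underscores.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def is_valid_username(name):
    return USERNAME_RE.fullmatch(name) is not None


def find_user_validated(conn, name):
    # Input validation as a second layer in front of the parameterized query:
    # reject anything that does not look like a username before touching the DB.
    if not is_valid_username(name):
        raise ValueError(f"invalid username: {name!r}")
    return find_user_safe(conn, name)


def demo():
    # Classic injection payload: closes the string literal and appends a
    # condition that is always true.
    payload = "x' OR '1'='1"
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, payload),  # every row leaks
        "safe": find_user_safe(conn, payload),              # no such user: []
        "payload_valid": is_valid_username(payload),        # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable function returns all three users for the payload, the parameterized one returns nothing, and the validation layer rejects the payload before any query runs. For a PM, the point to track is that the fix is a coding pattern (parameterization plus validation), which is why it belongs in the construction-phase code review and not only in a later penetration test.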
Continuous Updates
All information in this post was compiled in December 2018. Be aware that attacker methods are constantly evolving, as are the security techniques to address them.
Keep yourself up to date with the latest versions of the security models, standards and guidelines to improve your application's response to threats and vulnerabilities.
For instance, OWASP [2] revises the Top 10 every few years; the 2017 edition replaced the one from 2013.
References:
- [1] https://www.csis.org/events/2014-mcafee-report-global-cost-cybercrime
- [2] https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
- [3] https://www.microsoft.com/en-us/sdl
- [4] http://cwe.mitre.org/top25/
- [5] https://www.pcisecuritystandards.org/document_library
Updates:
Dec 2017, Initial Version
If you liked this post and want an updated version, send me a message on LinkedIn or @GorskiRafael.