Cyber Security Guideline for Secure Software

CYBER SECURITY GUIDELINE FOR SECURE SOFTWARE DEVELOPMENT LIFE CYCLE (SSDLC)

CyberSecurity Malaysia
November, 2019

REGISTERED OFFICE:
CyberSecurity Malaysia,
Level 7 Tower 1,
Menara Cyber Axis,
Jalan Impact,
63000 Cyberjaya,
Selangor Darul Ehsan, Malaysia

COPYRIGHT © 2019 CYBERSECURITY MALAYSIA
The copyright of this document belongs to CyberSecurity Malaysia. No part of this document (whether in hardcopy or electronic form) may be reproduced, stored in a retrieval system of any nature, transmitted in any form or by any means either electronic, mechanical, photocopying, recording, or otherwise without the prior written consent of CyberSecurity Malaysia. The information in this document has been updated as accurately as possible until the date of publication.

NO ENDORSEMENT
Products and manufacturers discussed or referred to in this document, if any, are presented for informational purposes only and do not in any way constitute product approval or endorsement by CyberSecurity Malaysia.

TRADEMARKS
All terms mentioned in this document that are known to be trademarks or service marks have been appropriately capitalised. CyberSecurity Malaysia cannot attest to the accuracy of this information. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark.

DISCLAIMER
This document is for informational purposes only. It represents the current thinking of CyberSecurity Malaysia on the security aspects of the SSDLC environment. It does not establish any rights for any person and is not binding on CyberSecurity Malaysia or the public. The information appearing on this guideline is not intended to provide technical advice to any individual or entity. We urge you to consult with your own SSDLC advisor before taking any action based on information appearing on this guideline or any other documents to which it may be linked.

PUBLIC COMMENT
You may submit electronic comments and suggestions at any time for CyberSecurity Malaysia consideration to [email protected]. Comments may not be acted upon by CyberSecurity Malaysia until the document is next revised or updated.

Acknowledgement
CyberSecurity Malaysia wishes to thank the following individuals who have contributed and/or reviewed this document.
External Contributors/Reviewers:
Internal Contributors/Reviewers:

Contents

INTRODUCTION
1. Scope
2. Terms, Definitions, Abbreviated Terms and Acronyms
    2.1 Terms and Definitions
    2.2 Abbreviated Terms and Acronyms
3. Intended Audience
4. Secure Software Development Life Cycle (SSDLC)
5. Phase 1: Security Requirements
    5.1 Sources for security requirement
    5.2 Data Classification
    5.3 Use case and misuse case modeling
    5.4 Risk management
6. Phase 2: Security Design
    6.1 Core Security Design Considerations
    6.2 Additional Design Considerations
    6.3 Threat modeling
7. Phase 3: Security Development
    7.1 Common software vulnerabilities and controls
    7.2 Secure software processes
    7.3 Securing build environments
8. Phase 4: Security Testing
    8.1 Attack surface validation
    8.2 Test data management
9. Phase 5: Security Deployment
    9.1 Software acceptance considerations
    9.2 Verification and validation (V&V)
    9.3 Certification and accreditation (C&A)
    9.4 Installation
10. Phase 6: Security Maintenance
    10.1 Operations, monitor and maintenance
    10.2 Incident Management
    10.3 Problem management
    10.4 Change management
    10.5 Disposal
11. SSDLC Checklists
    11.1 Phase 1: Security Requirements (5)
    11.2 Phase 2: Secure Design (6)
    11.3 Phase 3: Security Development (7)
    11.4 Phase 4: Security Testing (8)
    11.5 Phase 5: Security Deployment (9)
    11.6 Phase 6: Security Maintenance (10)
12. References
Appendix A
Appendix B
Appendix C
Appendix D
Appendix E
Appendix F

INTRODUCTION

This document provides a guideline for the Secure Software Development Life Cycle (SSDLC) and highlights the security tasks for each phase involved in the development process. The SSDLC consists of six (6) phases: security requirement, security design, security development, security testing, security deployment and security maintenance. This guideline describes security information, such as the security tasks that are incorporated into every phase, for producing secure software that ensures the confidentiality, integrity and availability of the organization's information systems.

Applying security tasks in the development life cycle has become vital and is needed to address several problems. The high cost of remediation for the developer whenever vulnerabilities are identified after the software has been deployed is the major problem for the organization. As a consequence, such vulnerabilities may be associated with a breach, which in turn affects the organization. Therefore, it is important for the organization to ensure that the appropriate security controls and security tasks are in place throughout the development life cycle. The organization must plan for security in order to incorporate it from the beginning of any software development. The organization ensures that the appropriate security tasks are included in the design phase to meet the requirement phase. The process continues with developing the software securely and assuring that the security requirements have been met during implementation. The organization must conduct ongoing reviews to maintain the appropriate level
