Your Cybersecurity Roadmap to Value - A Secure Software Development Roadmap
A Secure Software Development Roadmap for the Future
Over the next several years, software development will occur at an exponential rate (Eng, 2021; Fujdiak et al., 2019; Kiswani, Dascalu, Muhanna, & Harris, 2018). System and application developers will need to build solutions based on a secure software design lifecycle (SSDLC) framework. Below is such a framework which was developed using several industry best practices.
The first best practice leveraged, and the foundation of the SSDLC, is Deming’s Plan, Do, Check, Act (PDCA) (Deming, 2021). It is depicted by the blue arrow chain of events, which also serves as a timeline. The timeline can be used today as well as in the future to develop an SSDLC. Deming’s PDCA was defined and created to provide valuable learning, knowledge, and insight for the continual improvement of a product, process, or service. In this case, PDCA was modified into a Prepare, Develop, Assess, and Execute (PDAE) process (Figure 1: Prepare, Develop, Assess & Execute process and timeline). The PDAE is leveraged for improvement and to reduce the likelihood of a bad actor exploiting a vulnerability. By leveraging the PDAE, developers prepare for the vulnerability by identifying the risks and the associated vulnerabilities in the system or application. Additionally, the MJC PDAE leverages the model for proper vulnerability management from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) (CERT, 2016), as well as CISA’s definition of vulnerability management as Define, Plan, Implement, Assess & Improve.
Once the vulnerability is identified, a solution is developed by defining the requirements, designing the solution, and building it to those requirements. The built solution is then assessed to ensure it mitigates the vulnerability. The assessment includes testing the solution in a development or stage environment and preparing it for release into the operational environment. After a successful test in the development or stage environment, the solution is released into operations. Releasing the solution initiates the execution phase of the PDAE, in which a release team, a system or application team, and product managers follow an Agile methodology to release the solution into operations and sustain the application or system until end of life or until the next update is built, tested, and released.
However, a PDAE and Release Management are not enough for the development of an SSDLC framework. For an SSDLC to be effective, it must be used by more than a release management team, developers, or an operations team. It must also be used by leadership and executives to define a vision and strategy. With a strategy in place, the organization converts the strategy into an action plan. The action plan will include a vulnerability management aspect to keep the SSDLC up to date, so that it delivers towards the vision and strategy and enables the organization to deliver on the mission. Therefore, Maximum Justice Cybersecurity (MJC) has created the Secure-V (V is for Value-Chain) SSDLC model (Figure 3). The MJC Secure-V SSDLC model is a full-lifecycle roadmap leveraging the DoD Defense Acquisition University (DAU) Systems Engineering Process (DAU, 2021). The MJC Secure-V model and roadmap has eight stages, represented in large bold print (Vision & Strategy, Require, Design, Build, Improve, Test, Release, and Sustain).
When all of these models are put together, organizations have a cybersecurity roadmap (Figure 4: MJC SSDLC Cybersecurity Roadmap to Value). This roadmap is a value-add model which defines the value-chain of an SSDLC framework and roadmap. The steps within the Secure-V value-chain begin with defining a vision and strategy for the solution, which is based upon and supports the organization's mission. With the vision and strategy defined, developers work with their clients, customers, and end-users to determine the system or application’s requirements, all while ensuring security requirements are identified and included in the build-out of the solution. Once the requirements are known, developers use an agile development methodology to build a secure solution. Because an agile development methodology is iterative and continuous, this step will be repeated many times to ensure the product or solution meets the need for a secure solution. Since the build process is iterative, it provides an approach for continuous improvement while providing a methodology for continuous integration and continuous delivery of the application or solution. Once the application or solution is built, it is tested before being released into operations. Operations will provide a means to ensure the cloud, on-prem, or hybrid application or solution is sustainable and meets the requirements defined early in the value chain. Developers who leverage this process for an SSDLC will create a solution which ensures the data generated by people, processes, and technologies (the application or system) is secure and provides the confidentiality, integrity, and availability needed for today and tomorrow. From this data, developers, operators, and executives can collect and review metrics for management and to identify opportunities in the never-ending search for continuous improvement.
References
CERT. (2016). Vulnerability Management: CRR Supplemental Resource Guide. US-CERT, Cybersecurity & Infrastructure Security Agency (CISA), Department of Homeland Security (DHS). Vol 4. V1.1. Retrieved from https://us-cert.cisa.gov/sites/default/files/c3vp/crr_resources_guides/CRR_Resource_Guide-VM.pdf
DAU. (2021). Technical Processes Overview. Systems Engineering Brainbook. Defense Acquisition University (DAU). Retrieved from https://www.dau.edu/tools/se-brainbook/Pages/Technical%20Processes/Technical-Processes-Overview.aspx
Deming, W. (2021). PDSA Cycle. The W. Edwards Deming Institute. Retrieved from https://deming.org/explore/pdsa/
Eng, C. (2021). The sorry state of software security: Secure development is key. TechBeacon. MicroFocus. Retrieved from https://techbeacon.com/security/sorry-state-software-security-secure-development-key
Fujdiak, R., Mlynek, P., Mrnustik, P., Barabas, M., Blazek, P., Borcik, F., & Misurec, J. (2019). Managing the Secure Software Development. 10th IFIP International Conference on New Technologies, Mobility and Security (NTMS), pp. 1-4, doi: 10.1109/NTMS.2019.8763845.
Kiswani, J., Dascalu, S., Muhanna, M., & Harris, F. (2018). Clowiz: A Model-driven Development Platform for Cloud-based Information Systems. 6th International Conference on Multimedia Computing and Systems (ICMCS), pp. 1-6, doi: 10.1109/ICMCS.2018.8525494.