SDLC and Security in Projects
When organisations undertake any form of change, there is a potential to add new risks to the equation. This is particularly true, from a cyber security perspective, when there is development of new systems or changes to systems and infrastructure. Root cause analysis of many of our penetration testing projects often point to this as a key risk. Building security into the project lifecycle has often been a challenge; security is often seen as a blocker and running contrary to project goals and timelines. This is particularly acute in environments where speed to market is a critical competitive advantage. This can lead to building projects with significant security flaws. As organisations move away from traditional waterfall development toward agile and DevOps approaches, the role of security becomes even more important.
Our approach to ‘Secure by Design’ is focused on making security relevant to the process and building security champions within the development community; this reflects our view on the personal effectiveness of security professionals in challenging risk and working in partnership with the broader business. In particular, we help clients by:
Helping the security team to deliver value to the project through promoting security as an enabler to the business;
Working with both project teams and the security teams to develop threat models relating to the project. These threat models are then used throughout the development process to assess whether security objectives are being met;
Developing and supporting implementation of secure by design project principles into the project and development processes;
Performing testing (including penetration testing and code review) throughout a project lifecycle with root cause analysis to understand issues in the secure by design approach.
Our secure by design approach covers both Systems Development projects as well as broader IT change projects (e.g. major upgrade of systems, architecture changes, etc.)