Certified Information Systems Security Professionals (CISSPs) provide value to organizations because they combine technical and security expertise with managerial competence. This dual perspective is especially evident during software development and the writing of secure code. CISSPs are in a position to prioritize security while also weighing the long-term business impacts. To a CISSP, software must be on time, on budget, within scope, AND secure. The good news? It’s within financial reach.
Emphasizing Proactive Security
CISSPs know that the cost of building secure code is practically the same as building insecure code. Therefore, CISSPs can help development teams prioritize security without undermining on-budget or on-time delivery.
Security Throughout the Software Development Lifecycle
CISSPs approach each phase of software development with an eye toward both security and finances. These perspectives matter most in the Requirements, Design, Verification, and Implementation phases, each of which is outlined below.
The Requirements phase involves performing security and privacy risk assessments to determine baseline security needs. Settling on clear security requirements before any code is written minimizes disruption to the project later on. The Requirements phase carries a low cost – you just need to take the time.
In the Design phase, CISSPs add a security perspective to the traditional design review. This perspective covers a comprehensive range of issues, from access control to regulatory requirements to the types of data the system will store. The Design phase can come at no additional cost; it’s an extension of the risk and privacy assessments, and it can be done in-house. Your shoestring budget is intact!
If the team operates in Agile, the Implementation phase involves analysis through user stories and use cases. Static code analysis should be run daily, and any failures it flags should be fixed within 24 hours. This analysis will likely have to be outsourced at a moderate cost.
Where the Implementation phase dealt with use cases, the Verification phase deals with “abuse cases.” This phase prompts organizations to think like a malicious actor and ask, “What features can attackers take advantage of?” Verification takes the form of penetration tests, fuzz testing, and dynamic analysis. Free tools are available, such as the Microsoft File Fuzzer and the OWASP Testing Guide, which keep the cost low.
Worth the Commitment
Executing security controls during software development takes planning and commitment, but doing so allows developers to build secure code without draining other valuable resources such as money and time. CISSP holders can help guide this process with their leadership and their emphasis on both security and business considerations.
Domain 8 of the CISSP exam covers secure software development. CyberVista’s online CISSP exam prep course can prepare you for this domain as well as the seven other domains to pass the CISSP on the first try.