Due to its globally accessible nature, applications are becoming more popular targets for attackers to compromise an organization’s security

SSDLC or Secure Software Development Lifecycle is structured to deploying secure software applications has become increasingly important due to the rise in security risks.

Software application are designed and developed with functionality first in mind and security as a distant second or third

6 phases in secure software development:

I. Security Requirement

All requirements, including security, are highly specified in the first place and laid the groundwork for the rest phases. This module objectives focus functional security and Drivers security which need to be addressed to maintain the confidentiality, integrity and availability .

To gathering Security Requirement:

• Eliciting software security requirements takes different approach

• It should by enumerated separate from the functional requirement so they can be reviewed and tested

• Mixing security requirement with functional requirement can make security requirement gathering process more complicated and inaccurate

II. Security Design

“Most of the web applications are vulnerable due to insecure design of application at design phase”.

A security negligence at design and architecture phase may lead to vulnerabilities that are difficult to detect and expensive to fix in production. We must identifying the threats in sufficient details for developers to understand and code accordingly to mitigate the risk associated with the threat

Secure design actions:

III. Development

Secure coding is an essential aspect of the Software Development Life Cycle (SDLC) that focuses on building software applications with strong security measures in place. By following secure coding practices, you can significantly reduce vulnerabilities and protect your applications from potential cyber threats:

• Input Validation

• BAC

• Injection Flaws

• Improper error handling

• Session management

• Insecure storage

• Cross-site scripting

• DOS

• Buffer overflows

• Insecure configuration management

IV. Testing

Testing phase in SSDLC that is focussing investigation and discovery all vulnerabilities exist in application.

2 commons way:

DAST: is a security testing technique which involves simulating attacks against the application and analyzes how the application behaves

SAST: Application Security Testing (SAST), or “white-box”, tools inspect source code or binaries and provide feedback on possible vulnerabilities. These tools are used during the development phase of the SDLC.

V. Deployment

Deployment is the last phase of SSDL where the application is moved from development environment to production environment

VI. Maintenance

Security should be the critical consideration while deploying any application

JAVA web application secure deployment involves ensuring security at various levels from bottom to top

Administrator should ensure the physical security of a host machine, its OS security, and security of the all other software installed on the machine

A Web Application Firewall (WAF) provides a security layer that protects the web server from malicious traffic

Administrator should ensure secure setting of the web server (Apache Tomcat, Jboss(WildFly))

Administrator should configure and check the deployment security settings in both Server.xml and web.xml files carefully

Maintenance and monitoring is an iterative process undertaken after the initial deployment of the application