Integrating Security into SDLC – Part 6

5. Secure Deployment: The Deployment phase is where the application is actually moved to Production and becomes accessible to its intended users. A dedicated security team should be in place to validate the current environment against the findings from the System Design phase and either give a go-ahead or hold the deployment activity. The validation process must ensure that all the agreed security Controls are in place for each reported Threat.

Deploy Phase: Network Penetration Testing

If the Project Team receives a go-ahead from the security team:

  • The application is deployed on the Production Server and the Network Penetration Testing Team is notified to conduct Network Penetration Tests.
  • These tests are typically performed using commercial / open source penetration testing tools and can be complemented by manual analysis to filter out any false positives.
  • The objective of running these tools is to identify any open ports, default admin accounts, stale accounts, successful logins by unintended users, and more.


To sum it up:

  • Validate relevant security Controls are in-place for reported Threats from System Design phase
  • After a go ahead from Security Team, notify Network Penetration Testing Team
  • Conduct Network Penetration Tests to identify any security vulnerabilities at the Network level
  • Risk rank each identified vulnerability
  • Provide relevant patch recommendations
  • Carry forward all artifacts and observations to the next phase of SDLC
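The go-ahead / hold decision described above, as an added example that is not part of the original post: a small deployment gate that checks constructed post-deployment observations (an nmap-style port listing and an account list) against a constructed threat-to-control register carried forward from the System Design phase, and ranks each gap by the risk assigned at design time. The register, the required port, the default-account list and the 90-day stale threshold are all assumptions.

```python
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}

# Constructed threat register carried forward from the System Design phase:
# each reported Threat maps to the Control that must be in place at deployment.
THREAT_REGISTER = [
    ("T1 exposed management service", "only_required_ports_open", "High"),
    ("T2 default administrative login", "default_accounts_removed", "High"),
    ("T3 orphaned user account reuse", "stale_accounts_removed", "Medium"),
]
REQUIRED_PORTS = {443}                                  # constructed: what the app needs
DEFAULT_ACCOUNTS = {"admin", "root", "guest", "test"}   # constructed: vendor defaults

def parse_open_ports(scan_text):
    """Extract open TCP ports from nmap-style 'PORT STATE SERVICE' lines."""
    ports = set()
    for line in scan_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "open" and "/" in parts[0]:
            ports.add(int(parts[0].split("/")[0]))
    return ports

def evaluate_controls(open_ports, accounts, stale_days=90):
    """Map each control name to (passed, detail) from post-deployment observations."""
    extra = sorted(open_ports - REQUIRED_PORTS)
    defaults = sorted(name for name, _ in accounts if name in DEFAULT_ACCOUNTS)
    stale = sorted(name for name, idle in accounts if idle > stale_days)
    return {
        "only_required_ports_open": (not extra, f"unexpected open ports {extra}"),
        "default_accounts_removed": (not defaults, f"default accounts present {defaults}"),
        "stale_accounts_removed": (not stale, f"accounts idle > {stale_days} days {stale}"),
    }

def deployment_gate(scan_text, accounts):
    """Return ('GO'|'HOLD', findings) with findings ranked by design-time risk."""
    results = evaluate_controls(parse_open_ports(scan_text), accounts)
    findings = [(risk, threat, results[control][1])
                for threat, control, risk in THREAT_REGISTER
                if not results[control][0]]
    findings.sort(key=lambda f: RISK_ORDER[f[0]])   # High before Medium before Low
    return ("GO" if not findings else "HOLD"), findings

# Constructed post-deployment observations (not real scan output).
SAMPLE_SCAN = """PORT     STATE  SERVICE
22/tcp   open   ssh
443/tcp  open   https
8080/tcp open   http-proxy"""
SAMPLE_ACCOUNTS = [("appsvc", 2), ("admin", 120), ("jdoe", 200)]   # (name, days idle)
```

Calling `deployment_gate(SAMPLE_SCAN, SAMPLE_ACCOUNTS)` returns HOLD with the two High findings (ports 22 and 8080 open, `admin` still present) listed before the Medium one.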

Benefits of integrating Security in Phase5:

  • All the reported Threats will have relevant Security Controls
  • Failure to have compensating Controls will result in a Security Exception that is approved or rejected either by Top management or directly by the Client / Customer
  • Network penetration tests will ensure that only relevant ports are open and the application is accessible only from the required port
  • All default and stale accounts are removed
  • Activities conducted in this phase save your Clients / Customers a huge maintenance cost
  • Application is finally securely deployed


Author: admin

Raghavendra Rao PV has more than 11 years of experience in Information Technology. He started his career as a software developer at Accenture in the year 2006 and then moved to Information Security. Prior to starting SecureFirst Solutions Private Limited, he worked with organizations including Accenture Services Private Limited, TATA Consulting Services and Dell International Services. He is a Certified Ethical Hacker (CEH) and IBM Rational AppScan Certified.
