NIST SP 800-64: High Level Summary
NIST SP 800-64 Secure SDLC Consideration: High Level Summary

A secure SDLC has become an influencing factor in application development. Given the growing number of threats and attacks across industries, almost all organisations are now focusing on integrating security into their application development process to avoid such incidents in future. Security should be incorporated at an early stage of the development cycle rather than added later. However, this needs to be done keeping in mind the guidelines and frameworks set by the Information Technology Laboratory of the National Institute of Standards and Technology (NIST) and other organisations, so that cost-effective security is added step by step in all phases of the SDLC.

The guide presented in NIST SP 800-64 rev2 complements the Risk Management Framework by taking a comprehensive approach to managing risk and applying an appropriate level of security based on the level of risk. It shows how to integrate security functionality and assurance into the SDLC. [Also See Blog: Integrating Security Across SDLC phases]

"To be most effective, information security must be integrated into the SDLC from system inception." - Ref: NIST SP 800-64 rev2
Early integration of security in the SDLC ensures maximum ROI in security programs. How?
The earlier possible security concerns are identified, the lower the cost of security control implementation and vulnerability mitigation.
Awareness of potential engineering challenges that one may encounter in future.
Challenges and effective security control implementation.
Identification of shared security services and reuse of security strategies and tools reduces overall development cost.
Ensures security is built in, improving the overall security posture of a product.
Informed executive decision making through comprehensive risk management in a timely manner.
The NIST SP 800-64 rev2 guide focuses on the information security components of the SDLC. It first describes the key security roles and responsibilities in the SDLC, and thereafter describes the relationship between information security and the SDLC.
Key Roles and Responsibilities in SDLC: Throughout the SDLC process, many participants are involved in performing different activities in the different phases. Some of the key roles and their responsibilities are explained below: