4

We are going to secure our software development life cycle and have been researching for a good model to start with. I have found 3 major models (methodologies?) which are:

  1. Cigital SDLC (7 touchpoints)
  2. Microsoft SDLC
  3. OpenSAMM SDLC
  4. BSIMM

I couldn't choose any of them since I have no idea which one is the best choice compared to the others. I need some professionals to guide me on this based on their own experience on projects and help us decide better.
What are the pros and cons of these models?
It would be great if anyone could guide us in a way that makes the differences between these models clearer, or tell us if one suits some kinds of projects better than the others.
We are going to secure the development of a software project for a financial institute, so if this imposes some restrictions on the model we need to choose, please guide us accordingly. Thanks in advance.

Hossein
  • The best software development process is always the one which works best for the project and your team. Every team is different and every project is different, so we cannot really give you objective advice in this regard. – Philipp Mar 09 '14 at 18:24

3 Answers

6

Personally, I found OpenSAMM to be a good resource, but only after you have something set up. It is a maturity model, which is basically a tool used to determine how well you do something. In other words, it has a focus on metrics and reporting. Don't get me wrong, I think there is a lot of good information in that document, but it is more of a phase 2.

I have not read Cigital, so I cannot comment on that one.

The MS SDLC is pretty simple to follow. We found most of the document irrelevant, especially when they get into specific things to check for C/C++ code and compiler flags, but the core concepts were good.

What you are going to have to do is take the SDLC and map the phases to what you do now. Once you have that mapping, you can then figure out what MS does in each phase and then pick a subset of that (or all of it) to include in your processes.

Think of the SDLC as the tool you will use to create the documents/process that the development team will follow. So, for example, you should probably publish a "development best practice guide" for the dev teams (as part of development training, for example). Since you guys are in the financial industry, you will want PCI/SOX material to be included in that document. To expand, the MS SDLC talks about having developer training. You will have to tailor that to your team and goals. For example, you may do a lot of C# development, so you will want to include C# security training as part of your training goals.

Most of these models are going to come down to a couple of major components.

1) Build security in (at the requirements stage). Make sure you are looking at the correct docs/strategies, and that functional/non-functional requirements focus on security at the outset. Make sure your goals are aligned with those of the client. Create bug bars, etc. Make sure the architecture supports fail-safes, strong crypto, incident response, etc.

2) Train, train, train. Developers need training. They perform better when they know what to do, and it is in the forefront of their mind. Develop a training program that focuses on long-term professional development as well as short-term (as needed) training.

3) Deliver a secure product by following best practices, and then validate. Develop according to best practices (pick a framework such as the ASVS, OWASP Top 10, or a combination), then make sure you validate that you have done it correctly. Do a pen test.

4) Support. Make sure you build in the right processes to support your application/client going forward.

As a side note, if you are looking for some professional help, you should consider paying for someone to come in and help you.

CtrlDot
  • Thanks a billion :-). Your response cleared my confusion on this subject. I would be grateful if you know about forums or websites which talk about such things, so that when we encounter any issue we can ask it and get further guidance :) – Hossein Mar 11 '14 at 11:42
  • Not really. More of an art than a science. You could try joining the OpenSAMM mailing list. – CtrlDot Mar 11 '14 at 15:27
1

OpenSAMM with goals set to achieve certain ASVS levels per project. Then, give back to the OWASP community.

atdre
1

The idea behind Secure Development methodologies is that you think about and address security concerns earlier in the project life cycle.

I would recommend using CLASP (Comprehensive, Lightweight Application Security Process) to get started on your current development methodology.

whoami