Questions tagged [sdlc]

Integrating security practices into the Software/Systems Development Life Cycle. Security practices can be part of any or all of the requirements, design, implementation, testing, or operational phases of a development cycle.

Most software or systems engineering involves some sort of Software/Systems Development Life Cycle which typically includes some variation of the following phases:

  • Requirements gathering and investigation
  • Design
  • Implementation
  • Testing
  • Operation and maintenance

A mature development cycle will include security analysis at some or all of these phases.

This tag is about how to integrate security practices into an SDLC.

8 questions
8 votes, 1 answer

Should I develop with TLS on or off?

I develop applications on my local computer that I later deploy to a TLS production server. Should I develop with TLS on or off?
Jonathan
6 votes, 3 answers

Security Testing Methods for Enterprise Level

I have been asked to perform a risk assessment for a company. The scope covers about 100 applications in various business units. The major task is to assess the currently implemented security controls and provide recommendations after the assessment.…
ray bash
4 votes, 2 answers

Can results from DAST (Dynamic Application Security Testing) tools be false positive?

I know results from Static Application Security Testing (SAST) can be false positives or real and it is up to the security analyst and developer to decide which vulnerability is real based on the scenario and context. Is the same applicable to DAST…
Puja
3 votes, 2 answers

SAST vs WAF: What should I choose?

Given the fact that I have a WAF already deployed, what is the benefit I could get by purchasing a SAST tool that would scan the engineers' code for security flaws? Does this also apply to SCA tools, which can alert in case of using a…
elli
2 votes, 1 answer

How to interpret "Verify the use of a secure software development lifecycle that addresses security in all stages of development"?

I've been looking at OWASP Application Security Verification Standard 4.0.2 for a while now, and I'm trying to understand all the checkpoints in detail. I am not sure what exactly the author of a particular point meant. Therefore, I have a request…
soro
2 votes, 1 answer

Should we build a generic security unit test suite?

As part of our secure SDLC, we are delivering security as security requirements directly into the backlog of an application team. The security requirements will directly correlate to the functional features being delivered in the iteration. I am…
bobD
1 vote, 1 answer

How to include OWASP Zap in CI/CD

The company wants to start improving security. The test team uses the OWASP Zap tool (GUI version) to scan the new version for vulnerabilities. That usually takes between half an hour and 90 minutes. How can the scan be included in CI/CD in a way that is fast (under…
Mate Mrše
1 vote, 2 answers

Security implications of source code location

We're working towards implementing an SDLC for a company, and as in any complex environment there are differences of opinion about the new process. Some of the developers want to make use of one directory; others want to use another. Due to IT resource…
Joe