Awesome SDLC

Collection of resources on building Secure Development Lifecycle.

Contents

TBD

SDLC variations

• Microsoft SDLC
• Cisco SDLC

Compiled list of useful tools and resources for each of phases derived from Microsoft SDLC

Phase 1 - Training

This phase includes such practices as:

• Core security training

Resources:

• OWASP Security by Design

  Short read on the main principles for designing secure applications.

• Basics of Web security by Cade Cairns and Daniel Somerfield.

  "Basic practices which every developer can and should be doing as a matter of course".

• OWASP Top 10 - 2017

  The list of most common threats for web applications.

• OWASP JuiceShop

  A vulnerable website with challenges of differnet difficulty.

Phase 2 - Requirements

This phase includes such practices as:

• Establishing security and privacy requirements
• Creating quality gates/bars
• Performing security and privacy risk assessments

Resources:

• OWASP Application Security Verification Standard Project

  Ready-made requirements for most development tasks.

• OWASP Security Knowledge Framework

  Web application that incroporates OWASP ASVS and can help with requirements tracking and following throughout the application lifecyle.

Phase 3 - Design

This phase includes such practices as:

• Establishing design requirements
• Atack surface analysis reduction
• Threat modeling

Resources:

• Threat modeling - Designing for security ($) - book by Adam Shostack

  A classic book on doing it right.

• Microsoft Threat Modeling Tool

  A classic tool for drawing the model and enumerating threats.

• Threat modeling toolkit

  An awesome talk on practical threat modeling by Jonathan Marcil, application security engineer at Twitch.

Phase 4 - Implementation

This phase includes such practices as:

• Using approved tools
• Deprecating unsafe functions
• Performing static analysis

Resources:

• Awesome-static-analysis

  Awesome list of tools for static analysis - it has it all.

Phase 5 - Verification

This phase includes such practices as:

• Performing dynamic analysis
• Fuzz testing
• Attack surface review

Resources:

• Owasp ZAP

  Zed Attack Proxy - a free tool for automated dynamic analysis and much more.

• Awesome-Fuzzing

  Awesome list on everything regarding Fuzzing.

Phase 6 - Release

This phase includes such practices as:

• Creating an incident response plan
• Conducting final security review
• Certifying release and archive

Resources:

Phase 7 - Response

This phase includes such practices as:

• Executing incident response plan

Resources: