Secure your Software Supply Chain in 2024: Secure Product Criteria and Management
A development team is comprised of development experts, quality assurance (QA), build engineering and security. The product management team is comprised of individuals with product leadership experience, and includes product and development managers, security architects, and company-level quality control assessors, all contributing to product release oversight. The top-level organizational management team must ensure secure development policies and procedures are supported within the budget and schedule and are implemented and adhered to by the assigned development teams. The figure below outlines a secure development process and lifecycle.
The example process illustrated above ensures that secure, resilient products are developed. It also illustrates that the development process can be measured using well-defined, tangible artifacts that may be collected, evaluated, and recorded to validate the use of the documented secure principles and guidelines outlined by the product management team.
LEARN CYBERSECURITY IN 2024
Check out our comprehensive cybersecurity course and enhance your knowledge in the field! Join now to learn the essential skills and techniques to protect yourself and others in the digital world. Don’t miss this opportunity to become a cybersecurity expert!
Threat scenarios
When developing and delivering a product, the following common threats may occur during the software development lifecycle:
1. Adversary intentionally injecting malicious code or a developer unintentionally including vulnerable code within a product.
2. Incorporating vulnerable third-party source code or binaries within a product either knowingly or unknowingly.
3. Exploiting weaknesses within the build process used to inject malicious software within a component of a product.
4. Modifying a product within the delivery mechanism, resulting in injection of malicious software within the original package, update, or upgrade bundle deployed by the customer.
Recommended mitigations
The supplier and developer management team should set policies that ensure development organizations have security-focused principles and guidelines in place to:
• Generate architecture and design documents,
• Gather a trained, qualified, and trustworthy development team,
• Create threat models of the software product,
• Define and implement security test plans,
• Define release criteria and evaluate the product against it,
• Establish product support and vulnerability handling policies and procedures,
• Assess the developers’ capabilities and understanding of the secure development process and assign training,
• Document and publish the security procedures and processes for each software release.
For more about “Securing the Software Supply Chain”
