Architecture (A2): SDL Activities and Best Practices 83
the planning and awareness of security, privacy, and risk management
early in the SDLC through the proper used of an SDL will result in sig-
nificant cost and time savings.
Perhaps the most important, complex, and difficult part of the SDL
starts during this phase of the SDL. As discussed previously, threat
modeling and architectural security analysis typically fall into the domain
of the senior software security architects and requires the most experience
and expertise of any of the tasks within the SDL. Fortunately, tools are
currently available and in the process of being developed that can assist
this phase, and help leverage and scale a skill set that is typically a limited
resource in a software security group.
Additional security training that may be needed for key developers
to understand the current threats and potential exploitations of their
products, as well as training for secure design and coding techniques
specific to the software being developed and for the systems with which
the software will be interacting, are identified at this stage of the SDL.
This enables the developers to work more efficiently with the software
security architects and others from the software security group to create
more secure designs and empower them to address key issues early in the
development processes.
4.1 A2 Policy Compliance Analysis
The purpose of a software security policy is to define what needs to be pro-
tected and how it will be protected, including reviewing and incor porating
policies from outside the SDL that may impact the development process.
These might include policies governing software or applications developed
or applied anywhere in the organization.During this phase, any policy
that exists outside the domain of the SDL policy is reviewed. Corporate
security and privacy policies will likely instruct designers and developers
on what the security and privacy features need to be and how they must
be implemented. Other policies may include those that govern the use
of third-party and open-source software or the protections and control
of source code and other intellectual property within and outside the
organization. Assuming the software security group is separate from the
centralized information security group, it is important that both groups
collaborate on all policies and guidelines related to the development and