Implement Software Security as an Element of the Cybersecurity Architecture

The organization shall define and implement a Secure Software Development Life Cycle (SSDLC) process in software development.

The first step in the SSDLC process should be to define security requirements that ensure that security considerations become integrated into the services being developed right from the creation phase.

It is recommended that the SSDLC process include at least the following steps:

• A - Training
• B - Description of the requirements
• C - Design
• D - Development
• E - Security testing
• F - Publication
• G - Responding to issues

The general rules for secure development work have been drawn up and approved by the development managers. The implementation of the rules is monitored in software development in the organization and the rules are reviewed at least yearly.

The safe development policy may include e.g. the following things:

• safety requirements of the development environment
• instructions for secure coding of the programming languages used
• safety requirements at the design stage of properties or projects
• secure software repositories
• version control security requirements
• the skills required from developers to avoid, discover and fix vulnerabilities
• compliance with secure coding standards

Compliance with the rules of secure development may also be required of key partners.