# What you'll learn

After watching this video, you will be able to: 
* Describe security by design.
* Describe the secure software development lifecycle (or SDLC).
* Explain how to map DevOps into a secure SDLC.

# What is Security by design?

* While creating projects, you have probably done everything without any consideration for security; it was an afterthought.
* Eventually, the security team would shut down all the servers, and the code would be cracked.
* This is one of the main reasons why security should not be a last-minute decision.
* To overcome this, a security team must always be involved.
* Get some solid collaboration with the security people early and regularly because it's critical to write your code in a secure manner.
* You can develop a secure application with DevOps.

# What is SDLC?

The Software Development Lifecycle (SDLC) is a framework that specifies the steps involved in software development at each stage.
* It details the strategy for developing, deploying, and maintaining a program.
* SDLC is a well-structured sequence of stages that leads to the rapid development of high-quality software that has been completely tested and is ready for production.

Different stages of the SDLC are: 
* **Requirements**, where the project team begins to comprehend the customer's expectations for the project.
* **Design**, where decisions are based on the requirements list that you created during the Requirements stage.
* **Develop**, where a design is put into action.
* **Test**, where developers test their code and programming to see whether it meets client needs or if the functionality is smooth.
* **Deploy**, which you execute when the product is ready to go live after it has been tested by the project team and has passed each testing phase.


# What is secure SDLC?


Secure SDLC describes how security fits into the different phases of the software development lifecycle.

This process of involving security testing and its best practices in the existing development model includes: 
* Risk assessment; 
* Threat modeling and design review; 
* Static analysis; 
* Security testing and code review; 
* Security assessment and security configuration.

# Mapping DevOps in Secure SDLC

How can you map DevOps into the phases of a secure SDLC?

## Requirements phase


During the **Requirements phase**:
* You **perform a risk assessment** and consider how people might attack the code.
* Make sure you've **determined the security needs and standards**, as well as the type of information you're dealing with.
* **Define the security requirements** where you identify the information to protect.
* **Perform attack profiling** to determine what might be going on throughout the design threat modeling process.


## Design phase


The design stage is about designing in a secure manner.

During **design threat modeling**, ask:
* What are some of the elements that could make your architecture vulnerable?
* How can you securely design the precautions to take during this stage?

Also during this stage:
* Securing the deployment pipeline is about ensuring that you have a secure design.
* You've automated all the tests correctly, and your continuous integration/continuous delivery (or CI/CD) pipeline is searching for vulnerabilities.
* With DevOps, security team members can instruct Dev team members about common threat types and help them create unit tests to counter them.

## Develop phase


In the **develop stage**: 
* You can perform static analysis with tools that inspect your code for security vulnerabilities and flag it as insecure.
* This stage incorporates automated data validation to guarantee that the information in the system is both correct and useful.
* This stage also includes security tasks and secure scrum, a scrum framework variation that emphasizes secure software development throughout the SDLC.

## Test phase


In the **test stage**: 
* You want to incorporate vulnerability scans.
* You undertake security testing on your code, and you conduct a risk assessment before you launch it.
* **Strive for failure:** If you can break your application, attackers are likely to be able to do so as well.
* **Parallelize security testing:** To shorten the test window, run code scanners in parallel with unit tests and functional verification tests (or FVTs).

## Deploy phase


When you get to the **deploy stage**, and your code is in production:
* You will ensure that it is functioning safely in various ways.
* You can use automated launch of deployment scripts.
* You can also use deploy and rollback, which means that for a file upload deployment, rollback will essentially revert the changes:
    * If a file was previously uploaded, it will be erased.
    * If a modification was made, it will be undone.
    * If a file was removed, it will be placed back.
* You can perform production security tests, which imitate real-world hacking methods and approaches to reveal hidden flaws in your device or application.
* These tests can give you genuine insights and practical outcomes.
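
The deploy-and-rollback behaviour described above can be sketched as follows. This is an added example, not code from the video: the function names, the in-memory journal, and the file names in `demo()` are assumptions made for illustration.

```python
import os
import tempfile

def _read(path):
    with open(path, "rb") as f:
        return f.read()

def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def deploy(root, changes):
    """Apply {relative_path: bytes, or None to remove} under root and return a
    journal of each touched path's prior contents (None = did not exist)."""
    journal = {}
    for rel, new in changes.items():
        path = os.path.join(root, rel)
        journal[rel] = _read(path) if os.path.exists(path) else None
        if new is not None:
            _write(path, new)
        elif journal[rel] is not None:
            os.remove(path)
    return journal

def rollback(root, journal):
    """Revert a deployment from its journal."""
    for rel, old in journal.items():
        path = os.path.join(root, rel)
        if old is not None:
            _write(path, old)        # modification undone, or removed file put back
        elif os.path.exists(path):
            os.remove(path)          # newly uploaded file erased

def snapshot(root):
    """Map each file under root to its contents."""
    return {os.path.relpath(os.path.join(d, n), root): _read(os.path.join(d, n))
            for d, _, names in os.walk(root) for n in names}

def demo():
    """Constructed scenario: one upload, one modification, one removal."""
    with tempfile.TemporaryDirectory() as root:
        deploy(root, {"index.html": b"v1", "old.css": b"legacy"})
        before = snapshot(root)
        journal = deploy(root, {"new.js": b"x", "index.html": b"v2", "old.css": None})
        after = snapshot(root)
        rollback(root, journal)
        return before, after, snapshot(root)
```

The journal entry for each path is recorded before that path is touched, which is what lets rollback restore the exact prior state; a real pipeline would persist the journal so a rollback survives a crashed deploy job.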

# Summary


In this video, you learned that: 
* You can collaborate with a security team to better understand and experience the smooth implementation of new features.
* Secure SDLC is a process that involves security testing and its best practices in the existing development model.
* SDLC stages are requirements, design, development, testing, and deployment.
* You can map secure SDLC to these stages by undertaking risk assessments and looking at how individuals may attack your code.