2.5 Explain concepts related to vulnerability response, handling, and management.
📘CompTIA CySA+ (CS0-003)
The Secure SDLC is a structured process used to develop software in a way that reduces vulnerabilities and security risks. It ensures that software is secure, reliable, and safe to use in an IT environment.
The SDLC is divided into several phases, and each phase has specific security considerations. These phases are usually:
- Planning
- Requirements
- Design
- Development / Implementation
- Testing / Verification
- Deployment / Release
- Maintenance / Operations
Let’s go through each phase in detail:
1. Planning Phase
- Purpose: Decide what software to build and how it will operate.
- Security Focus:
- Identify potential threats and risks before starting coding.
- Define security requirements, like authentication, encryption, and access controls.
- Example in IT: Planning a new internal employee portal includes deciding who can access sensitive HR data and how the portal will protect that data.
2. Requirements Phase
- Purpose: Specify what the software must do and what rules it must follow.
- Security Focus:
- Include security requirements in the software specification.
- Consider compliance requirements (e.g., GDPR for personal data or PCI DSS for payment data).
- Example in IT: If building a password manager, the software must require strong passwords, multi-factor authentication, and encrypted storage.
3. Design Phase
- Purpose: Create a blueprint of the software, including architecture, modules, and data flow.
- Security Focus:
- Perform threat modeling: identify where attackers might try to exploit vulnerabilities.
- Design secure architecture: separate sensitive modules, use proper authentication, and avoid single points of failure.
- Example in IT: For a database system, design it so that only certain servers can connect and encrypt sensitive information.
4. Development / Implementation Phase
- Purpose: Actual coding of the software.
- Security Focus:
- Follow secure coding practices:
- Input validation: ensure data entered by users is correct and safe.
- Output encoding: prevent attackers from injecting harmful code.
- Use parameterized queries to prevent SQL injection.
- Avoid hardcoding passwords or secret keys in the code.
- Follow secure coding practices:
- Example in IT: When coding a web application, developers use frameworks that automatically protect against common attacks like cross-site scripting (XSS).
5. Testing / Verification Phase
- Purpose: Ensure the software works correctly and meets requirements.
- Security Focus:
- Conduct vulnerability testing and security testing:
- Penetration testing to simulate attacks.
- Static code analysis to find coding mistakes.
- Dynamic analysis to test runtime behavior.
- Verify compliance with security standards.
- Conduct vulnerability testing and security testing:
- Example in IT: Test an email server software to ensure only authorized users can send emails and sensitive emails are encrypted.
6. Deployment / Release Phase
- Purpose: Release the software to production for real users.
- Security Focus:
- Ensure secure configuration during deployment.
- Apply patch management and update policies.
- Limit access to production servers and databases.
- Example in IT: Deploy a cloud-based HR system with role-based access control so only HR staff can access employee records.
7. Maintenance / Operations Phase
- Purpose: Maintain the software to fix bugs and improve performance.
- Security Focus:
- Regularly patch vulnerabilities.
- Monitor logs and system behavior for anomalies.
- Update security mechanisms as threats evolve.
- Example in IT: Continuously update a web application to patch newly discovered security vulnerabilities and prevent attacks.
Key Security Practices in SDLC
- Shift-left security: Incorporate security early in the development process.
- Code reviews: Have peers review code to catch vulnerabilities.
- Version control & change management: Track all changes to quickly fix issues.
- Secure dependencies: Check third-party libraries for vulnerabilities.
- Continuous monitoring: Detect and respond to issues in production environments.
Why Secure SDLC is Important for the Exam
- Ensures software is resistant to attacks.
- Reduces costs because fixing security issues early is cheaper than after deployment.
- Meets legal, regulatory, and organizational compliance standards.
- Improves trust in IT systems (users can safely access applications).
Summary Table for Exam
| SDLC Phase | Purpose | Security Focus |
|---|---|---|
| Planning | Decide software goals | Identify threats, define security needs |
| Requirements | Specify software rules | Include security & compliance requirements |
| Design | Blueprint of software | Threat modeling, secure architecture |
| Development/Implementation | Coding of software | Secure coding practices, input/output validation |
| Testing/Verification | Verify software works correctly | Security testing, vulnerability scanning |
| Deployment/Release | Release software to users | Secure configuration, patch management |
| Maintenance/Operations | Ongoing updates & monitoring | Patch vulnerabilities, monitor logs |
✅ Exam Tip: The CompTIA Server+ exam may ask:
- The correct phase to perform security testing.
Answer: Testing/Verification phase. - What is shift-left security?
Answer: Incorporating security early in SDLC (Planning & Design). - Which phase deals with patching vulnerabilities after release?
Answer: Maintenance/Operations phase.
