OWASP Secure Software Development Lifecycle Project

=Main=




OWASP Secure Software Development Lifecycle Project (S-SDLC)
The OWASP Secure Software Development Life Cycle Project (S-SDLC) is an overall software security methodology for web and app developers.

Its aim is to define a standard Secure Software Development Life Cycle and then help developers understand what should be considered, and which best practices apply, at each phase of the development life cycle (e.g. design phase, coding phase, maintenance phase, etc.).

Software security has become a wider concept than network security. There is a growing consensus that creating sufficiently secure software is not just a matter of individual skill but also, or even more so, of workflow: the Software Development Life Cycle. Achieving security therefore requires security to be involved in every phase of a Secure Software Development Life Cycle.

The project's final goal is to help users reduce security issues and raise the overall security level at every stage by applying the methodology.

Description
The OWASP Secure Software Development Life Cycle Project (S-SDLC) defines a secure software development process together with guides, tools, checklists and templates for the activities of each phase.

The deliverables will include (not final):

 * Introduction: S-SDLC framework
 * Training guideline: providing a security training system
 * Requirements Phase: Risk Evaluation Guideline and Requirements Criteria document
 * Design Phase: Security Design Review Guideline and Threat Modeling Guideline
 * Implementation Phase: Security Coding Guide (C/C++, Java, PHP, C#)
 * Validation Phase: activity levels, Security Testing Guideline
 * Release/Maintenance Phase: Vulnerability Management and Incident Response Guideline

Detailed information is given in the table of contents below:

Licensing
Creative Commons Attribution ShareAlike 3.0 License

'''The OWASP Secure Software Development Lifecycle Project is free to use. In fact it is encouraged!!!''' '' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.''

The OWASP Secure Software Development Lifecycle Project is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, you distribute the resulting work only under the same or a similar license.



What is OWASP Security Principles Project?
The OWASP Secure Software Development Life Cycle Project is an overall software security methodology for web and app developers.

The project's goal is to help users reduce security issues and raise the overall security level at every stage by applying the methodology.

Presentation
To be updated...

Project Leader
The OWASP Secure Software Development Lifecycle Project is developed by a worldwide team of volunteers. A live update of project contributors is found here.

The first contributors to the project were:


 * [mailto:Rip@owasp.org.cn RIP]
 * [mailto:silver@owasp.org.cn Silver Zhang]
 * [mailto:xtz@seczone.cn Tianze Xia]

Related Projects

 * OWASP_CISO_Survey

To be updated...

Openhub

 * OWASP Project Openhub



Quick Download
To be updated...

News and Events
To be updated...

In Print
To be updated...

Classifications


=FAQs=

How can I participate in your project?
All you have to do is make the Project Leaders aware of the time you have available to contribute to the project. It is also important to let the Leaders know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

If I am not a programmer can I participate in your project?
Yes, you can certainly participate in the project even if you are not a programmer or technical. The project needs different skills and expertise at different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.

= Acknowledgements =

Contributors
The OWASP Secure Software Development Lifecycle Project is developed by a worldwide team of volunteers. A live update of project contributors is found here.

The first contributors to the project were:


 * [mailto:Rip@owasp.org.cn RIP] (Sub-project Owner)
 * [mailto:silver@owasp.org.cn Silver Zhang] (Sub-project Owner)
 * Kevin (Sub-project Owner)
 * [mailto:sky@owasp.org.cn Xia Tianze] (Sub-project Owner)
 * [mailto:yukan@owasp.org.cn Yu Kan] (Sub-project Owner)
 * [mailto:Lance@owasp.org.cn Lance Li] (Sub-project Owner)
 * Bao Yuezhong (Participant)
 * Ricky Xu (Participant)
 * Wang Jie (Participant)

= Road Map and Getting Involved =

Based on the current estimate, the roadmap of the OWASP Secure Software Development Life Cycle Project is as follows:

Involvement in the development and promotion of the OWASP Secure Software Development Lifecycle Project is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:
 * Helping find references to some of the principles.
 * Project administration support.
 * Wiki editing support.
 * Writing support for the book.

= Related stuffs =

This page lists S-SDLC related material, categorized as a) Tools, b) Libraries, c) Technical Docs.

Tools
OpenRASP is an open-source, free and self-adapting security tool made for the OWASP S-SDLC Security Deployment and SecDevOps phase.
 * OpenRASP

Through the deep integration of its protection engine it provides threat detection, data stream monitoring and quick response in production.

Unlike perimeter controls such as a WAF, OpenRASP integrates its protection engine directly into the application server by instrumentation. It can monitor various events, including database queries, file operations and network requests.

When an attack happens, a WAF matches the malicious request against its signatures and blocks it. OpenRASP takes a different approach: it hooks sensitive functions and examines, and if necessary blocks, the inputs fed into them. As a result, this examination is context-aware and in-place. It brings the following benefits:

1. Only successful attacks trigger alarms, resulting in fewer false positives and a higher detection rate;

2. A detailed stack trace is logged, which makes forensic analysis easier;

3. It is not susceptible to malformed protocol traffic.

OpenRASP FAQ
1. List of supported web application servers

Only Java-based web application servers are supported for now. Support for other web application servers will be included in the coming releases.

OpenRASP has been tested on the following application servers on both Linux and Windows platforms:
 * Tomcat 6-8
 * JBoss 4.X
 * WebLogic 11/12

2. Performance impact on application servers

Multiple intense and long-lasting stress tests have been run. Even in the worst-case scenario (where the hook point is continuously triggered) the server's performance was reduced by only 10%.

3. Integration with existing SIEM or SOC

OpenRASP logs alarms in JSON format, which can easily be picked up by Logstash, rsyslog or Flume.

4. How to develop a new plugin?

A plugin receives a callback when an event occurs. It then determines if the current behavior is malicious or not and blocks the associated request if necessary.

Detailed documentation is available on GitHub.
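As an added illustration of the hook-and-plugin model described above (example code written for this page, not OpenRASP's own, which is Java), the following Python sketch wraps a simulated file-read API, lets a plugin judge the argument the API actually receives, and records a block as a JSON alarm carrying the stack trace. `WEB_ROOT`, the `readFile` event name, the `directory_traversal` plugin and the request paths are constructed for the example; a request such as `docs/../index.html` still resolves inside the root, so the in-place check raises no alarm where a signature match on `../` at the perimeter would.

```python
import json
import posixpath
import traceback

ALARMS = []    # constructed stand-in for the JSON alarm log
PLUGINS = []   # detection plugins consulted on every hooked event
WEB_ROOT = "/var/www/app"  # assumed application directory

class RaspBlocked(Exception):
    pass  # raised inside the hooked call so the request stops in place

def hook(event, param_names):
    """Wrap a sensitive function so plugins inspect its real arguments in place."""
    def decorator(fn):
        def wrapper(*args, **kwargs):
            params = dict(zip(param_names, args), **kwargs)
            for plugin in PLUGINS:
                verdict = plugin(event, params)
                if verdict:  # log a JSON alarm with the stack trace, then block
                    ALARMS.append(json.dumps({
                        "event": event, "params": params,
                        "plugin": verdict["plugin"], "message": verdict["message"],
                        "stack_trace": traceback.format_stack(limit=6)}))
                    raise RaspBlocked(verdict["message"])
            return fn(*args, **kwargs)
        return wrapper
    return decorator

def directory_traversal(event, params):
    """Plugin: block only if the path handed to the file API actually leaves WEB_ROOT."""
    if event != "readFile":
        return None
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, params["path"]))
    if not resolved.startswith(WEB_ROOT + "/"):
        return {"plugin": "directory_traversal",
                "message": "path escapes web root: " + params["path"]}
    return None

PLUGINS.append(directory_traversal)

@hook("readFile", ["path"])
def read_file(path):
    # Simulated sensitive function: returns the resolved path instead of file data.
    return posixpath.normpath(posixpath.join(WEB_ROOT, path))

def handle_request(path):  # returns 'ok' or 'blocked' for a request reading 'path'
    try:
        read_file(path)
        return "ok"
    except RaspBlocked:
        return "blocked"
```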

"INSIGHT" is a management platform developed by the Security Department of CreditEase which integrates application system assets, the vulnerability lifecycle, and a security knowledge base. "INSIGHT" is written in Python using the Flask framework, MySQL and Docker containers.
 * "INSIGHT" Platform
 * 1) Application System Asset Management: managing the company's application system assets, including system name, domain, senior level, department, and owner.
 * 2) Vulnerability Lifecycle Management: online submission, notification, verification, retesting, classification, risk calculation, repair deadline calculation, email reminders, and vulnerability data analysis for security vulnerabilities found in the company's application systems.
 * 3) Security Knowledge Management: centralized storage, online learning, security training, and preservation of security knowledge and standard specifications.

Detailed documentation is available on GitHub.

The concept of design

Application security activities begin with a risk assessment of the application assets. As the company accumulates more assets it encounters increasing problems: unclear asset inventories, missing asset owners, the high cost of continuous vulnerability tracking, difficulty in spreading security knowledge, no data to support decisions about high-frequency risks, and failure to solve the core problems. In addition, risk quantification is also a problem.

In the design of the application security management framework, the general process of risk governance is as follows:

Based on the demands of the above risk governance, "INSIGHT" came into being.

Highlights

After implementing the "INSIGHT" system, we achieved the following goals (the headings of the accompanying picture):

 * Vulnerability history at a glance
 * Vulnerability tracking is methodical
 * Learning cases can be found easily
 * Safety requirements are precisely controlled
 * Threats and risks are well-founded
 * Quantitative figures are known in real time

Libraries
To be added.

Technical Docs
To be added.

= Recent Updates =

The table below shows the recent updates of the project.