Larry Feldman

CSF and SDLC?

The question is: Can the Cybersecurity Framework be used to guide software development activities or is it solely for the purpose of managing cybersecurity operations?

Background: Clearly cybersecurity should be considered an important system parameter, starting with the design and development phase of the system lifecycle. Furthermore, the better we can “build security in” (define security requirements, secure system design, software assurance, comprehensive testing), the less vulnerable the system will be and the fewer security-related problems we will have in the operational/maintenance phase.

There are control families in NIST SP 800-53 Rev 4 that have an emphasis on controls for software developers, development processes, or the supply chain.

Many widely accepted best practices for improving secure coding, such as static and dynamic code analysis, threat modeling, code reviews, penetration testing of software, attack surface review, etc., are included in the control catalog as supplemental guidance or enhancements, but are not always included in the recommended security control baselines (e.g., low, mod, high).

The Cybersecurity Framework has the same issue: it is much more focused on the operational phase of the system lifecycle than on the development one. It has references to controls, such as SA-17, but does not provide any more details and maps this control to the “A System Development Life Cycle to manage systems is implemented” subcategory, which sounds pretty vague.


I think only a cursory glance at the framework demonstrates it only touches on a partial list of information security controls, mentions risk management but doesn't assist with it, and barely even dips into the broader concepts of cybersecurity as a problem space (or suite of disciplines). Of particular pertinence, it really lacks many controls for managing/limiting how businesses introduce the exposure which must be managed by infosec and supporting operations. The SDLC gap is a part of that broader gap. It also mentions but doesn't really provide insight into how to use business risk management to guide technical risk management, how to test for effectiveness at reducing risk, etc. I.e.: it provides no framework for identifying and applying the kind of context required to make its own control generalizations implementable in a valuable, coherent way.

That said, it was a pretty interesting assessment of where typical critical infrastructure and other companies were from a mindset perspective. (NIST's term "Common Practices" is apt.)

When I use it in my class, I mostly use it as a guide to gaps in consensus perspective.


While it has its limitations as a one-size-fits-all, I think if you do a search on controls where ISO 27001 A.14.X are cross-referenced (Systems Acquisition, Development, and Maintenance Domain), you can discover more places where guidance is linked to for SDLC requirements.

There isn't really a good place in the CSF functional organization to put SDLC stuff in one place. SDLC wouldn't fall under Identify or Protect, etc.; it would be scattered throughout. I think if it was attempted, it would be noisy for a vast number of organizations that would try to use it (and don't have in-house development at all).

I would recommend you use the secondary material; buy ISO 27002:2013 if only just for domain 14. Then you can point to "PR.IP-2: A System Development Life Cycle to manage systems is implemented" and show how multiple controls in ISO 27001/2 are used to do that.

Such is the price of flexibility in a framework. Sometimes you need to be flexible to accommodate it, also.
