Secure SDLC – Part 3: The Bug Bar

Blog 7

Another part of the Secure SDLC that I think is key is defining the quality criteria, or what we called the “rules of the game”, up front. They define the priority with which each issue must be fixed.

The priority is derived from two factors: the sensitivity or classification of the data being handled (confidential, internal, etc.) and the attack surface, i.e. the authentication level (admin, user, anonymous) plus the access type (remote, local). The combination of these two factors sets the priority: which security issues must be fixed before going into Production, and which may be fixed 30, 60 or more days after launch.
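To make the rule concrete, here is an added example (my own illustration, not the rule set or code of the project the post describes) that encodes a bug bar of this shape: each finding carries a data classification and an attack surface (authentication level plus access type), a combined score maps to a priority and a fix deadline, and a release gate splits findings into Production blockers and dated post-launch fixes. The score thresholds, priority labels, day counts, launch date and sample findings are all assumptions constructed for the example.

```python
"""Illustrative bug bar: derive fix priority from data classification and
attack surface. Thresholds, labels and deadlines are assumptions for this
example, not the rule set of any real project."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum


class DataClass(IntEnum):
    """Sensitivity of the data the affected component handles."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2


class AuthLevel(IntEnum):
    """Privilege needed to reach the flaw; a higher value means more exposed."""
    ADMIN = 0
    USER = 1
    ANONYMOUS = 2


class Access(IntEnum):
    """How the flaw is reached."""
    LOCAL = 0
    REMOTE = 1


@dataclass(frozen=True)
class Finding:
    ident: str
    data: DataClass
    auth: AuthLevel
    access: Access


# Assumed bug bar: (minimum combined score, priority label, days after launch
# allowed for the fix). 0 days means the issue blocks the Production release.
BUG_BAR = (
    (4, "P1", 0),
    (3, "P2", 30),
    (2, "P3", 60),
    (0, "P4", 90),
)


def attack_surface(f: Finding) -> int:
    """Attack surface = authentication level + access type, range 0..3."""
    return int(f.auth) + int(f.access)


def classify(f: Finding) -> tuple:
    """Map a finding to (priority label, days allowed after launch)."""
    score = int(f.data) + attack_surface(f)  # range 0..5
    for threshold, label, days in BUG_BAR:
        if score >= threshold:
            return label, days
    raise AssertionError("unreachable: last threshold is 0")


def release_gate(findings, launch: date) -> dict:
    """Split findings into release blockers and dated post-launch fixes."""
    blockers, scheduled = [], {}
    for f in findings:
        label, days = classify(f)
        if days == 0:
            blockers.append(f.ident)
        else:
            scheduled[f.ident] = (label, launch + timedelta(days=days))
    return {"release_allowed": not blockers,
            "blockers": blockers,
            "scheduled": scheduled}


# Constructed sample findings and launch date (not from any real project).
LAUNCH = date(2024, 1, 15)
SAMPLE = [
    Finding("F-1 injection in login", DataClass.CONFIDENTIAL, AuthLevel.ANONYMOUS, Access.REMOTE),
    Finding("F-2 script injection in admin report", DataClass.INTERNAL, AuthLevel.ADMIN, Access.REMOTE),
    Finding("F-3 verbose error page", DataClass.PUBLIC, AuthLevel.ANONYMOUS, Access.REMOTE),
    Finding("F-4 weak permissions on local log", DataClass.CONFIDENTIAL, AuthLevel.ADMIN, Access.LOCAL),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f.ident, "->", classify(f))
    print(release_gate(SAMPLE, LAUNCH))
```

With these assumed thresholds, F-1 (confidential data, reachable anonymously over the network) scores 5 and blocks the release, while F-4 (confidential data but admin-only and local) scores 2 and gets a 60-day window. The point of writing the bar down as data rather than judgement is that developers can see, before the first finding arrives, exactly which combinations will stop a launch.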

This standard rule, agreed and communicated from the beginning of each project's SDLC, proved to be an important tool for improving the understanding of the risks associated with security issues and for increasing the Development team's commitment to security.
