CSDL is applicable to all programming languages, operating systems, and application development efforts. The requirements defined are both agnostic and complementary to any development methodology, including standard waterfall, agile, or any other type of defined process. However, different development methodologies call for distinct implementations. CSDL is divided into activities called elements. For example, Threat Modeling, Static Analysis, Identity Assurance, and Security Testing are some of the elements of CSDL. Inside Cisco, CSDL elements are used as an overlay to our standard development lifecycle, augmenting each phase to include processes, tools, or deliverables that are targeted towards product security and resiliency.
In-depth product security knowledge is not a prerequisite for successful use of CSDL. Training, however, is an inherent part of CSDL. It is designed to provide guidance on the product security aspects of specific tool/process requirements as they pertain to individual job roles or specific tasks. Each job function has a different task when it comes to development, and CSDL training is tailored to those different roles. For example, developers are offered training on Threat Modeling, Static Analysis, Secure Coding, and so on, while testers have different priorities.
In addition, Cisco holds an annual internal security conference, called SecCon, aimed at raising security awareness within the company's development community. All of Cisco is invited; however, the Cisco development organization is the primary target audience. Product teams get to learn from and interact with security researchers directly. SecCon bridges the communications gap, bringing security expertise directly to teams developing Cisco products.
The concept phase defines the full product from an end-user perspective, describing features and functionality necessary to create a useful, usable, and desirable product, and is documented in a statement of product requirements. During the concept phase, key product security requirements need to be included as this is the earliest opportunity in the development lifecycle to eliminate potential vulnerabilities, thus resulting in significant savings during the plan, develop, and validate phases.
The plan phase specifies what will be designed and built (in response to the requirements), and what resources are required to deliver the product. As the engineering team considers the overall system architecture, they must augment their design process to include security concepts such as reduction in attack surface, least privilege, intellectual property protection, and defense-in-depth. Bolting on security features during the implementation or validate phase is error prone and will significantly impact the release schedule. CSDL provides tools and methodologies to assist teams with building products that are secure by design.
During the development phase, the product team begins to write the code and perform unit testing. Throughout this phase, a number of sophisticated tools and technologies are incorporated to detect and reduce security-related software vulnerabilities in the system. This starts with adhering to best-practice coding guidelines, choosing secure versions of the libraries used in the system, and running the latest static analysis tools to detect and eliminate security vulnerabilities from the source code. The next layer of defense is to enable the compiler to automatically provide protection when certain compile-time conditions are met. Finally, certain run-time defenses can be put in place to reduce the chances of a successful exploit if an attacker were able to inject malicious code.
The product is validated through integration, feature test, system and regression tests, Early Field Trial and Beta testing. As part of this process, the product security functionalities integrated in the prior phases need to be verified. In addition, a number of new activities are introduced to further validate the system prior to FCS and put in place the ability to continuously monitor threats post FCS.
CSDL Compliance Verification
Compliance Verification examines the security activities performed on software prior to release. The verification can include an examination of the trusted product architecture evaluation, threat models, and CSDL tool outputs.
Once the product has been thoroughly validated and has passed the launch readiness review, it is launched officially. Even with multiple layers of defenses in CSDL, undoubtedly not all security vulnerabilities will be eliminated from the system. This is especially true as the threat landscape shifts over time. It is important that teams have a strategy in place to report and respond to security vulnerabilities.