[ISM] SecDevOps practices:

SecDevOps practices are used for application development.

[SSDF] Collaboration: Perform secure code reviews collaboratively (SSS-02-02-10)

Perform the code review and/or code analysis based on the organization’s secure coding standards, and record and triage all discovered issues and recommended remediations in the development team’s workflow or issue tracking system.

[SSDF] Review human readable code (SSS-02-02-10-01)

Perform Code Reviews and/or Analysis According to Secure Coding Standards: Incorporate peer and expert reviews, tools and automation, structured checklists, and continuous improvement measures into the code review and analysis process. Use established workflows and tracking systems to document issues, prioritize remediation, and record lessons learned.

Operations

| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-02-10-01-01 | Incorporate peer and expert reviews | Conduct peer reviews to identify potential issues in code, integrating existing analysis and testing results. Engage expert reviewers to detect advanced threats, such as backdoors or malicious content, ensuring comprehensive scrutiny. | Development | Development Teams |
| SSS-02-02-10-01-02 | Leverage tools and automation | Use peer review tools to streamline discussions and feedback while documenting all findings. Employ static analysis and automated tools to check for vulnerabilities and compliance, followed by human review to validate and remediate reported issues. | Development | DevOps Teams |
| SSS-02-02-10-01-03 | Apply structured review checklists | Use standardized review checklists to ensure the code meets all specified functional, security, and compliance requirements. This structured approach helps maintain consistency across reviews and ensures no critical checks are missed. | Deployment | Quality Assurance Teams |
| SSS-02-02-10-01-04 | Implement continuous improvement measures | Identify root causes of vulnerabilities discovered during reviews and analysis. Record lessons learned in a centralized, searchable knowledge base (e.g., a wiki) to promote organizational learning and reduce the recurrence of similar issues. | Post-deployment | Security Teams |
| SSS-02-02-10-01-05 | Track and document review results | Use established workflows and tracking systems to document issues, prioritize remediation, and track resolution progress. Maintain comprehensive records for audits and to inform future code reviews. | Post-deployment | Compliance Teams |

References

| Industry framework | Academic work | Real-world case |
|---|---|---|
| Information Security Manual (ISM-1780) | | |
| NIST Secure Software Development Framework (PW.7.2) | | |
| SSDF (PW.7.2: Perform the code review and/or code analysis - Example) | | |

[SAMM] Integrate security testing tools in the delivery pipeline (SSS-02-02-10-02)

Organizations must configure and integrate automated security testing tools within the software delivery pipeline to ensure scalability and low operational overhead. These tools should automatically execute security tests as part of the build and deployment processes, providing continuous feedback and early detection of vulnerabilities. Begin security testing as early as the requirements or design phases, adopting a test-driven development approach where security test cases are designed and executed alongside functional test cases. Unresolved test cases serve as actionable goals for developers, ensuring that all identified security gaps are resolved before implementation is considered complete. This reduces the risk of release delays due to unresolved vulnerabilities or forced risk acceptance to meet project deadlines.

To improve visibility, consolidate automated and manual security test results into centralized dashboards and present the outcomes regularly to management and business stakeholders. If any findings remain as accepted risks, stakeholders and development managers must collaboratively establish clear timeframes for addressing these before release.

Enhance testing processes by adopting test correlation tools that merge results from dynamic, static, and interactive security tests into a unified dashboard. These tools facilitate defect management and allow for the seamless tracking of security issues. Spread awareness of test results and findings across development teams, fostering a culture of continuous learning and proactive security improvement throughout the organization.

Operations

| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-02-10-02-01 | Configure automated security testing tools | Integrate security testing tools (e.g., SAST, DAST, IAST) into the CI/CD pipeline for automated execution during builds, deployments, and other stages of the development lifecycle. | Development | DevOps team, Security team |
| SSS-02-02-10-02-02 | Implement security test-driven development (STDD) | Design security test cases early in the requirements or design phases. Run these tests automatically, and use them to guide the implementation until all tests pass. | Development | Development teams, Security champions |
| SSS-02-02-10-02-03 | Present security test results via dashboards | Create centralized dashboards to display the results of automated and manual security tests. Regularly share these results with management and stakeholders for transparency. | Deployment | Security team, Development managers |
| SSS-02-02-10-02-04 | Correlate security test results | Use security test correlation tools to merge and centralize results from multiple scanners, such as dynamic, static, and interactive tools, into a unified view. | Deployment | DevOps team, Security team |
| SSS-02-02-10-02-05 | Establish accountability for accepted risks | Document unaddressed security findings as accepted risks, and work with stakeholders to define concrete deadlines and monitor progress for remediation. | Post-deployment | Security team, Development managers |
| SSS-02-02-10-02-06 | Continuously improve security tests | Regularly review and enhance security tests to address emerging threats and lessons learned from past testing activities. | Post-deployment | Security team, Development teams |

References

| Industry framework | Academic work | Real-world case |
|---|---|---|
| Information Security Manual (ISM-1780) | | |
| NIST Secure Software Development Framework (PW.7.2) | | |
| OWASP SAMM: Software Assurance Maturity Model (V-ST-3-A) | | |

[SAMM] Track security defects centrally (SSS-02-02-10-03)

Organizations must establish a centralized system for tracking and managing security defects across all applications and development processes. This system should begin by standardizing the definition and classification of security defects to ensure consistent identification and reporting. Security defects can originate from various sources, including threat assessments, penetration tests, outputs from static and dynamic analysis scanning tools, and responsible disclosure programs or bug bounties. To foster a transparent security culture, avoid assigning blame to teams or individuals for identifying or introducing defects. Instead, focus on promoting collaboration and proactive remediation.

Security defects should be recorded and tracked in a well-defined location, which need not be centralized for the entire organization but must allow a comprehensive overview of all defects affecting a specific application at any given time. Implement strict access controls to safeguard defect records and mitigate the risks of data leakage or misuse.

Enhance prioritization of defect remediation efforts by introducing qualitative classifications (e.g., critical, high, medium, low) based on the risk and impact of each defect. Additionally, ensure the tracking system minimizes duplication of entries and false positives, enhancing its accuracy and reliability. By maintaining a comprehensive record of security defects, organizations can prioritize remediation, identify systemic vulnerabilities, and improve their overall security posture.
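The correlation and deduplication that this section and the pipeline section (SSS-02-02-10-02) call for, shown as an added Python example that is not part of this document or of any tool it cites: findings from a code scanner, a runtime scanner, a penetration test and a bug bounty are normalised to one defect schema, collapsed on a fingerprint, classified by the worst reported severity and ranked for remediation. The scanner record layouts, the fingerprint scheme and the sample findings are constructed assumptions.

```python
from dataclasses import dataclass, field
import hashlib

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample findings (not real scanner output); field names differ per source.
RAW_FINDINGS = [
    {"tool": "sast", "app": "payments", "cwe": "CWE-89", "file": "db.py", "line": 42, "sev": "HIGH"},
    {"tool": "dast", "app": "payments", "cwe": "CWE-89", "url": "/api/orders", "sev": "critical"},
    {"tool": "sast", "app": "payments", "cwe": "CWE-89", "file": "db.py", "line": 42, "sev": "HIGH"},  # rerun: duplicate
    {"tool": "pentest", "app": "payments", "cwe": "CWE-89", "url": "/api/orders", "sev": "high"},
    {"tool": "bugbounty", "app": "portal", "cwe": "CWE-79", "url": "/search", "sev": "medium",
     "triage": "false_positive"},
]

@dataclass
class Defect:
    app: str
    rule: str                    # CWE id: the common classification key across tools
    location: str                # file:line for code scanners, URL path for runtime tests
    severity: str                # qualitative class: critical / high / medium / low
    sources: set = field(default_factory=set)
    suspected_false_positive: bool = False

    def fingerprint(self) -> str:
        # Stable key used to collapse repeated reports of the same defect.
        key = f"{self.app}|{self.rule}|{self.location}".encode()
        return hashlib.sha256(key).hexdigest()[:16]

def normalise(raw: dict) -> Defect:
    """Map one tool-specific record onto the shared defect schema."""
    location = f"{raw['file']}:{raw['line']}" if "file" in raw else raw["url"]
    return Defect(raw["app"], raw["cwe"], location, raw["sev"].lower(), {raw["tool"]},
                  raw.get("triage") == "false_positive")

def correlate(raw_findings) -> list:
    """Deduplicate by fingerprint, keep the worst severity, and rank for remediation."""
    merged = {}
    for d in map(normalise, raw_findings):
        fp = d.fingerprint()
        if fp not in merged:
            merged[fp] = d
            continue
        kept = merged[fp]
        kept.sources |= d.sources
        if SEVERITY_RANK[d.severity] < SEVERITY_RANK[kept.severity]:
            kept.severity = d.severity
        kept.suspected_false_positive &= d.suspected_false_positive  # FP only if all reports agree
    # Worst severity first; among equals, defects corroborated by more sources first.
    return sorted(merged.values(), key=lambda d: (SEVERITY_RANK[d.severity], -len(d.sources)))
```

Running `correlate(RAW_FINDINGS)` on the five constructed records yields three defects: the SQL injection seen by both DAST and the pentest ranks first as critical, the SAST-only finding follows, and the bug-bounty report stays flagged as a suspected false positive until another source contradicts it.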

Operations

| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-02-10-03-01 | Define security defect standards | Establish a common definition and classification system for security defects, including severity levels and prioritization criteria. Ensure teams understand these definitions. | Preparation | Security team, Development teams, Testing teams, QA teams |
| SSS-02-02-10-03-02 | Set up a centralized defect tracking system | Implement a tool or platform (e.g., JIRA, Azure DevOps) to record and track all security defects for each application. Ensure it supports centralized or application-specific views. | Development | DevOps team, QA teams, Security team |
| SSS-02-02-10-03-03 | Integrate security defect identification sources | Connect defect tracking with bug reports from threat assessments, penetration tests, static/dynamic analysis tools, and bug bounties to ensure all defects are captured effectively. | Development | Security team, Testing teams, Vendor partners |
| SSS-02-02-10-03-04 | Classify and prioritize security defects | Introduce a qualitative classification system for defects (e.g., critical, high, medium, low) and prioritize fixes based on severity and application impact. | Deployment | Security team, Development teams, Testing teams |

References

| Industry framework | Academic work | Real-world case |
|---|---|---|
| Information Security Manual (ISM-1780) | | |
| NIST Secure Software Development Framework (PW.7.2) | | |
| OWASP SAMM: Software Assurance Maturity Model (I-DM-1-A) | | |