It has been a long time since Microsoft introduced its Security Development Lifecycle
(SDL), which gives companies a framework for implementing security in the SDLC. Yet the
reality is that many companies are still reluctant to consider security while building
their applications. We live in an age in which the Internet of Things is flourishing,
giving rise to new threats and widening the threat landscape. We never know what an
application will face once it is live and in the hands of customers. Companies are seen
struggling to take informed decisions when it comes to accepting the importance of
implementing security in each and every phase of the SDLC.
It is important to take into consideration how management thinks when it comes to
adopting a suitable approach or process for the SDLC. There have always been controversies
about the budget that goes into implementing security, the impact on the delivery
schedule, the effort or resources required, and the value it returns to the customer and
the organization. The goal of this thesis is to help the organization realize the
importance of building security into the application and to help it take informed
decisions by creating risk awareness. The subjects under focus are the study of the
existing practices the organization follows, what changes when security steps in, and
how to achieve a trade-off between the investment in security and the benefits reaped
from it. It is equally important to understand the organizational and human factors that
affect information security while the application is being built.
The target audience is everybody involved in the company (of any size), from the
executive body to the support/operations team, including business developers, project
managers, system architects, developers, testers, etc., in an agile-centric environment.
The reason for having the entire organization buy into security is that security has to be
embedded in every phase to assure end-to-end security and to minimize the risk when the
product/application is live and is hit by an incident.