Security by Design: Building Compliance Into Every Stage
From planning and vendor assessments to secure builds and SBOM creation, see how to embed compliance into every phase of your product development lifecycle.
Transcript
So starting from the top left, obviously, you start any product with the planning phase.
And in this initial planning phase, you want to make sure that you don't lose sight of security requirements and data privacy requirements. You want to make sure that those are identified, and the sources will be external, like regulations and industry standards, and some internal, which should be driven by the internal security policies of the company or by the customers.
We want to make sure you have those requirements properly identified and documented, and that they become traceable over time across the product development life cycle. You want to make sure that they are implemented, and eventually tested, validated, and verified to be implemented correctly. So it's very important to have that started very early.
Same thing goes with the vendor assessments.
It is absolutely critical that we identify all vendors that contribute to your product, whether they're supplying electronics hardware, board support packages, software that goes into the product, or even services. Many of us end up outsourcing software development for the software that goes into the product. You want to identify those vendors also. And the idea here is that you put together a methodical way of assessing and evaluating the vendors' security capabilities: what kind of product security program they have, what kind of security controls they have in the product they're supplying you.
And the overall goal is to partner and work with the vendors that are at least up to your own security standards, because your customers expect the product to be at a certain security standard, no matter whether it's supplied by a supplier or built by yourself. So that's vendor assessment. You want to assess, and make sure you maintain a list of, all approved vendors for the components they are supplying.
And the next thing during the planning phase, I believe, which needs to be started as soon as you have the high-level architecture, the technical plan and design of the product, is to start your threat modeling exercise. We're going to talk a little bit more about threat modeling later in this.
And once you move to the phase where you have software and you're building software, coding everything, with all the basic aspects of good, secure software, including secure coding, you want to start running software composition analysis and static analysis on your source code. And as you move to the build stage, now you have the final built artifact, and that's where you want to make sure that you use the build artifact to get the software composition analysis done. That will give you a list of vulnerabilities in the product to fix early in the cycle of coding and building. You want to run that software composition analysis, not the vulnerability.
And eventually you want to have a clear software bill of materials, and we'll talk more later about why this is important and how to do it, about SBOMs.
In all this, we want to make sure, because nowadays most organizations are building products using an automated CI/CD pipeline, that the pipeline needs to be secured as well in itself: every tool, the whole process that builds your software.
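As an added example (not part of the talk), here is a minimal build-stage software composition analysis gate of the kind described above: it reads a CycloneDX-style SBOM produced from the build artifact, matches each component against an advisory list, and returns the findings a CI/CD pipeline would block on. The SBOM, component names and advisories are all constructed sample data, and the advisory IDs are placeholders.

```python
import json
# Constructed SBOM fragment in CycloneDX JSON shape (component list only).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libexample", "version": "1.2.3",
         "purl": "pkg:generic/libexample@1.2.3"},
        {"type": "library", "name": "netparse", "version": "0.9.0",
         "purl": "pkg:generic/netparse@0.9.0"},
        {"type": "library", "name": "cryptokit", "version": "2.1.0",
         "purl": "pkg:generic/cryptokit@2.1.0"},
    ],
})

# Constructed advisories (placeholder IDs); affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "name": "netparse", "introduced": "0.0.0",
     "fixed": "0.9.2", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-002", "name": "cryptokit", "introduced": "2.0.0",
     "fixed": "2.0.5", "severity": "critical"},
]

def parse_version(v):
    """Turn a dotted numeric version into a comparable tuple."""
    return tuple(int(p) for p in v.split("."))

def affected(version, introduced, fixed):
    """True when the shipped version falls inside the vulnerable range."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def scan_sbom(sbom_json, advisories):
    """Match every SBOM component against the advisory list; return findings."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        for adv in advisories:
            if comp["name"] == adv["name"] and affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({"purl": comp["purl"], "advisory": adv["id"],
                                 "severity": adv["severity"], "fixed_in": adv["fixed"]})
    return findings

def build_gate(findings, fail_on=("critical", "high")):
    """Pipeline gate: False (block the build) if any finding meets the threshold."""
    return not any(f["severity"] in fail_on for f in findings)

if __name__ == "__main__":
    results = scan_sbom(SBOM_JSON, ADVISORIES)
    for f in results:
        print(f"{f['severity'].upper()}: {f['purl']} -> {f['advisory']} (fixed in {f['fixed_in']})")
    print("gate:", "PASS" if build_gate(results) else "FAIL")
```

Only netparse 0.9.0 falls inside a vulnerable range here (cryptokit 2.1.0 is past its fix), so the gate fails the build on one high-severity finding.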