Security in code development enhanced by service design

25.04.2024

When implementing software composition analysis (SCA) in the secure software development testing process, leveraging service design principles to enhance security has been demonstrated to be crucial.

The thesis examines how service design methods and tools can be implemented for secure software development testing. The results demonstrate the importance of service design when generating new and innovative ideas for different processes and for collaboration with relevant stakeholders.

Efforts are made to produce secure code for customers. Developers are educated and trained in secure coding. Developed code is quality reviewed and verified using the four-eyes principle. Software composition analysis (SCA) provides an opportunity to improve code security. SCA is used to find security-related issues with automatic testing and to prevent the use of vulnerable or unlicensed components. A secure software development testing process generated with service design enables automatic security testing findings management in the early phases of the process.

Software composition analysis usage consists of two parts

The setup activity is the first step in getting code scanned. A scanning event is added to the code build and to the scanner system. Once setup is done, scanning can be initiated. Analysis of the scanning result is the second step. The SCA scanning report is analyzed, and activities are performed as required based on the results.

Service design in secure software development testing

Holistic thinking about user needs, the capabilities of the technology in use, and the economic sustainability of the solution are basic principles of service design and lay the groundwork for process development. The service design process first establishes the status of the existing situation and then defines a concept for SCA use. The aim of the design is to generate different ideas and possibilities which can be evaluated and refined into a solution.

The service design process includes four phases:

  • Discover
  • Clarify
  • Design
  • Deliver

The discovery phase creates an understanding of the needs of the stakeholders who interact with the service. It also provides information about the business logic and the metrics by which process progress is followed. The clarify phase provides information about the service stakeholders' needs and behaviors in the process and about how the service responds to the identified needs, and it visualizes the entire process from the user perspective together with the identified opportunities.

In the design phase, concept insights are generated and technical capabilities are evaluated based on the information from the earlier phases. In the delivery phase, the designed service concept is verified with the stakeholders in a rehearsal, and the final concept is documented, presenting the relationships between service components in detail.

Output from the service design process includes an additional concept description visualizing the created service and the process from the user perspective. A maturity model is defined to describe the expected behavior of the process users. Defined business goals and metrics measure the success of the process. A roadmap for future activities creates an opportunity for technical process improvement.

“SCA service design can decrease the number of critical vulnerabilities.”

The secure software development testing process for SCA service design can decrease the number of critical vulnerabilities. SCA is performed automatically after the code is created, and a report from the test is made available for developer analysis. Developers plan activities based on the analysis results. Defined business goals and metrics create an opportunity to monitor the status of security testing findings and to manage efforts for future success incrementally.

Vainio, V (2024). Design for Secure Software Development Testing. Master’s thesis. Turku University of Applied Sciences.
