
Engineering Execution Plan for Security in SDLC - Example

1. Introduction
Objective: The objective of this project is to develop a secure web application for online
banking, integrating security practices throughout the SDLC to mitigate potential risks.

Scope: The project scope includes the online banking web application, its backend services,
and the database storing customer information.

2. Security Requirements Analysis


Requirement Gathering: Security requirements have been identified from stakeholders,
including compliance with GDPR and adherence to OWASP Top 10.

Security Goals: Our security goals include ensuring the confidentiality, integrity, and
availability of customer data, along with regulatory compliance.

Risk Assessment: Initial risk assessment was conducted using the STRIDE model,
identifying potential threats like SQL injection and data breaches.

3. Architecture and Design Phase


Secure Architecture Design: We designed a microservices architecture with built-in security
features like API gateways for secure access and encrypted data storage.

Threat Modeling: Threat modeling was performed for each microservice, focusing on
potential threats and corresponding mitigation strategies.

Security Control Identification: Identified security controls include JWT for secure
authentication, HTTPS for data in transit, and AES encryption for data at rest.

4. Implementation Phase
Secure Coding Practices: Followed OWASP secure coding guidelines to mitigate common
vulnerabilities such as SQL injection and cross-site scripting.

Dependency Management: Utilized OWASP Dependency-Check to review and manage third-party
libraries, ensuring they are up-to-date and free from known vulnerabilities.

5. Testing Phase
Static Code Analysis (SAST): Implemented SAST using tools like SonarQube to analyze the
source code for security vulnerabilities.

Dynamic Code Analysis (DAST): Utilized DAST tools such as OWASP ZAP to test the running
application for vulnerabilities.

Penetration Testing: Conducted penetration testing to identify and exploit vulnerabilities,
which were then addressed before deployment.

6. Deployment and Maintenance


Security Review and Audit: A final security review and audit were conducted to ensure all
security measures were in place and effective.

Continuous Monitoring: Implemented Splunk for continuous monitoring of security events
and alerts.

Patch Management: Established a patch management process with monthly reviews to
update software and address vulnerabilities.

7. Conclusion
Summary of Security Measures: This document recaps the comprehensive security
measures and practices implemented throughout the SDLC of our online banking
application.

Future Considerations: We plan to continuously improve our security practices by adopting
emerging security technologies and methodologies, with a focus on machine learning for
anomaly detection.

Appendices
Appendix A: Risk Assessment Report - Detailed report of the initial risk assessment findings
and mitigation strategies.

Appendix B: Security Requirements Documentation - Document listing all identified
security requirements from stakeholders and regulatory bodies.

Appendix C: Threat Modeling Outputs - Outputs from the threat modeling activities
conducted during the design phase.

Appendix D: Compliance and Regulatory Standards Checklist - Checklist of all compliance
and regulatory standards addressed in this project.
