The top secure software development frameworks


Advances in computer technology have prompted the development of frameworks that address security and user requirements in the software development lifecycle.

This article examines several established SDLC frameworks, as well as two frameworks that specifically incorporate risk and security elements. With growing cybersecurity threats, organizations must design and upgrade software applications with security in mind, while still providing users the high performance levels they expect.

Steps in the SDLC

Due to the unique nature of software development, the SDLC process is far from straightforward and, as shown in the flow chart below, includes many loops. These loops help ensure issues are thoroughly checked and verified before software is deployed. Document each step and supporting activities carefully, as those documents will be used throughout the development, testing, training and deployment phases and may be used as evidence for audits.

The seven steps of the SDLC are the following:

  1. Analysis. In this step, the current system or process is analyzed, deficiencies are identified, and desired operating parameters and results are defined. Interviews should be conducted with primary users of the new app, as well as senior leaders whose approval is needed. During this step, developers should prepare a presentation for senior IT and company leadership to ensure they support the project.

    Note: Secure management approval and funding before proceeding with the SDLC process.

  2. Plans and requirements. Once the project is approved, define the new system’s features and capabilities. A project plan should be created at this stage, and developers should clearly state how previous deficiencies will be addressed in the new system. If a spreadsheet or project management software is used, build out the project plan, including subactivities within each major step.
  3. Design. Begin developing the system design, including elements such as hardware, OSes, specialized utilities, I/O, software development tools, communications, security, programming, testing and deployment. Additional activities include project kickoff, operating procedures and related documents, system specifications and potential end-of-project life planning.
  4. Development. During this phase, the designs are implemented in code by internal software teams, external teams as needed, software development tools and other aids. Issues such as initial testing, user training, deployment, acceptance testing and management approval should be defined and documented.
  5. Testing. Once the initial system is completed, it should undergo a variety of tests to validate its performance, user ease of interaction, communications capabilities and security attributes. Correct any issues that arise from testing. Tests should also be conducted on the corrections. Involve QA teams in this stage as well.
  6. Deployment. Earlier in the design phase, develop a deployment schedule. Depending on the complexity, the system may need a phased rollout, as opposed to a single launch. This provides users the opportunity to get comfortable with the system in a “safe” environment. The existing system might have to be run in parallel with the new one to facilitate the transition.

    During this step, training programs and documentation should be developed for primary and alternate users. It may be useful to set up a training room with several workstations connected to both systems. This enables users to see the differences between the old and new system.

  7. Post-deployment maintenance. Once the system enters this stage, it shifts into maintenance mode. Regularly monitor the new system’s performance. Necessary updates should be made during this stage without causing serious production disruptions. Establish a patching schedule, along with schedules for system shutdowns for maintenance, updates to hardware, and cybersecurity and disaster recovery activities.

The following flow chart demonstrates how the SDLC process helps ensure performance issues are addressed before a system is put into production.

[Figure: SDLC flow chart]

Software development frameworks

Many software development frameworks have been created over the years; the following is a partial list. Each approach can be adapted to incorporate security issues in the development process:

  • The Waterfall model, originally developed in 1970, espouses a linear, logical progression of activities, similar to the original SDLC model.
  • Rapid application development, designed for speed, uses more iterative and adaptive techniques and prototyping for software development.
  • Joint application development engages users more proactively at most phases of the development process, with the intent of improving their satisfaction with the result.
  • The Fountain model is used to develop object-oriented software and uses iterative and incremental development processes.
  • The spiral model is favored for development of large, complex and costly projects. It builds risk management and iterative processes into the framework.
  • Agile, one of the most popular frameworks in use today, focuses on developing smaller pieces of the final software product rather than building the entire system.
  • Lean software development, a variant of Agile, is noted for its flexibility and lack of strict rules. It actively engages users at all stages of the development process and gathers team members into small working groups for greater interaction.
  • Scrum, another Agile variant, is typically used by project managers to administer iterative and incremental activities.

Open source development tools

In addition to manually developing software systems, open source applications can help facilitate the development process. The following is a partial list of open source frameworks for development:

  • Spring Boot is designed for Java programming. It simplifies the coding process by providing easy-to-use, pre-written code.
  • Django is similar to Spring Boot in terms of functionality but is used for programming in Python.
  • Angular uses a template approach to web application design.
  • Vue is another JavaScript application development tool.
  • Apache Cordova facilitates the development process by letting a single codebase target multiple deployment environments.
  • React Native is used for mobile application development.

Purpose-built secure software development frameworks

The aforementioned software development frameworks and models can be adapted to incorporate security provisions, but they’re not inherently designed for security.

The following two SDLC frameworks take the current approach to software design to a higher level by incorporating risk and security elements.

BSA Framework for Secure Software

Developed by BSA | The Software Alliance and released in 2019, the BSA Framework for Secure Software is a risk-based and security-focused tool that software developers, vendors and users can use to examine and analyze how software will perform in specific security situations. Software products and services are the primary focus of the framework, as opposed to traditional SDLC-type models and frameworks. What makes the framework unique is how it helps users ensure that security is factored into the development process and that the software, as written, produces the desired security capabilities and outcomes.

The framework’s risk-based approach helps users and stakeholders identify specific security parameters required by their organization. BSA’s framework is composed of a detailed matrix of the following:

  • Functions are the highest-level activities in the framework. They include the following:
    • Secure development addresses all aspects and phases of the software development and deployment process.
    • Secure capabilities define key security characteristics and capabilities for a software product.
    • Secure lifecycle ensures security is maintained from the initial development of a product through to its end of life.
  • Categories define the major activities and capabilities of a function.
  • Subcategories divide categories into additional areas of consideration.
  • Diagnostic statements provide descriptive outcomes of categories and subcategories and are to be incorporated into the software design process.
  • Implementation notes provide additional guidance on how to achieve the outcomes defined in diagnostic statements and may also be incorporated into the software design process.

NIST SP 800-218 (2022), SSDF Version 1.1

NIST introduced its secure SDLC framework in 2021. The Secure Software Development Framework (SSDF) recommends specific security-focused activities for each phase of the SDLC.

By integrating the recommended activities into the proper lifecycle phase, software developers can reduce security vulnerabilities in newly developed or updated software, reduce the impact of security breaches, and identify the root causes of vulnerabilities so that future breaches or attacks can be anticipated and prevented. SSDF also includes a vocabulary of terms to facilitate communication among vendors and users.

A key message in the framework is the importance of introducing security issues and requirements as early as possible into the SDLC. Security can no longer be an afterthought. Rather, security should be a central component of any software development project.

SSDF is a matrix based on the following elements:

  • Practices are activities recommended to be performed during the development cycle. The four practice groups are defined as follows:
    1. Prepare the organization activities specify how organizations prepare employees, technologies and relevant processes for secure software development activities.
    2. Protect the software practices specify how organizations protect software from unauthorized access and malicious actors.
    3. Produce well-secured software practices define how to produce secure software with few or no vulnerabilities.
    4. Respond to vulnerabilities activities ensure any remaining vulnerabilities or software risks are addressed and corrected to prevent future vulnerabilities.
  • Practice elements are included within each practice matrix. They are defined as follows:
    • Practice specifies the practice and includes an identifier for ease of reference, plus an explanation of the practice and why it’s needed.
    • Tasks are the activities performed in a practice.
    • Notional implementation examples are types of tools, processes and methods that help implement a task.
    • References are links to specific software development documents that may be relevant to a task.

While traditional SDLC models can be adapted to accommodate security practices, the two secure software development frameworks provide detailed guidance on the security attributes organizations should consider when building secure software products.

Workflow Startup, Symbolic Frameworks, Launches from Stealth to Debut Protagonist, a Visual and Collaborative Decision-Making App


“After refining our own approach to decision making, which included deep conversations with fellow executives struggling with similar challenges, the opportunity for a new way was clear. The market is saturated with apps for project management and product management or development, but completely missing specialized apps for decisions,” said Scott Hudson, co-founder and CEO at Symbolic. “We saw this as an opportunity to develop apps that support a simple, visual and collaborative approach that is fast and effective. We’re focused on reducing top-down management of creativity and workflow and increasing the contribution every individual can make to business innovation and growth. Our customers are already seeing bottom line results, as well as boosts in team morale and company culture.”

Symbolic is led by serial entrepreneur and CEO Scott Hudson, and his son, Max Hudson, co-founder and principal engineer. Max was first to ideate and begin developing Symbolic’s suite of workflow applications. Meanwhile, Scott’s other company, Henrybuilt, a high-end designer of intelligent kitchen, wardrobe, bath systems for luxury homes, was a natural fit for product testing the Symbolic applications. Using Symbolic Frameworks’ applications, Henrybuilt quadrupled revenue with only a 30 percent increase in staff. The company also shortened production time from 12 weeks to four weeks, and then again, from four weeks to a number of days, even for very large projects. Based on this success, Scott and Max saw the opportunity to bring Symbolic’s workflow, decision-making and prioritization capabilities to business leaders and teams with its first-to-market application, Protagonist.

Protagonist is available on web and mobile devices and brings a fresh, visual and collaborative approach to decision-making and prioritization with less time, more input and better outcomes. Individuals or teams can quickly organize their thoughts, weigh various factors, compare options and identify the best path forward. Unlike SaaS-based enterprise solutions that require a massive investment of time and resources and large amounts of data from complex, deeply integrated sources, Protagonist users and collaborators can simply define the important decision or prioritization factors and options, assign a weighted value, add qualitative input, view reports in real time and make their final decision. Through this quick, visual exercise, the best decisions and top priorities rise to the top and can be compared against other high-ranking alternatives. For teams, Protagonist demystifies decision-making and prioritization processes by enabling collective input and a shared understanding of why a decision was made, helping to improve team morale and overall company culture.

“I used Protagonist to decide on the best project lead for a marketing effort that had a deadline approaching and a specific goal to accomplish, which required all the team’s attention and involvement. Right from the start, Protagonist gave me a different, visual approach to decision-making that guided the right conversations for the team to make a fast, practical and effective decision,” said Manolo Paez, chief revenue officer at The Global Good Fund. “The Protagonist app has a strong lineup of features, such as templates, the ability to weigh various factors, and tools to collaborate and share with other team members. Most importantly, Protagonist’s reporting views provided me with the exact information on what and how to validate why a particular decision was made. We’re currently exploring how to use Protagonist on additional decisions across the business.”

The Protagonist app offers several templates that help with hard, yet common, business decisions. Users can also create their own decision templates, adding their own options and factors, setting different weights for various factors, and inviting other participants to ensure the team is making a qualitative and collaborative decision, an imperative step that is often missed in decision-making and prioritization processes.

Capital investments, new office or store locations, employee promotions, entering new markets and continuous improvement of processes are common yet difficult decisions for all businesses. Protagonist Business Decision templates are optimized to guide individuals and teams through decisions important to the operation and growth of a company.

“Businesses need to turn ideas into reality as fast as possible. That means making decisions fast and as a team. To manage this, they turn to workflow software or project management solutions that are complex and painful to use. Instead of gaining agility, users get bogged down by these overcomplicated systems and don’t have the time to do the valuable work the business needs,” said Max Hudson, co-founder and principal engineer at Symbolic. “Today is one big step towards solving these challenges with a series of connected, lightweight, and flexible apps that help individuals and teams drive higher performance.”

Protagonist is available on the web, and on iOS and Android devices. For more information, please visit www.symbolicframeworks.com.

About Symbolic Frameworks
Headquartered in Seattle, Symbolic Frameworks helps businesses make idea generation, decision making and prioritization, and workflow easier and faster. The company was created to foster maximum contributions from individuals and teams without the hassle and complexity of today’s workflow software and applications. Symbolic’s apps bring a cultural impact that extends beyond productivity to create a more human-centered workplace. Symbolic’s apps are available on the web and mobile devices. For more information, please visit www.symbolicframeworks.com.


SOURCE Symbolic Frameworks


Top 11 Web Frameworks Used By Developers In 2019

Web frameworks are used by developers to ease the process of building web applications. They let developers concentrate on the task at hand rather than on the complex underlying code. According to the Stack Overflow Developer Survey 2019, of nearly 90,000 respondents, 63,585 answered the question on the most loved web frameworks, where jQuery, React.js and Angular secured the first, second and third positions respectively.

In this article, we list the 11 most popular web frameworks used by developers in 2019.

(The frameworks are listed in order of popularity.)

1| jQuery

Created in 2006, jQuery is a free and open-source JavaScript library designed to simplify HTML DOM tree traversal and manipulation, as well as event handling and CSS animation. The library simplifies the interaction between JavaScript and the Document Object Model (DOM). Its other features include cross-browser support, AJAX support, CSS3 selectors and basic XPath syntax support. As of May 2019, the library was used by 72% of the 10 million most popular websites.

2| React

React is a declarative, efficient and flexible JavaScript library for building user interfaces. It lets a developer compose complex UIs from small, isolated pieces of code called “components”. It can be used as a base for developing single-page applications as well as mobile applications.

3| Angular (previously AngularJS)

Created by the Angular team at Google and a community of developers, Angular is a TypeScript-based open-source web application framework. The platform can be used for building mobile and desktop web applications using TypeScript/JavaScript and other languages. It uses a hierarchy of components as its primary architectural characteristic and has distinct expression syntax for property and event bindings.

4| ASP.NET

ASP.NET is an open-source, cross-platform framework for building web applications and services with .NET and C#. Created by Microsoft, it allows developers to build dynamic web applications and enables real-time, bidirectional communication between server and client. For web applications, ASP.NET extends the .NET platform with tools and libraries such as the Razor templating syntax for building dynamic web pages with C#, the base framework for processing web requests, and libraries for common web patterns.

5| Express

Express is an open-source web application framework for Node.js. It is a minimal and flexible framework that provides a robust set of features for web and mobile applications, including dynamically rendering HTML pages by passing arguments to templates, setting up middleware, and much more.

6| Spring

Spring is an application framework written in the Java programming language. It provides a comprehensive programming and configuration model for modern Java-based enterprise applications on any kind of deployment platform. It includes a number of modules that provide services such as aspect-oriented programming, convention over configuration, data access, database connectivity and much more.

7| Vue

Vue is a popular JavaScript framework. It is an open-source progressive framework for building user interfaces, designed so that the core library focuses on the view layer only and is easy to pick up and integrate with other libraries or existing projects.

8| Django

Django is a high-level, open-source Python web development framework for backend web applications. In one of our articles, we discussed the final release of Django 3.0, which brings a number of intuitive features. The framework is designed to satisfy the complex requirements of experienced web developers.

9| Flask

Flask is a lightweight WSGI Python web application framework. It became widely popular as an alternative to Django for projects that do not need Django's monolithic structure and dependencies. It is classified as a microframework because it does not require particular tools or libraries.

10| Laravel

Laravel is a web application framework written in PHP. Its features include a modular packaging system with a dedicated dependency manager, several ways of accessing relational databases, built-in authentication and authorisation, MVC support and an object-oriented approach, the Artisan console and the Eloquent ORM.

11| Ruby on Rails

Ruby on Rails is one of the most popular frameworks written in Ruby. It is an open-source, server-side model–view–controller (MVC) web application framework that provides default structures for a database, web pages and more. It combines the Ruby programming language with HTML, CSS and JavaScript to create web applications that run on a web server.

Ambika Choudhury

A Technical Journalist who loves writing about Machine Learning and Artificial Intelligence. A lover of music, writing and learning something out of the box. Contact: [email protected]