Are security tools considered to be a part of application lifecycle management (ALM)?
Security tools are absolutely a core component of application lifecycle management. As the security industry has matured, research has shown that security activities are necessary throughout the entire application lifecycle. Numerous commercial ALM products have begun to include security functionality, and many now treat security activities as part of their lifecycle management features rather than as a separate add-on.
To understand why, it helps to recognize the role security plays at each phase of the development lifecycle. During requirements gathering, security requirements must be considered (and privacy requirements are an equally important consideration at this stage). Some lifecycles fold security-related requirements into the functional or technical requirements, whereas others track them as a separate category to emphasize their importance. Whichever categorization a team uses, accounting for security in the requirements stage is critical. Good ALM applications help teams capture these requirements during the planning or design phase of a project.
As the project transitions to the design phase, additional security activities are required. Threat modeling is probably the best-known example. By modeling threats against the application design, product teams can uncover flaws and poorly designed features, and identify high-risk areas that will need additional attention during the implementation and testing phases. All of this information becomes project output: documentation, implementation tasks, and test cases. In some instances (especially where HIPAA or PCI are a concern) this documentation is required for compliance purposes.
When projects enter the implementation phase, tools become critically important. Static code analysis tools automate part of the security burden; these tools often come from commercial ALM vendors and can, in some cases, be integrated directly into the ALM suite. As the project transitions to the testing phase, the test cases developed during the requirements, design, and implementation phases are executed. Automated security testing tools, such as application scanning technologies, help the team assess application security and gather results, and the output from those tests can be tied back to the originating requirements, tasks, and test cases. The ALM application supports this by providing a centralized repository that accounts for all activities within the implementation and testing phases.
As security becomes more mainstream and is seen less as a parallel activity and more as a core practice in the application lifecycle, ALM vendors will include more and more related functionality in their existing product offerings. Teams and customers alike will benefit, because security will be treated as an equal partner to other ALM activities such as functional testing or performance testing. Planning, executing, and reporting on security-related activities and requirements will become a seamless component of the overall application lifecycle.
This was first published in September 2011