The Cisco Secure Development Lifecycle: An Overview
Cisco has defined a development standard called the Cisco Secure Development Lifecycle (CSDL). This process is designed to ensure that Cisco produces secure and resilient products by identifying and implementing specific processes or tools to enable engineers to detect, fix, mitigate and prevent design and code weaknesses that could become exploitable.
CSDL is a multi-layered defensive approach. First, we seek to ensure product security is integrated into the design and design review process through the use of baseline requirements and threat modeling reviews. Second, we pursue a rigorous software development design process to detect, fix, and protect against potential software weaknesses. Finally, we utilize robust penetration testing to validate the effectiveness of the first two layers of our defense, and to identify and fix any resulting vulnerabilities.
CSDL utilizes many industry standards and best practices. For example, CSDL tools and processes specifically seek to eliminate common software weaknesses such as those found in the SANS Top 25, and to utilize Safe C Libraries and OWASP Java libraries. The aim is also to leverage industry best practices in utilizing threat modeling in design review, static analysis, and standards-based compiler technologies such as ProPolice or BOSC, and to utilize commonly available or open source penetration testing tools and techniques. Microsoft has also been a valuable partner, both as a model for SDL and as a sounding board for Cisco as we developed and adapted their concepts to meet the unique attributes of our development environment and needs.
Cisco continuously works to identify secure postures, requirements, and best practices for products. Once identified, vetted, and agreed upon, they are stored in a common technology repository and incorporated into development methodologies with the expectation that products will comply with all requirements within the applicable common technology.
In addition to robust tools and processes for developing products, design and code reviews are critical efforts that are gaining even more internal attention. While most reviews are performed by senior members of the development team, they may also include individual technical experts, depending on the technology or code under review. In addition to development team-focused efforts, Cisco also has resources to address product security needs such as in-depth review and vulnerability analysis or Common Criteria review and inspection. These specialized teams assist in code reviews, penetration tests, and compliance certification activities.
Penetration testing is a critical final development step to ensure that product security mitigations have been addressed. Cisco utilizes many commonly used commercial and open source fuzzing tools to ensure that we have adequately resolved product weaknesses, or identified and fixed potential problems, before the product ships.
ISO certification of our development processes, of which CSDL is an inherent part, provides customers validation and confidence that our processes, such as common technology requirements, secure coding procedures, code reviews, testing and verification, are designed to be consistently executed within our product development. The end goal of the Cisco Secure Development Lifecycle methodology is to ensure that our customers can remain confident that the Cisco product is robust and resilient in the face of attack.