¶ What Activities are part of the Build Phase?
In the build phase, we are acquiring the solutions to be constructed. This is often driven by a Build vs Buy decision point early in the process, driven by design decisions, the security activities involved differ slightly based on our ability to influence the outcomes. When building internally, we can have complete control over the methodologies employed and the security activities utilized at every step in the process, but this too comes with additional risks due to time and certainty as opposed to buying a system outright from a 3rd party who probably specializes in this work. The challenge there is then validating that what we are buying meets our requirements and that we can trust what is delivered to us.
¶ Software and Hardware Development
The software and hardware development phase is the stage in the development process where the system's software and hardware components are designed, developed, and integrated to create a functional system. This phase typically follows the requirements and design phases and precedes the system integration and testing phases.
During this process, the system's software and hardware components are developed in parallel, with close collaboration and coordination between the development teams. The software components are typically developed using programming languages, while the hardware components are developed using hardware description languages, schematic diagrams, and other tools.
This also involves a variety of activities, including coding, testing, and debugging of software and hardware components, integration of components into subsystems and the overall system, and the creation of user manuals and other documentation. The goal is to ensure that the software and hardware components work together seamlessly, meet the requirements, and are reliable and efficient.
The outcomes of the software and hardware development phase include fully functional software and hardware, integration of these components into subsystems and the overall system, and documentation of the system's architecture and functionality. These outcomes serve as the basis for the system integration and testing phases.
¶ Secure Software Development Lifecycle
The SSDLC or SDL as it is sometimes known, is the set of activities that define good security practices for secure development. This is not a separate phase, per se, as much as it is a framework that should be applied as part of the build. Frameworks such as the Application Security Verification Standard from OWASP are an excellent approach, since they apply a risk-based model that can be informed by threat modeling activities.
Additionally, NIST has released SP 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities, which is largely recognized as one of the best frameworks for the application of secure software practices.
While these industry approaches are powerful in defining best practices, your organization should define a charter and governance program for software security that makes sense based on the cuklture and resources available. The Software Assurance Maturity Model is another great resource when defining the omponents of your software security program.
¶ Quality Assurance
Quality assurance (QA) is a process of ensuring that a product or service meets the required quality standards. It involves a set of activities that are performed to identify defects, prevent them from occurring, and ensure that the product or service meets the expectations of the stakeholders. Here are the key activities involved in quality assurance:
Depending on the development process, QA might occur during build or test phases. For instance, in a waterfall approach where the build is completed in large phases, QA activites are conducted inline with development work. In more continuous development models, these are very rapid iterations and you might see these activities push forward into Test.
¶ Procurement
In a Buy decision pattern, there will need to be a set of procurement activities as part of this process. The procurement stage refers to the process of acquiring the materials, equipment, and services needed to build or operate a system. This stage is an important part of the system development life cycle, as it ensures that the necessary resources are available at the right time and cost to complete the project successfully.
The procurement stage typically involves the following steps:
- Identifying requirements: In this phase, the project team identifies the materials, equipment, and services that are required to build or operate the system. This includes defining technical specifications, performance requirements, and quality standards.
- Sourcing suppliers: Once the requirements are defined, the project team identifies potential suppliers who can provide the necessary materials, equipment, and services. This may involve issuing requests for proposals (RFPs) or requests for quotes (RFQs) to a select group of suppliers.
- Evaluating proposals: In this phase, the project team evaluates the proposals received from suppliers based on criteria such as cost, quality, delivery time, and technical compliance with the project requirements.
- Negotiating contracts: Once a supplier is selected, the project team negotiates a contract that specifies the terms and conditions of the procurement, including delivery schedules, pricing, and quality standards.
- Managing the procurement process: Throughout the procurement process, the project team monitors supplier performance to ensure that they are meeting the terms of the contract. This may involve managing supplier relationships, monitoring delivery schedules, and resolving any issues that arise.
The procurement stage ensures that the necessary resources are available to complete the system development process. By carefully defining requirements, sourcing suppliers, evaluating proposals, and negotiating contracts, the project team can ensure that the procurement process is efficient and cost-effective.
¶ Cyber - Supply Chain Risk Management (C-SCRM)
Also referred to within CIE as Cyber Secure Supply Chain Controls as one of the 12 Principles, this activity is really about validating the authenticity and security of the suppliers and the products and services being procured. Since your will have limited ability to control how the product is built, this category of activity is heavily focused on assurance and validation of attestations provided by suppliers. As this topic will be covered elsewhere on this wiki, this article is primarily a stub, but for additional resources, see the NERC Supply Chain Working Group
- Provenance
- Pedigree
- Secure Equipment Delivery
- Software Transparency
- Vulnerability Disclosure Reporting (VDR) and Vulnerability Exploitability (VEX)
- Security Addendums in Contracting
- Vendor Risk Management