
Start With a Security Assessment

Learning Objectives

After completing this unit, you’ll be able to:

  • Define a security assessment.
  • Explain how to make a security assessment plan.

Knowledge Check

This knowledge check reviews the five stages of the Secure Development Lifecycle that were covered in the previous unit. It isn’t scored—it’s just an easy way to quiz yourself on the concepts you're learning.

Great work! Knowing the five phases will be a good foundation as we start diving into more detail. Now it's time to learn about security assessments.

What Is a Security Assessment?

A security assessment checks for vulnerabilities and ranks ongoing engineering work by level of risk. It helps you think like an attacker so you can understand how an application might be misused. Security assessments also ensure that input provided by legitimate users is sanitized, validated, and processed safely by the application. Implementing a security assessment gives you a formal process to examine security risks and define the specific steps required to mitigate those issues before release.

As a developer, you work with other development teams and business units to help design, create, document, code, test, deploy, and maintain secure applications. Security assessments encourage security by design (SBD) and give engineering teams a security milestone early in the development process. SBD is a key cybersecurity principle, and one that’s central to the secure development lifecycle (SDL). SBD means designing software to be secure from the outset to reduce the likelihood of flaws that might compromise an organization’s security. It's crucial to remember that, from a cost perspective, the sooner security is addressed in the development cycle, the better.

Some organizations have a formal security assessment process that development teams must complete. Often this begins with a questionnaire that scopes a project’s security risks. Some organizations have developed internal applications to streamline this process. If your organization has a formal security assessment team, it will define security milestones and requirements that must be met before the product can be released. 

If your organization does not have a formal security assessment process, the Open Web Application Security Project (OWASP) has a Risk Assessment Framework with open source tools to help you get started with designing your own assessment protocol. 


Create a Security Assessment Plan

Since every developer has a stake in building securely, it's a good idea to require every unit of work to be within the scope of a security assessment. Launching a security assessment early in your process is a smart security investment and can avoid costly surprises later on. 

A good security assessment program has four goals. 

  1. Empower engineers with clear security requirements.
  2. Increase automation to cut down on manual tasks and boost consistency.
  3. Track security actions and tasking.
  4. Integrate security into development at every stage.

Whether you're building your own security assessment tool or using one that already exists, here are some things you want to look for.

  • Questionnaires that are specific to your team
  • Suggested security tasks that are based on your answers
  • Questionnaires and tasks that can be quickly updated as threats change
  • Multiple user stories or an epic (a large body of work that can be broken down into a number of smaller stories) that can be attached to one approval

A good security assessment program provides consistent security best practices and compliance advice in a centralized location. It helps you ensure that your team is on the same page about prioritizing security as an integral part of the development process.
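The following added example (not Trailhead's, Salesforce's, or any vendor's tool) shows in working Python how the features listed above fit together, and how the "ranks ongoing engineering work by level of risk" idea from the start of this unit can be implemented: a team-specific questionnaire whose answers trigger suggested security tasks, tasks ranked by a simple likelihood × impact score (an assumption: a simplified rating in the spirit of OWASP's risk rating, not its exact tables), several user stories attached to one epic-level approval, and a release gate that requires the HIGH-risk tasks to be completed. All questions, tasks, story ids, and thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Task:
    """A suggested security task with a simple likelihood x impact rating."""
    title: str
    likelihood: int  # 1 = unlikely .. 3 = likely
    impact: int      # 1 = minor .. 3 = severe

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Question:
    """One questionnaire item; `rules` maps an answer to the tasks it triggers."""
    key: str
    text: str
    rules: Dict[str, Tuple[Task, ...]]


def risk_level(score: int) -> str:
    # Constructed thresholds on the 1..9 scale: 6-9 HIGH, 3-5 MEDIUM, 1-2 LOW.
    if score >= 6:
        return "HIGH"
    if score >= 3:
        return "MEDIUM"
    return "LOW"


def example_questionnaire() -> List[Question]:
    """Constructed, team-specific questions. Because the rules are plain data,
    updating the questionnaire as threats change is an edit to this list."""
    return [
        Question("handles_pii", "Does the work store or process personal data?",
                 {"yes": (Task("Encrypt PII at rest and in transit", 2, 3),
                          Task("Define data retention policy", 1, 2))}),
        Question("internet_facing", "Is any new surface reachable from the internet?",
                 {"yes": (Task("Add input validation and output encoding on all external inputs", 3, 3),
                          Task("Schedule penetration test before release", 2, 3))}),
        Question("third_party_deps", "Does the work add third-party dependencies?",
                 {"yes": (Task("Enable dependency vulnerability scanning in CI", 3, 2),)}),
        Question("auth_model", "How do users authenticate? (sso/custom/none)",
                 {"custom": (Task("Review custom authentication against OWASP ASVS", 2, 3),),
                  "sso": (Task("Verify SSO token validation and session handling", 1, 3),)}),
    ]


def suggest_tasks(questionnaire: List[Question], answers: Dict[str, str]) -> List[Task]:
    """Map answers to tasks, de-duplicate by title, and rank by risk (highest first)."""
    chosen: Dict[str, Task] = {}
    for q in questionnaire:
        if q.key not in answers:
            raise ValueError(f"unanswered question: {q.key}")
        for task in q.rules.get(answers[q.key], ()):
            chosen.setdefault(task.title, task)
    return sorted(chosen.values(), key=lambda t: (-t.risk, t.title))


def assess(epic: str, stories: List[str], questionnaire: List[Question],
           answers: Dict[str, str]) -> dict:
    """Build one approval record that covers an epic and all of its stories."""
    tasks = suggest_tasks(questionnaire, answers)
    return {
        "epic": epic,
        "stories": list(stories),
        "tasks": [(t.title, t.risk, risk_level(t.risk)) for t in tasks],
    }


def release_ready(assessment: dict, completed: set) -> bool:
    """Release gate: every HIGH task tied to the approval must be completed."""
    return all(title in completed
               for title, _, level in assessment["tasks"] if level == "HIGH")


def run_example() -> dict:
    """Constructed answers for a sprint that exposes a PII-handling service online."""
    answers = {"handles_pii": "yes", "internet_facing": "yes",
               "third_party_deps": "yes", "auth_model": "custom"}
    return assess("EPIC-1 cloud migration", ["STORY-11", "STORY-12"],
                  example_questionnaire(), answers)


if __name__ == "__main__":
    result = run_example()
    for title, score, level in result["tasks"]:
        print(f"[{level:6}] risk={score} {title}")
    print("release ready:", release_ready(result, set()))
```

Running the script prints the six suggested tasks in descending risk order and reports that the epic is not release-ready until its five HIGH tasks are done. Keeping the questions and their triggered tasks as data rather than code is what makes the questionnaire cheap to update when a new class of threat appears.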


Quiz

Omar’s team knows that security requirements are changing as his agency prepares to move into the public cloud. They’re beginning a new sprint and have security questions specific to cloud development.  
