Blog Series: Get Familiar with the SDL-LOB Process. Introduction to Phase Five: Release for LOB

Hello, Anmol here. As you’ve been following along with me in my blog series on the Security Development Lifecycle for Line-of-Business applications (SDL-LOB), I’ve talked about Phases One, Two, Three and Four. Today, I’ll discuss the last phase - Phase Five: Release for LOB. SDL-LOB defines standards and best practices for providing security and privacy for line-of-business (LOB) applications that are either in development or being planned for development.

In the Release phase, now that the application is live in production, a post-production assessment takes place. It is important to note that this is a continuous process and that all applications, hosts and network devices are in scope. This type of assessment is performed by an operations team and involves verification of patch management, compliance, and network and host scanning, as well as responding to incremental releases for hotfixes and service packs. Typically the assessment occurs on a continuous, regular cycle and integrates with the existing management process already established by the compliance group.

Highlights for this phase include:

  • Host-level security
    • Patch Management
    • Appropriate configuration
    • Antivirus
    • Compliance
  • Review access control/permissions
  • Server auditing and logging
  • Network level security
  • Application retirement

Under every task given above, there are several security requirements that the application team follows. Here’s the complete list of security requirements. Concluding my blog series, I’ve talked about all 5 phases of SDL-LOB, providing you a brief highlight of each of the phases. Take some time and review all phases of the SDL-LOB in detail. To wrap up, here are the phases again:

-Anmol Malhotra
Senior Security Engineer
ACE Team