Risk, Architecture and Development in the SDLC

All companies increasingly depend upon business-to-business software applications to enhance operations, creating a broad range of risks in the process. These risks include security, availability, recoverability, performance, scalability, and compliance risks related to mission-critical, internet-facing systems. Many times, the primary cause of these risks is an absence of expertise and consideration of security and privacy during systems development. Previously unstructured implementations of risk mitigation measures in the systems development lifecycle lead to both over- and under-investment in development controls. Many companies claim to use a risk-based approach that incorporates cost-effective levels of risk mitigation commensurate with the corporation's risk tolerance levels. The effort should use security architecture, structure within the systems development lifecycle, and a proper coding program and training.



Security Architecture

Security architecture can focus on the implementation of eight core security capabilities, with architectural standards serving as a ‘minimum necessary’ that prescribes when they should be implemented in a system:

  • Risk-based Cost Benefit Effectiveness
  • Business Enabling
  • Adding Value to Core Business
  • Empowering Customers
  • Protecting Relationship and Leveraging Trust
  • Sound Management and Assurance Framework
  • Governance
  • Compliance

Security architecture should prescribe when (e.g. what information to log to facilitate audit or when to encrypt data) and how to implement security in a product (e.g. what should be in an audit log or which cryptographic algorithm to use when performing encryption) so that the product is likely to be compatible with the most common industry security policies.

The ability to select the proper security capability to implement starts with understanding system capabilities and the impact on the internal business environment. Especially critical are the system capabilities that have an impact on the following:

  • Confidentiality of business information (e.g., system functions that could result in disclosure of data accessible to the system);
  • Integrity of business information (e.g., a management command that could be used to modify customer data);
  • Availability of business information (e.g., a system feature that could be used to make customer data or applications unavailable to the customer).

Security architecture should also prescribe confidentiality controls, such as encryption, to be employed both at rest and in transit on any sensitive data (e.g. PII) handled by the system. Similarly, architecture requires integrity controls to be enforced on data, such as security configuration information, whose modification would create vulnerabilities in the environment.
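One way to enforce the integrity control on security configuration information described above, as an added example that is not part of the original article. HMAC-SHA256 is one choice of mechanism, and the key, field names and sample settings are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample key; a real key would come from a secrets manager or HSM.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"

class ConfigIntegrityError(Exception):
    """Raised when a security configuration fails its integrity check."""

def _canonical(config: dict) -> bytes:
    # Stable serialization so the same settings always produce the same bytes.
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode("utf-8")

def seal_config(config: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return an envelope holding the config and an HMAC-SHA256 tag over it."""
    tag = hmac.new(key, _canonical(config), hashlib.sha256).hexdigest()
    return {"config": config, "hmac_sha256": tag}

def load_config(envelope: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return the config only if its tag verifies; otherwise fail closed."""
    config = envelope.get("config")
    tag = envelope.get("hmac_sha256")
    if not isinstance(config, dict) or not isinstance(tag, str):
        raise ConfigIntegrityError("missing config or integrity tag")
    expected = hmac.new(key, _canonical(config), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how much of the tag matched.
    if not hmac.compare_digest(expected.encode("utf-8"), tag.encode("utf-8")):
        raise ConfigIntegrityError("security configuration was modified")
    return config

def demo() -> tuple:
    # Constructed sample security configuration.
    sealed = seal_config({"tls_min_version": "1.2", "audit_logging": True})
    intact = load_config(sealed)
    # Simulate an unauthorized change that would weaken the environment.
    tampered = json.loads(json.dumps(sealed))
    tampered["config"]["audit_logging"] = False
    try:
        load_config(tampered)
        rejected = False
    except ConfigIntegrityError:
        rejected = True
    return intact, rejected

if __name__ == "__main__":
    print(demo())
```

The loader raises instead of falling back to defaults, so a modified or unsigned configuration never takes effect silently.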

Security architecture requires specific serviceability capabilities to be implemented to enable secure service access to the system and to maintain the system at an up-to-date security level (e.g. security patches). Architecture takes a wider, more holistic approach to solving the business problem of security by ensuring that all of the components are specifically designed, procured, engineered, and managed to work together for the benefit of the business. You should be able to easily answer the following questions:

  • Do we have all of the components?
  • Do these components work together?
  • Do they form an integrated system?
  • Does the system run smoothly?
  • Are we assured that it is properly assembled?
  • Is the system properly tuned?
  • Do we operate the system correctly?
  • Do we maintain the system?

Security in the SDLC

To facilitate the implementation of the systems by the functional groups involved in a systems lifecycle, security architecture standards should be organized in alignment with the systems development lifecycle (SDLC) as follows:

  • Architecture and Design requirements for use during the architecture and design stage by systems architects.
  • Systems Development requirements for use during the systems development stage by systems development.
  • Assurance and Testing requirements for use during the various testing stages by systems developers and quality assurance analysts.
  • Serviceability requirements for use by systems architects, systems developers, and customer service ensuring that systems and processes enable secure serviceability.

Security organizations need to create a repeatable and measurable process that enables systems development efforts to meet business demands for error-free and limited-vulnerability systems. The process is not without its flaws, but software development teams should understand how to optimally apply appropriate controls during the SDLC. These groups need to take full responsibility for the systems they create from a security and risk perspective.

Writing Proper Code

Many firms use internally created programming patterns and practices cookbooks that serve as a library of defensive programming practices designed to assist developers with common challenges related to defect-free code. There are several common attack vectors, along with defensive programming vectors that can be used to harden applications against potential vulnerabilities. Specifically, programming examples and references demonstrating both proper and poor programming practices as they relate to defensive programming should be provided.

The program should define examples of various attacks explaining how they exploit improper programming and what developers and quality assurance staff can do about it. The guide is not intended to be a complete summary of all possible variations of attacks and defenses as that is far beyond scope. Tables describing the most common attack and defensive strategies as well as an indication of which defenses work best for a given attack can be listed in a library.

In addition to the library of defensive programming practices, many firms either develop or contract for a series of awareness trainings that are then made available through the corporate intranet. Training teaches key security features, the common web security pitfalls developers fall into, and how to build secure and reliable systems. Developers should review hands-on code examples that highlight issues and prescribe solutions customized for their business environment. The intent is to challenge all attendees with real-world and past examples found in their organization's code, reinforced by practical and realistic code-level lab exercises.


The overall security architecture program should prescribe the use of industry standards across the SDLC: systems architecture and design, systems development and systems testing that reduce vulnerabilities and the risk of exploitation of vulnerabilities. It outlines a set of recommendations for systems development to prevent common security flaws in the area of systems design and software development.

A basic software engineering truism is that fixing software defects earlier in the SDLC can save money in the long run. Development projects tend to slip on timetables, and end-of-cycle processes like quality testing are often abbreviated to keep projects on track. Conversely, when risk considerations and processes are integrated throughout the systems development methodology, organizations can realize significant improvements in their ability to design, develop, test, and maintain the integrity of systems, while at the same time improving the system’s quality, time to market, reliability, and competitiveness.

From a strategic perspective, a systems development methodology that addresses security helps normalize development and maintenance costs, decrease information risks, and minimize business disruption cost. Minimized risk also reduces business liability concerns, better protects your company’s brand and reputation, and improves compliance with internal policies and external standards.
