The Role of Tools in Improving Embedded Software Security / Part 2: Security Improvement and the Software Development Lifecycle

By Bill Graham

In many of my previous posts, I’ve discussed Wind River's 5+1 step improvement framework for embedded device security. By design, it’s meant to complement the software development lifecycle (SDLC) that our customers are using, whatever stages or phases they define and whatever processes they follow. In a discussion of tools, it’s important to place them in the context of the SDLC to see where they apply and how they are useful beyond just the coding stage.

Figure 1 shows the relationship between the SDLC and our security improvement framework. The phase names and number of phases may change from customer to customer but the general idea remains the same. It’s important to note that the improvement framework is equally compatible with Microsoft’s Secure Design Lifecycle that is gaining traction amongst embedded developers too.

Figure 1: Relationship between software development lifecycle phases and the security improvement framework.

Security-Related Activities at Each Phase of Development

The activities the development team needs to perform at each stage of development to increase system security are outlined in Figure 2. The list is representative rather than exhaustive, but it provides a good outline of what needs to be done. As I discussed in a previous post, many of these activities are new and are now part of the project plan where they likely weren’t in previous products. Supporting these activities with tools and services is where a vendor like Wind River can make the difference in meeting your project and security goals.

Figure 2: Various security-related activities in relation to the software development lifecycle.

The details about the phases and names of the development lifecycle (and the processes used such as Agile development) are interchangeable. Development, system simulation and testing tools play a big part in automating these activities, and in my next post, I’ll discuss how Wind River’s and our partner’s tools fit into this framework.
