Integration of Security Engineering Principles into the Software Lifecycle Management

Today’s economy and society could not function without complex IT network infrastructures. Increasing integration among customers and suppliers requires stronger links across the borders of entities and companies. This technological progress however increases the danger that the IT systems and databases of a company are being attacked in order to obtain valuable data, of just to cause damage. Security in software development is thus growing more important. IT projects are primarily driven by business requirements while risks are often not taken into full consideration. While technical defense mechanisms exist for most common attacks, companies often lack the overarching perspective on software development and operations, which is instrumental in ensuring adequate security for a company’s IT systems and data. Such a perspective includes organizational and process elements as well as technical aspects. This diploma thesis focuses on defining a concept for secure software development for the eIntegrationsplattform of VersicherungSchweiz IT. The platform hosts a large range of webbased components and web-applications, which are being accessed by internal users, but also by customers, brokers and selected suppliers. Based on a detailed diagnostic of the situation including strengths and weaknesses, an analysis of existing models and processes, and principles of secure software development, a holistic process for software development is derived with focus on processes and organization. Handover checklists were developed, and the entire process is linked into the existing organization. The last part of the thesis looks at implementation requirements, describes the actions to be taken, and provides an outlook on further security-relevant topics for VersicherungSchweiz IT in the future.