Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Slack Releases Open Source Secure Development Lifecycle Tool

Team collaboration solutions provider Slack last week announced that one of the secure development lifecycle (SDL) tools used internally by the company has been released as open source.

Team collaboration solutions provider Slack last week announced that one of the secure development lifecycle (SDL) tools used internally by the company has been released as open source.

The tool, named goSDL, is a PHP-based web application designed to provide developers and project managers a list of questions and checklists that should help them improve the security of new software and features. It is meant to be used at the middle or near the end of a project.

After providing some general information about their project, developers using goSDL are instructed to answer some questions for an initial risk assessment. Among other things, developers are asked if they believe the involvement of the security team is necessary, and if their code adds new authentication features or changes existing security controls.

Once the initial assessment has been completed, goSDL requires developers to provide information about the components they are using, including web technologies, programming languages, and parsers. New components can be easily added to the questionnaire via JSON plugins.

Based on the responses provided in the previous phases, goSDL then generates security checklists that are relevant to the project. For tracking purposes, two JIRA tickets are created – one for the developer and one for the security team, allowing it to track its own review.

“The tool tailors the checklist to the developers’ specific needs, without providing unnecessary unrelated security requirements. Security experts can establish custom security guidance and requirements as checklist items for all developers,” Slack said. “This checklist is used as a guide and reference for building secure software. This encourages a security mindset among developers when working on a project and can be used to easily track the completion of security goals for that project.”

goSDL can be used with Atlassian’s Jira Enterprise issue tracker and the Trello project management application. The goSDL source code, along with usage instructions, can be found on GitHub.

“By open-sourcing goSDL, we hope to enable other growing organizations to scale their security. We also hope to learn from their experience; we welcome contributions to the tool, its modules, and its checklists, and are excited to see what pull requests will come in!” said Max Feldman of the Slack Product Security team.

Advertisement. Scroll to continue reading.

Related: Kaspersky Open Sources Internal Distributed YARA Scanner

Related: Netflix Releases Open Source Security Tool “Stethoscope”

Related: Google Open Sources Vendor Security Assessment Framework

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...