20 - Software Development Security

Question 1

What are some security considerations for the software development phase?

Answer 1

• Choosing a type of programming language:
  
  • Compiled Languages: The use of a tool called a compiler that transforms the source code into a .exe file. Users cannot see the original source code unless a decompiler is used.
    
    • C, Java, FORTRAN
    • Less prone to manipulation but malicious activity can be hidden.
  • Interpreted Languages: The source code is distributed and can be viewed by the end-user.
    
    • Python, JS, R
    • More prone to be modified but code can also be reviewed by the end-users.
• Choose a method of programming:
  
  • Functional: A series of steps.
  • OOP: Objects are used that have specific methods related to them. Can provide more depth and functionality to a program. Objects can be grouped into classes and can also inherit properties of a parent as well as additional methods they need. Objects can be self-contained and can act as a black box to end-users who do not need to know the inner workings.
• Assurance Procedures: Formalized processes by which trust is built into the lifecycle of the system.
• Avoiding and Mitigating System Failure: Putting methods in place to avoid failure of a system.

Question 2

What are some OOP terms that are good to know?

Answer 2

• Message: Communication/input to an object
• Method: Internal code that defines the actions an object performs
• Behavior: Results/output of an object
• Class: A collection of common methods from a set of objects that defines their behavior
• Instance: An example/item of a class that contains its methods.
• Inheritance: When methods of a class are inherited/absorbed by another subclass/child item.
• Delegation: Forwarding of a request/message by an object to another object. (This will happen when an object does not have the method for the message)
• Polymorphism: The characteristic of an object that allows it to respond with different behaviors to the same message because of changes in external conditions.
• Cohesion: Describes the strength of the relationship between the purposes of the methods within the same class.
• Coupling: The level of interaction between objects.

Question 3

What are some techniques for Avoiding and Mitigating System Failure?

Answer 3

• Input Validation: Verifies the values provided by the user match the programmer’s expectations before allowing further processing.
  
  • Limit Check: Program confirms if a number falls within an expected range.
  • Escaping Input: Removing risky characters and replacing them with safe values
• Authentication and Session Management: Requires users to authenticate before accessing an application or modifying data. It is best practice to try to integrate the organization’s existing authentication system instead of trying to create one from scratch. It also bets practice, to use secure transmission channels and proper session time limits.
• Error Handling: Disable detailed error messages from public view to prevent valuable system information from falling into the wrong hands.
• Logging: Applications should be configured to send detailed logging info to a protected, centralized repo.
• Fail-Secure: Upon failure, the system goes into a high level of security until an admin can diagnose and restore the system.
• Fail-Open: This allows users to bypass failed security controls, erring on the side of permissiveness.

Question 4

What events do the OWASP Secure Coding Guidelines suggest to log?

Answer 4

1. Input Validation errors
2. Authentication events (especially failures)
3. Access Control Failures
4. Tampering Attempts
5. Use of invalid or expired session tokens
6. Exceptions raised by the OS or applications
7. Use of Admin privileges
8. TLS failures
9. Cryptographic Errors

Question 5

What are some core activities that are usually every development process?

Answer 5

• Conceptual Definition: High-level statement of purpose that should include the general system requirements.
• Functional Requirements Determination: Specific system requirements are determined
  
  • Input: Data provided to a function
  • Behavior: Logic describing what actions the system should take in response to different inputs.
  • Output: Data provided from a function.
• Control Specifications Development: Ensures security controls are designed into every system. Controls must be designed into the system to prevent unauthorized access, maintain data confidentiality, must provide logging capabilities, and must ensure availability is in place.
• Design Review: Designers determine how the systems will interoperate and be laid out.
• Code Review Walkthrough: Developers start writing the code and have walkthroughs to review for issues
• User Acceptance Testing: Actual users validate the systems with predefined scenarios to test for issues.
• Maintenance and Change Management: Have a support team in place to keep the system operational and use a formal change management structure for any official work done.

Question 6

What are some known SDLC models?

Answer 6

• Waterfall Model: A series of iterative activities, when one phase is completed, the next takes place. If there is an issue found in one stage, the process can revert back to a previous one to correct the problem, There are 7 stages:
  
  • System Requirements
  • Software Requirements
  • Preliminary Design
  • Detailed Design
  • Code and Debug
  • Testing
  • Operations and Maintenance
• Spiral Model: An iterative process where each phase goes through one of four cycles. Each phase can be an incremental release with slight improvements:
  
  • Objective Setting
  • Risk Assessment
  • Development and validation
  • Planning
• Agile Software Development: Model whose core philosophy values:
  
  • Individuals and interaction over processes and tools
  • Working software over comprehensive documentation
  • Customer collaboration over contract negotiation
  • Responding to change over following a plan
• Software Capability Maturity Model: Intended on helping organizations improve the maturity and quality of their software processes by implementing a path from chaotic processes to mature, disciplined software processes. Stages:
  
  • Level 1 - Initial: No defined process
  • Level 2 - Repeatable: Use of code in a reusable fashion is introduced.
  • Level 3 - Defined: Operating according to a set of formal, documented processes.
  • Level 4 - Managed: Quantitative measures are utilized are to gain an understanding development process
  • Level 5 - Optimizing: A process of continuous improvement takes place.
• IDEAL Model:
  
  • Initiating: Business reasons are outlined, support is built, and appropriate infrastructure is put in place.
  • Diagnosing: Engineers analyze the current state of the organization and make general recommendations for change.
  • Establishing: The organization takes the recommendations and develops a plan of action to help achieve those changes.
  • Acting: The organization develops solutions and then tests, refines and implements them.
  • Learning: Analyze and validate the solutions. If necessary, propose new actions.

Question 7

What is a Gantt Chart?

Answer 7

A type of bar chart that shows a graphical illustration of project tasks and their schedule.

Question 8

What is a PERT?

Answer 8

A PERT (Program Evaluation Review Technique) is a tool used to judge the size of a software product in dev and calculate the standard deviation (SD) for risk assessment.