Chapter 13: Software Development Security Flashcards
Software Development Life Cycle (SDLC)
The process of building software from conception to deployment
The Steps of the SDLC
Inception
Requirements Gathering
System Design
Development
Testing
Deployment
Training is not a phase of the cycle itself, but it should accompany every phase so that the people doing the work at each step are properly security minded
Requirements gathering
Accounts for the regulations and standards that must be complied with, and for organizational policies and preferences. This is the point at which security requirements should be captured: the CIA triad (confidentiality, integrity, availability), auditing and logging requirements, nonrepudiation, and the like.
System Design
This is the stage at which threat modeling should be employed, to catch design flaws before they are built and to anticipate the implementation-level vulnerabilities the design exposes. The process consists of the following:
Functional Decomposition: uses data flow diagrams (DFDs) to map the attack surface (the points an attacker can reach) and to show what data crosses trust boundaries between components, where and when in the flow
Categorizing Threats
Ranking Threats
Mitigation Planning
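The four threat-modeling steps above, worked through in code. This is an added example, not material from the flashcards: it assumes STRIDE as the categorization scheme, likelihood x impact (each 1 to 3) as the ranking, and the per-element, likelihood and mitigation tables are illustrative choices. The sample DFD (a browser, a web app, a user database and a session cache) is constructed.

```python
"""Minimal threat-modeling pass over a data-flow diagram (DFD).

Added example, not part of the flashcards.  Assumptions: STRIDE is the
threat-category scheme, likelihood x impact (each 1..3) is the ranking,
and the element/flow/mitigation tables below are illustrative.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "store"
    zone: str   # trust zone; a flow between zones crosses a trust boundary


@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str
    sensitivity: int        # impact if compromised, 1 (low) .. 3 (high)
    encrypted: bool = False


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    likelihood: int
    impact: int

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Assumed STRIDE-per-element mapping: which categories apply to which DFD element.
STRIDE_BY_KIND: Dict[str, List[str]] = {
    "flow":     ["Tampering", "Information disclosure", "Denial of service"],
    "external": ["Spoofing", "Repudiation"],
    "process":  ["Spoofing", "Tampering", "Repudiation", "Information disclosure",
                 "Denial of service", "Elevation of privilege"],
    "store":    ["Tampering", "Repudiation", "Information disclosure", "Denial of service"],
}

# Assumed mitigation catalogue, one entry per STRIDE category.
MITIGATIONS: Dict[str, str] = {
    "Spoofing": "authenticate the caller (mutual TLS, signed tokens)",
    "Tampering": "integrity protection (TLS, MACs) and strict input validation",
    "Repudiation": "tamper-evident audit logging",
    "Information disclosure": "encrypt in transit and at rest; minimise data exposed",
    "Denial of service": "rate limits, quotas and timeouts",
    "Elevation of privilege": "least privilege and authorization checks at every entry point",
}


def attack_surface(flows: List[Flow]) -> List[Flow]:
    """Step 1, functional decomposition: flows that cross a trust boundary."""
    return [f for f in flows if f.src.zone != f.dst.zone]


def _likelihood(flow: Flow, category: str) -> int:
    # Assumed heuristic: traffic from the internet is most exposed; encryption
    # lowers the odds of tampering/disclosure on the wire.
    base = 3 if flow.src.zone == "internet" else 2
    if flow.encrypted and category in ("Tampering", "Information disclosure"):
        base -= 1
    return base


def categorize(flows: List[Flow]) -> List[Threat]:
    """Step 2: apply STRIDE to each boundary-crossing flow and to the component it exposes."""
    threats: List[Threat] = []
    for f in attack_surface(flows):
        target = f"{f.src.name} -> {f.dst.name}"
        for cat in STRIDE_BY_KIND["flow"]:
            threats.append(Threat(target, cat, _likelihood(f, cat), f.sensitivity))
        # Categories that apply to the receiving element but not to the flow itself.
        for cat in STRIDE_BY_KIND[f.dst.kind]:
            if cat not in STRIDE_BY_KIND["flow"]:
                threats.append(Threat(f.dst.name, cat, _likelihood(f, cat), f.sensitivity))
    return threats


def rank(threats: List[Threat]) -> List[Threat]:
    """Step 3: highest likelihood x impact first (ties broken by name for stable output)."""
    return sorted(threats, key=lambda t: (-t.score, t.target, t.category))


def mitigation_plan(threats: List[Threat], threshold: int) -> List[str]:
    """Step 4: one planned mitigation per threat at or above the score threshold."""
    return [f"[{t.score}] {t.target}: {t.category} -> {MITIGATIONS[t.category]}"
            for t in rank(threats) if t.score >= threshold]


# Constructed sample DFD: a browser logging in to a web app backed by a database.
BROWSER = Element("Browser", "external", "internet")
WEBAPP = Element("Web app", "process", "dmz")
DB = Element("User DB", "store", "internal")
CACHE = Element("Session cache", "store", "dmz")
FLOWS = [
    Flow(BROWSER, WEBAPP, "login credentials", sensitivity=3, encrypted=True),
    Flow(WEBAPP, DB, "user records", sensitivity=3, encrypted=False),
    Flow(WEBAPP, CACHE, "session ids", sensitivity=2),   # same zone: no boundary crossed
]

if __name__ == "__main__":
    for line in mitigation_plan(categorize(FLOWS), threshold=6):
        print(line)
```

Only two of the three flows cross a trust boundary, so only those (and the components they expose) generate threats; the same-zone cache flow is not on the attack surface. The unencrypted web-app-to-database hop scores the same for tampering and disclosure as the encrypted login flow scores for denial of service, which is the kind of comparison the ranking step exists to make visible.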
Development (Coding)
Security steps built in to this phase include:
Static analysis: using automated tools to look for issues in source code without executing it
Peer review: developers putting additional sets of human eyes on code as it is being written
Unit testing
Testing
Requires using all of the security cases, use cases, etc., to build realistic testing scenarios that flush out issues. This can involve penetration testers and dynamic analysis (automated testing of the running application for exploitable flaws).
Often results in a test-fail-fix-test loop
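How security cases become tests, and how the test-fail-fix-test loop looks in practice. This is an added example, not code from the flashcards, and it also serves the unit-testing item under Development: the upload-path handling, the base directory and the abuse cases are all constructed for illustration. The naive version is the "fail" step; the hardened version is the "fix".

```python
"""Security test cases driving a test-fail-fix-test loop.

Added example, not part of the flashcards.  The upload path handling, the
abuse cases and the base directory are constructed for illustration.
"""
import posixpath
from typing import Callable, List, Tuple

BASE = "/srv/app/uploads"


def naive_join(base: str, user_path: str) -> str:
    """'Before' version that trusts the caller: fails several of the cases below."""
    return posixpath.join(base, user_path)


def safe_join(base: str, user_path: str) -> str:
    """'After' version: reject NUL bytes and absolute paths, normalise, and
    require the result to stay inside base.  Run this after any URL decoding."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if user_path.startswith("/"):
        raise ValueError("absolute path not allowed")
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    if candidate != base and not candidate.startswith(base + "/"):
        raise ValueError("path escapes base directory")
    return candidate


# Constructed security cases: (input, expected outcome).  "allow" cases come from
# the use cases; "reject" cases are the abuse cases a tester would try.
CASES: List[Tuple[str, str]] = [
    ("report.pdf", "allow"),
    ("../../etc/passwd", "reject"),        # classic traversal
    ("2024/q1/report.pdf", "allow"),
    ("/etc/passwd", "reject"),             # absolute path replaces the base in join()
    ("subdir/../report.pdf", "allow"),     # traversal that stays inside base
    ("..", "reject"),                      # the parent of base
    ("report.pdf\x00.jpg", "reject"),      # NUL byte truncates the name in C-based APIs
]


def _outcome(join_fn: Callable[[str, str], str], user_path: str) -> str:
    """Classify what join_fn did with user_path: reject, allow, or escape the base."""
    try:
        result = join_fn(BASE, user_path)
    except ValueError:
        return "reject"
    normalised = posixpath.normpath(result)
    inside = normalised == BASE or normalised.startswith(BASE + "/")
    return "allow" if inside else "escape"


def run_security_cases(join_fn: Callable[[str, str], str]) -> List[str]:
    """Return the inputs for which join_fn did not produce the expected outcome."""
    return [inp for inp, expected in CASES if _outcome(join_fn, inp) != expected]


if __name__ == "__main__":
    print("naive_join failures:", run_security_cases(naive_join))
    print("safe_join failures: ", run_security_cases(safe_join))
```

The case list is the artifact that persists across the loop: when the fix lands, the same cases run again, and any new abuse case found by a pen tester or dynamic analysis is appended rather than tested once by hand.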
Deployment
Final security reviews, and finalizing the plans for dealing with the inevitable bugs and security updates once the software is in production
OpenSAMM
Software Assurance Maturity Model: a framework to help ensure security processes become part of the SDLC. It scales down to individual projects or up to entire organizations