Chapter 4 - Software Development Security Flashcards
SDLC Basic Phases
Project Initiation and Planning; Functional Requirements Definition; System Design Specification; Development and Implementation; Documentation and common program controls; Testing and evaluation control (C&A); Transition to production (implementation)
SLC
Extends above SDLC - Operations and maintenance support; revisions and system replacement; project initiation and planning
Project Initiation
Security activities should be done in parallel
Functional Requirements
Security requirements should be formalized
System Design Specifications
security features designed, generally based on the overall security architecture for the company
Development and Implementation
code should be analyzed to eliminate common vulnerabilities that might lead to security exploits and other risks
Documentation and Common Program Controls
types of logging the program should be doing
Acceptance
tested to ensure it meets all the functional and security requirements. Testing is to ensure that the application meets its security requirements and specifications and uncover all design flaws that would violate security policy. Run independently in a production simulation environment. First Phase of C&A
Testing and Evaluation Controls
bounds checking and data validation - test data should not be production data. Test all changes.
C&A
Certification and Accreditation - Certification is the process of evaluating the security stance of the software against a set of security standards or policies. Verify conversion. Accreditation - Acceptable level of risk is determined. Provisional accreditation is for a specific period and outlines specific changes. Full means no changes required.
Transition to Production (implementation)
obtain security accreditation, train users, implement, parallel operations if necessary.
Revisions and System Replacement
Changes must follow the SDLC and be recorded in the change management system. Reviews should include security planning and procedures - application audits should be conducted periodically, including documenting security incidents and system failures.
CMM
Capability Maturity Model for Software - focuses on quality management process and has 5 maturity levels. ISO 9000 includes software development quality standards
Waterfall life-cycle method
oldest method - list of activities that must be completed before the next phase begins
Structured Programming Development
promotes discipline, allows introspection, and provides controlled flexibility - requires defined processes and modular development - each phase is subject to reviews and appraisals
Spiral Method
nested version of the Waterfall method - Plan-Do-Check-Act sub-phases
Clean room
method of controlling defects - focuses on defect prevention. More time spent in early phases.
Iterative development
successive refinements of requirements, design, and coding
Prototyping
simplified version, released for review; user feedback used to build a better second version
Modified Prototype model
ideal for Web app development - deployed in quick time frame
Rapid application development
strict time limits on each phase - rapid prototyping
Joint Analysis Development
developers work directly with users to develop a working application
Exploratory Model
set of requirements built with what is currently available
CASE
computer-aided software engineering - use computers and utilities to help with systematic analysis, design, development, implementation and maintenance of software