Domain 8 Flashcards
Legal, Regulatory, and Market Pressures
- Cyber security research and survey reports are published annually
- 5 trillion losses in 2019
- healthcare, energy, and retail saw increases in the average cost of data breaches
The Bad News: The Majority of Deployed Systems Are Anything But Safe and Secure
- Accepted practice to have junior or less experienced programmers handle small tasks
- most experienced programmers have no formal education
- industry believes that teaching software security now is a waste of effort
Software Development Methodologies
- Software development methodology is the collection of managed activities that can be used to translate end users' needs for functions and capabilities into a software system that meets those needs
- Must balance satisfying needs against time
- all systems have life cycles
- security should be a vital focus
- should choose methodologies carefully
- Entire development process needs security
Classical Software Development Life Cycle (SDLC)
- Developed in the 1950s
- Many development life cycles but most commonly referring to the classic waterfall method
- framework for the phases of a software development project
- does have many variations
- Clear decisions and processes bound the transition of project activities from one phase to the next
- Generally accepted phases
o project initiation and planning
o functional requirements definitions
o system design specifications
o development and implementation
o documentation and common program controls
o testing and evaluation control
o transition to production
Project Initiation and Planning
- Usually starts with the idea
- justification for the project
- typically contained in a document that outlines the project's objectives, scope, strategies, and other important factors
- Approval is based on the project plan document, and all undertakings should be cost justified
- must include security
- security requirements begin here
- Establish user requirements
- determine security requirements
- identify alternatives
- conduct risk analysis
- Select approach
- define security strategy
Functional Requirements Definition
- Analysis of current and possible functional requirements
- functional and non-functional requirements should be identified during this phase
- make revisions as needed
- formalized security requirements
- Key security functions
- identify security areas
- establish security requirements
- security test
- include security requirements
- include functional security requirements
Development and implementation
- Source code is developed
- includes new code from scratch and inclusion of code modules or snippets from other projects
- test scenarios and test cases are developed
- phase where common coding mistakes can be made
- risk can be made manageable by carefully selecting, validating, and adhering to strict rules for code reuse
- Analyze to eliminate common vulnerabilities
- can be done in many ways, but code review needs to be done properly
Integrated product team (IPT)
- team of stakeholders and individuals who possess various skills
- goal is to work together to define the process
- Members also have to provide enough representation from all stakeholders
integrated product and process development (IPPD)
- Recognizes that the right choices for development, manufacturing, and tests cannot be made while the project is still being thought through
- can be used as a management technique; its advantage is the ability to facilitate meeting cost and performance objectives
- goal is to facilitate multi skilled team members working together through the concept of IPT
- Can involve members from the enterprise and contractors or consultants
Structured programming development
- Programmers use it
- uses extensive subroutines and block structures so they can be reused
- promotes discipline, allows introspection, and provides controlled flexibility
- structured approach for security to be added
- put into practice in the 1970s right before the adoption of object oriented programming
- principles are still found but rarely used in its original form
Iterative development
- Was made in response to the shortcomings of the waterfall method
- waterfall method was highly structured in ways that restricted or prohibited changes in requirements, designs, and software once each phase had been completed
- examples are the DoD Worldwide Military Command and Control System and the Federal Aviation Administration
- iterative models make it difficult to ensure security provisions are still valid in the changing environment
rapid application development
- a refined form of prototyping
- requires strict time limits on each phase
- goal is to produce quality code quickly
- runs the risk of fast development which can lead to poor design
joint analysis development
- invented to enhance the development of large mainframe systems
- useful in today's environment
- success of this methodology is based on players communicating at all phases of the project
- works best when people work the job together with the people who have the best understanding of the tech
- e.g., building a network architecture together instead of one person trying to do everything
exploratory model
- Set of requirements built with what is currently available
- requires assumptions to be made as to how the system might work
- because of the lack of structure, security needs to take priority
- security professionals need to ensure their requirements are addressed appropriately
Reuse model
- Built from already existing and tested components
- best suited for projects using object oriented development
- components chosen based off of known effectiveness of security characteristics
- most widely used approach to developing software
o often the most poorly managed
spiral method
- nested version of the original waterfall method
- distinguishing feature is that each phase has four added sub-stages
o Known as the Deming Cycle: Plan, Do, Check, Act
- costs and schedule are revised each time the risk assessment is performed
- improvement on the waterfall method because concerns can be addressed at each phase
prototyping
- Objective to build a simplified version release it and then use feedback from stakeholders to review
- repeated until everyone is satisfied
- broken down into step by step processes
modified prototype model
- Ideal for web application development
- allows for basic functionality to be formally deployed in a quick time frame
- Begins maintenance phase after deployment
- goal is a process flexible enough so the app is not based on the state of the organization at any given time
clean room
- focused on controlling and at best avoiding defects
- emphasis on writing the code correctly the first time
- quality is achieved through proper design rather than testing and remediation later
extreme programming
- Has several values and characteristics of software development
- simplicity, communication, and feedback are the values
- structured approach
- relies on smaller subprojects with limited and defined scope as well as developers working in pairs
- owners should be involved in defining the needs in the first place
- relies on simplicity
standard libraries other libraries and software reuse
- Software library is a repository of pre-written code, classes, procedures, scripts, and other program elements
- allows developers to create functionality without having to rewrite the necessary code
- can be developed by anyone in the IT supply chain
- Loosely defined hierarchy of libraries
- OS and hardware libraries: provided by the respective vendors; should be supported with digitally signed updates
- programming language libraries: supplied by the vendor of the integrated development environment or language tools being used
- development frameworks
- in-house project-specific, customer-specific, or product-specific libraries
- third-party open source libraries published by reputable sources
- third-party open source libraries of unproven pedigree or nature
- textbook, journal, or magazine publishers, blogs, or user community discussion boards can be suitable sources for use once the code has been thoroughly inspected for potential back doors, Trojans, and logic bombs
common programming language libraries
- C, C#, and C++ standard libraries, each for its specific language
- Framework class library (FCL) which applies to the .net framework
- Java Class Library (JCL) which applies to Java programming languages
- Ruby standard library, which applies to the Ruby programming language
- increased dependability
- reduce process risk
- effective use of specialists
- standards compliance
- accelerated development
programming tool and tool sets
- Tools and tool sets provide a wide variety of capabilities
- binary compatibility analysis tools
- bug databases
- build tools
- code coverage
- compilation and linking tools
- debuggers
- documentation generators library interface generators and other integration tools
integrated development environments
- combine the features of many of the capabilities into one environment for use
- designed to maximize productivity by providing reusable components
- single architecture where all development can be done
- typically consists of a source code editor build automation tools and debuggers
Control and separation of environments
- three important environments
- development environment
- quality assurance environment
- production environment
- Many control measures exist, but the traditional one is to physically isolate the environments
- Nothing more or less than applying the concept of least privilege to achieving the security of the software development process