Secure Software Life Cycle - L2 Flashcards
What is a software development life cycle?
A standardised workflow to manage software development processes. This is not the same as the development methodology being used: it is about the overall process and the stages the whole project needs to go through to get from an idea to software running in the real world with real users.
Typically 6 to 8 stages, often split into sub-stages.
Can help reduce cost and identify bugs and errors earlier, when remediation is cheaper.
List the stages in a software development life cycle (7)
1) Planning
2) Analysis
3) Design
4) Implementation
5) Testing
6) Deployment
7) Maintenance
List the stages in a Secure Software Development Life Cycle (8)
1) Planning
2) Analysis
3) Design
4) Implementation
5) Testing
6) Security
7) Deployment
8) Maintenance & Security
* SSDLC incorporates security in every stage
Explain the Planning stage of the SSDLC
This is about deciding the aims of the project and what needs it is trying to meet. It will also identify any stakeholders, investors and customers who are going to use the software.
Research to see if the idea is possible/feasible and whether there is already software that does the same thing
Market research to see how much it could be sold for
Risk assessment introduced to look at data protection requirements and potential security issues in the project idea (legal, ethical, meeting standards)
Cost-Benefit Analysis to decide whether the project should proceed, which risks we are prepared to accept after the risk assessment, and whether the potential benefits of the software outweigh the potential risks and costs
Explain the Analysis stage in the SSDLC
Define requirements and see what this version of the software will do once it is completed
Identify required resources
Identify which team members we need to put into our technical and development team, including managers
Nominate Project Security and Data Protection Officer (senior manager)
Estimate timescales for how long this development might take
Identify any key challenges that appear so far before progressing any further
Document any potential security/privacy issues as a list, which should be given to the design and development teams so they can address the issues
Explain the Design stage in SSDLC
Architecture and Architecture Security - Puts the security design in place: what access controls to have, how it will meet security challenges
User Interface and Security - Identify any XSS vulnerabilities, measures to protect against hate speech or grooming
Platform Selection and Security/Privacy - How does the selected platform affect security (also whether it is ported between two platforms or built as two separate apps)
Programming Languages and Security (known vulnerabilities) - Check what functionality is needed, such as sending data quickly from one side to the other across connections
Communications and Security (e.g. privacy of shared IP) - Look at API communication considerations and also how the team is going to communicate with each other, and look for potential security issues
Explain the Implementation stage in the SSDLC
Secure Libraries and Services - are they secure, and have previously created libraries been tested?
Brief all developers on security requirements
Write the Code
Unit test security features - If we implement an authorisation process we will stop and unit test it
Regular code reviews - schedule time for reviews to happen between the team
Write the documentation for the code - technical and user and API guidelines
Explain the Testing stage in the SSDLC
Functional and Security Testing - functions work? data leakage?
UI Assessment and Security Testing (validation, XSS) - Test plans for dealing with malicious users, XSS, non-repudiation
Communications and Security Testing - Test communications and check for man-in-the-middle monitoring
Performance/Stress and Security Testing - Check whether the system can be broken and made to run arbitrary code as a result of buffer overflows
Environment Specific and Security Testing - Any backdoors from APIs the customer uses
Explain the Security stage in the SSDLC
Engage qualified testers - employ dedicated security team externally or within
Set testing scope and provide pseudo-live environment for testers (White box or black box)
Notify stakeholders as required
Conduct External Penetration Test and review code
Monitor testing - implement monitoring capabilities to see what tests are being done
Review results and implement required changes
Explain the Deployment stage in the SSDLC
Deploy to production environment
Repeat testing
Migrate or release to user
Notify Stakeholders
Lessons learned sessions
Explain the Maintenance & Security stage of the SSDLC
Performance monitoring
Support
Bug fixes (change control)
Security monitoring
Regular penetration tests - Internal or external, scheduled and unscheduled
Responsible disclosure - Process or policy for testers or public to disclose any security issues with the software