Secure Software Life Cycle - L2 Flashcards

1
Q

What is a software development life cycle?

A

A standardised workflow for managing software development processes. This is not the same as the methodology being used; it is about the overall process and the stages that process has to go through to get from an idea to software running in the real world with real users.

Typically 6 to 8 stages, often split into sub-stages

Can help reduce cost and help identify bugs and errors for remediation earlier

2
Q

List the stages in a software development life cycle (7)

A

1) Planning
2) Analysis
3) Design
4) Implementation
5) Testing
6) Deployment
7) Maintenance

3
Q

List the stages in a Secure Software Development Life Cycle (8)

A

1) Planning
2) Analysis
3) Design
4) Implementation
5) Testing
6) Security
7) Deployment
8) Maintenance & Security
* SSDLC incorporates security in every stage

4
Q

Explain the Planning stage of the SSDLC

A

This is about deciding the aims of the project and what needs it is trying to meet. It will also identify any stakeholders, investors and customers that are going to use the software.

Research to see if the idea is possible/feasible and whether there is already software that does the same thing

Market research to see how much it could be sold for

Risk assessments introduced to look at data protection requirements and potential security issues in the project idea (legal, ethical, meet standards)

Cost-Benefit Analysis to see whether the project should proceed, which risks we are prepared to accept after the risk assessment, and whether the potential benefits of the software outweigh the potential risks and costs

5
Q

Explain the Analysis stage in the SSDLC

A

Define requirements and see what this version of the software will do once it is completed

Identify required resources

Identify which team members we need to put into our technical and development team, including managers

Nominate Project Security and Data Protection Officer (senior manager)

Estimate timescales for how long this development might take

Identify any key challenges that appear so far before progressing any further

Document any potential security/privacy issues as a list, which should be given to the design and development team so they can address the issues

6
Q

Explain the Design stage in the SSDLC

A

Architecture and Architecture Security - Puts security design in place, what access controls to have, how it will meet security challenges

User Interface and Security - Identify any XSS vulnerabilities, measures to protect against hate speech or grooming

Platform Selection and Security/Privacy - How does selected platform affect security (also ported between 2 or built as 2 separate apps)

Programming Languages and Security (Known vulnerabilities) - Check what functionality is needed such as sending data from one side to the other, fast across connections

Communications and Security (i.e. privacy of shared IP) - Look at API communication considerations and also how the team is going to communicate with each other, and look for potential security issues

7
Q

Explain the Implementation stage in the SSDLC

A

Secure Libraries and Services (are they secure and have previously created libraries been tested)

Brief all developers on security requirements

Write the Code

Unit test security features - If we implement an authorisation process, we will stop and unit test it

Regular code reviews - schedule time for reviews to happen between the team

Write the documentation for the code - technical and user and API guidelines

8
Q

Explain the Testing stage in the SSDLC

A

Functional and Security Testing - functions work? data leakage?

UI Assessment and Security Testing (validation, XSS) - Test plans for dealing with malicious users, XSS, non-repudiation

Communications and Security Testing - Test communications and check for man-in-the-middle monitoring

Performance/Stress and Security Testing - Check whether the system can be broken and made to run arbitrary code as a result of buffer overflows

Environment Specific and Security Testing - Any backdoors from APIs the customer uses

9
Q

Explain the Security stage in the SSDLC

A

Engage qualified testers - employ a dedicated security team, either externally or from within

Set testing scope and provide pseudo-live environment for testers (White box or black box)

Notify stakeholders as required

Conduct External Penetration Test and review code

Monitor testing - implement monitoring capabilities to see what tests are being done

Review results and implement required changes

10
Q

Explain the Deployment stage in the SSDLC

A

Deploy to production environment

Repeat testing

Migrate or release to user

Notify Stakeholders

Lessons learned sessions

11
Q

Explain the Maintenance & Security stage of the SSDLC

A

Performance monitoring

Support

Bug fixes (change control)

Security monitoring

Regular penetration tests - Internal or external, scheduled and unscheduled

Responsible disclosure - Process or policy for testers or public to disclose any security issues with the software
