Software Development Security Flashcards
System Development Life Cycle
5 steps
Initiate
Acquire / Develop
Implement
Operate / Maintain
Dispose / Decommission
Software Testing and Validation
Verification Testing
Validation Testing
Verification Testing - Determines whether original design specifications have been met
Validation Testing - a higher-level view - determines whether the original purpose of the software has been achieved
Software Testing and Validation
Integration Testing
Acceptance Testing
Regression Testing
Integration Testing
Assesses the way modules work together; determines whether functional and security specifications have been met
Acceptance Testing
Ensures the customer is satisfied with the functionality of the software
Regression Testing
Occurs after changes are made to the code, to ensure they haven't reduced functionality or security
Software Development Security Best Practices
4 Organizations
WASC
Web Application Security Consortium
OWASP
Open Web Application Security Project
BSI (a DHS initiative)
Build Security In initiative
IEC
International Electrotechnical Commission
WASC
provides best practices for web-based applications
OWASP
monitors attacks, specifically web attacks
BSI
promotes a process-agnostic approach to making security recommendations for architectures, methods, code reviews and management processes
IEC
created the 27034 standard, part of the ISO/IEC 27000 series, which provides guidance for integrating security into the development and maintenance of software applications
Software Development Methods
Build and Fix Approach
Build and Fix
used in the past but has been discredited; now cited as a model to avoid
build a version, then keep modifying it until the user is satisfied
Software Development Methods
Waterfall Model
Waterfall model
Break process into individual steps and completely fulfill one before moving to the next.
Idea - Analysis - Design - Development - Test - Release
not many iterations between the steps
Doesn't allow for change until the project is complete. OK for small projects where the requirements are completely understood, but dangerous for large projects.
Software Development Methods
V-Shaped Model
(see Section 7, Lecture 70 for the diagram)
V-Shaped Model
As you go through the steps of defining requirements, you validate them.
Each of these steps is verified:
System Requirements - Diagram - Software Requirements - Software Architecture - Software Detail Design - Software Code.
Rigid, like the waterfall model; doesn't allow for much flexibility, so adapting to change is difficult.
Software Development Methods
Prototyping
Rapid
Evolutionary
Operational
Use sample code to explore a specific approach to solving a problem before extensive time and cost have been invested
Rapid - discarded after use
Evolutionary - created and improved upon in a lab
Operational - developed and improved in production
Software Development Methods
Incremental Model
Requirements - Design - Implement, then repeat, constantly returning to requirements and design
similar to a multi-waterfall.
Each incremental phase results in an operational deliverable
the customer can respond to each build and help the development team improve
Good for getting the customer basic functionality quickly
Software Development Methods
Spiral Model
Start at the center and spiral out in a circle
Determine Objectives
Identify and Resolve Risks
Develop and Test
Plan Next Iteration
Each prototype allows new requirements to be addressed. Risk analysis ensures all issues are reviewed and analyzed so things don’t slip through the cracks
Software Development Methods
RAD (Rapid Application Development)
Agile
RAD
Combines prototyping and iterative procedures to accelerate the development process
less time is spent upfront; the emphasis is on rapidly producing prototypes so that crucial knowledge can be gained through trial and error
It was created because by the time software was fully developed with other models, the requirements had changed and developers had to start over.
Build -> Demonstrate -> Refine -> repeat
Software Development Methods
Cleanroom Model
JAD (Joint Analysis Development)
aka (Joint Application Development)
Cleanroom
strict, formal steps and a structured method; attempts to prevent errors through extensive testing
JAD
uses a team approach and workshops to agree on requirements and resolve differences
Software Development Methods
Traditional vs RAD model comparison
Traditional has discrete steps
RAD does quick analysis and design, then prototyping; continue that until you get a good implementation
Software Development Methods
Agile vs Waterfall methods
Waterfall goes through each step before moving to the next, with no returning to previous steps
Agile can jump back to earlier steps
Software Development Methods
Capability Maturity Model Integration
Level 1 - initial - reacting
Level 2 - managed - processes started but still reacting
Level 3 - defined - projects tailored from standard processes
Level 4 - quantitatively managed - measured processes
Level 5 - optimizing - process improvement
Programming Languages
Machine
Assembly
High-Level
Very-High-Level
Natural
Machine - delivers instructions directly to the processor
Assembly - uses symbols or mnemonics to represent sections of binary code
High-Level - uses abstract statements (if-then-else) and is processor independent
Very-High-Level - uses abstract algorithms that hide some complexity from the programmer
Natural - used to create software that can solve problems on its own, instead of needing a programmer
Object Oriented Programming
Modularity
Definition
Reusability
Maps
modularity in design through autonomous objects
definition of internal components without impacting other parts of the system
reusability of components
readily maps to business needs