Applications & Systems Development
A very brief overview of the SDLC and the security issues involved.

Generic Systems Engineering Process
• Discover Needs
• Define System Requirements
• Design System Architecture
• Develop Detailed Design
• Implement System
• Assess Effectiveness of System

A simplistic software development model
Stages: System Requirements, Software Requirements, Analysis, Program Design, Coding, Testing, Operations & Maintenance

The Waterfall development model
Stages: System Requirements, System Requirements, Analysis, Design, Coding, Testing, Operations & Maintenance
Going back only one stage limits rework and enhances control

A modified Waterfall development model that enforces comparison against specific baselines
Stages: System Requirements, Software Requirements, Product Design, Coding, Integration Product, Implementation, Operations & Maintenance
Baseline checks, in diagram order: Validation, Validation, Verification, Unit Testing, Verification, System Test, Revalidation
• Verification: doing the job right
• Validation: doing the right job

The Spiral Model

Cost Estimation Models :-)
• Basic COnstructive COst Model (COCOMO)
  – Cost as a function of lines of code
  – Man Months (MM) = 2.4 × (1000s of delivered source instructions)
  – Development Schedule = 2.5 × (MM)^0.38
• Function Point Measurement Model
  – I/O types, internal file types, interfaces, etc.
• Software Life Cycle Model (SLIM)
  – Manpower buildup index
  – Productivity factor

Security life cycle components
[Diagram: the modified Waterfall model (System Requirements, Software Requirements, Product Design, Coding, Integration Product, Implementation, Operations & Maintenance) with its Validation, Verification, Unit Testing, System Test and Revalidation checks]
Info sec policy, standards, legal issues, early validation of concepts

Security life cycle components
[Diagram: the modified Waterfall model, repeated]
Threats, vulnerabilities, sec requirements, reasonable care, due diligence, legal liabilities, cost/benefit, level of protection desired, test plans, validation

Security life cycle components
[Diagram: the modified Waterfall model, repeated]
Incorporating security specs, adjust system & security test plans & data, determine access controls, design docs, evaluate encryption options, verification, business continuity plans

Security life cycle components
[Diagram: the modified Waterfall model, repeated]
Develop security related code, unit testing, reuse other modules if possible, support business continuity plans, docs

Security life cycle components
[Diagram: the modified Waterfall model, repeated]
Integrate security components, test integrated modules per plans, refine docs, conduct security related product verification

Security life cycle components
[Diagram: the modified Waterfall model, repeated]
Install security software, run system, conduct acceptance testing, test security software, certify docs & accreditation (if necessary)

Security life cycle components
[Diagram: the modified Waterfall model, repeated]
Revalidate security controls, penetration testing, vulnerability analyses, manage change requests, implement change control, make changes, evaluate performance, update docs, recertify

Testing
• Unit testing
• Done by separate personnel
• Check all I/O, modules, files, security, etc

Extreme Programming (XP) Principles
• Feedback: most useful if it is done rapidly.
• Assuming simplicity: treating every problem as if it can be solved "extremely simply".
• Incremental changes: small releases
• Embracing change: not working against changes but embracing them.

Manifesto for Agile Software Development
• We are uncovering better ways of developing software by doing it and helping others do it. Through this work we have come to value:
  – Individuals and interactions over processes and tools
  – Working software over comprehensive documentation
  – Customer collaboration over contract negotiation
  – Responding to change over following a plan
• That is, while there is value in the items on the right, we value the items on the left more.

Maintenance Phase
1. Request Control
• Establish request priorities
• Do cost estimates
• User Interface
• Determine tools to use, determine change effects on other code
2. Change Control
• Recreate & Analyze the problem
• Develop changes & tests
• Quality Control
• Document changes, & recertify
3. Release Control

Software Capability Maturity Model (CMM)
• Phase 1: Initiate
  – Format improvement initiative
  – Management approval
• Phase 2: Diagnose
  – Assess current systems
• Phase 3: Establish Action Plan
• Phase 4: Action
• Phase 5: Leverage
  – Review changes and process looking for improvements

Object Oriented Systems
• OO Requirements Analysis
• OO Analysis
• Domain Analysis
• OO Design
• OO Programming
• Object Request Brokers: CORBA, SOAP

Artificial Intelligence Systems
• Expert Systems (ES)
  – algorithm + data structures = Normal Program
  – Inference engine + knowledge base = ES
• Blackboards
• Bayesian Networks
• Fuzzy logic
• Neural Networks: weighted inputs to “neurons” yield outputs, “training period”
• Genetic Algorithms: evolutionary computing, fitness values, cross breeding, mutation

Database Systems
• Hierarchical
• Mesh
• Object Oriented
• Relational

DB Security Issues
• Views
• Granularity
• Aggregation:
  – combining higher sensitivity with lower
• Inference
  – Users “guessing” higher level values
• Multiple connections, backups, etc
• Data warehousing & Mining
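
The views and inference items above, as an added example that is not part of the original slides: a column-restricting view hides salaries, yet a statistics view with no minimum group size lets a user infer an individual's value, and a view that suppresses small groups closes that case. The table, view names, data and the `MIN_GROUP` threshold are all constructed assumptions.

```python
import sqlite3

MIN_GROUP = 3  # assumed policy: suppress aggregates over fewer than 3 rows

def build_db():
    """Constructed sample data; salary is the sensitive column."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE staff (name TEXT, dept TEXT, grade TEXT, salary INTEGER)")
    db.executemany("INSERT INTO staff VALUES (?,?,?,?)", [
        ("alice", "eng", "senior", 120), ("bob", "eng", "junior", 80),
        ("carol", "eng", "junior", 82), ("dave", "eng", "junior", 78),
        ("erin", "ops", "senior", 110), ("frank", "ops", "junior", 70),
        ("grace", "ops", "junior", 72), ("heidi", "ops", "junior", 74),
    ])
    # View 1: column-level restriction, salary is not exposed at all.
    db.execute("CREATE VIEW staff_public AS SELECT name, dept, grade FROM staff")
    # View 2: statistics only, but any group size is allowed.
    db.execute("""CREATE VIEW pay_stats_weak AS
                  SELECT dept, grade, COUNT(*) AS n, AVG(salary) AS avg_salary
                  FROM staff GROUP BY dept, grade""")
    # View 3: same statistics, groups smaller than MIN_GROUP are suppressed.
    # (SQLite views cannot take parameters, so the constant is formatted in.)
    db.execute(f"""CREATE VIEW pay_stats_safe AS
                   SELECT dept, grade, COUNT(*) AS n, AVG(salary) AS avg_salary
                   FROM staff GROUP BY dept, grade
                   HAVING COUNT(*) >= {MIN_GROUP}""")
    return db

def inferable_individuals(db, stats_view):
    """Audit check: {name: salary} inferable from staff_public + stats_view.

    A group of size 1 in the statistics view, joined with the public view,
    identifies one person, so the group 'average' is that person's salary.
    stats_view is a trusted, hard-coded view name, not user input.
    """
    rows = db.execute(f"""
        SELECT p.name, s.avg_salary
        FROM {stats_view} AS s
        JOIN staff_public AS p ON p.dept = s.dept AND p.grade = s.grade
        WHERE s.n = 1""").fetchall()
    return {name: int(avg) for name, avg in rows}

if __name__ == "__main__":
    db = build_db()
    print("weak view exposes:", inferable_individuals(db, "pay_stats_weak"))
    print("safe view exposes:", inferable_individuals(db, "pay_stats_safe"))
```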

Application Controls
• Service Level Agreements
  – Turn around time, avg response time, number of users, system utilization rates, up times, transaction volumes, problem resolution
• Control Types
  – Preventative
  – Detective
  – Corrective

Preventative Controls
• Accuracy
  – Data checks, forms, custom screens, validity checks, contingency planning, & backups
• Security
  – Firewalls, reference monitors, sensitivity labels, traffic padding, encryption, data classification, one-time passwords, separation of development & testing
• Consistency
  – Data dictionary, programming standards & database

Detective Controls
• Accuracy
  – Cyclic redundancy checks, structured walk-throughs, hash totals, reasonableness checks
• Security
  – Intrusion detection systems, audit trails
• Consistency
  – Comparison controls, relationship tests, reconciliation controls
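
The accuracy controls listed above (cyclic redundancy check, hash total, reasonableness check), as an added example that is not part of the original slides: a batch of transactions is sent with a trailer of control figures and the receiver recomputes them. The record layout, field names and the amount limit are constructed assumptions.

```python
import zlib

def serialize(records):
    """Canonical byte form of a batch, used as the CRC input."""
    return "\n".join(f"{r['account']},{r['amount_cents']}" for r in records).encode()

def batch_trailer(records):
    """Control figures computed by the sender when the batch is created."""
    return {
        "count": len(records),
        # Hash total: a sum with no business meaning (account numbers),
        # kept only so that a changed or dropped record shows up.
        "hash_total": sum(r["account"] for r in records),
        "amount_total": sum(r["amount_cents"] for r in records),
        # CRC32 catches accidental corruption; it is not a cryptographic
        # integrity check, which is why the slide files it under accuracy.
        "crc32": zlib.crc32(serialize(records)),
    }

def verify_batch(records, trailer, max_amount_cents=500_000):
    """Receiver side: return the names of the controls that failed."""
    findings = [name for name, value in batch_trailer(records).items()
                if value != trailer[name]]
    # Reasonableness check: independent of the trailer, flags values that
    # are well-formed but implausible (the limit is an assumed policy value).
    for i, r in enumerate(records):
        if not 0 < r["amount_cents"] <= max_amount_cents:
            findings.append(f"unreasonable_amount[{i}]")
    return findings

# Constructed sample batch.
BATCH = [
    {"account": 1001, "amount_cents": 2_500},
    {"account": 1002, "amount_cents": 19_999},
    {"account": 1003, "amount_cents": 40_000},
]

if __name__ == "__main__":
    trailer = batch_trailer(BATCH)
    print("intact batch:", verify_batch(BATCH, trailer))
    # Account number changed after the trailer was computed, amounts unchanged:
    altered = [dict(BATCH[0], account=1009)] + BATCH[1:]
    print("altered batch:", verify_batch(altered, trailer))
```

The altered batch passes the count and amount totals and is caught only by the hash total and the CRC, which is the reason for carrying a total over a field that has no business meaning.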

Corrective Controls
• Accuracy
  – Backups, control reports, before/after imaging, checkpoint restarts
• Security
  – Emergency response & reference monitor
• Consistency
  – Program comments & database controls

System Architecture Issues
• Distributed Systems
  – Agents, applets, “sandbox,” virtual machines
  – P2P
• Centralized
  – Easier to protect
• Real Time