Integrating Security Into SDLC

Questions and Answers

What is primarily enhanced in the secure development life cycle (SDLC)?

• User interface design
• Cost management practices
• Quality assurance checkpoints
• Security measures and processes (correct)

Which of the following best differentiates software security from system security?

• Software security is reactive, whereas system security is proactive.
• Software security focuses on code quality, while system security emphasizes broader network safeguards. (correct)
• System security addresses software defects, while software security does not.
• System security is focused on source code defects, while software security is about safeguards.

Which of the following is NOT considered a typical element of system security?

• Source code audits (correct)
• Firewalls and intrusion detection systems
• Network-level encryption
• User authentication

What is the primary goal of adapting existing SDLC activities in secure software development?

To increase the robustness and reliability of software (C)

What do methodologies in the SDLC primarily refer to?

Step-by-step approaches for product development (B)

Which of the following practices is categorized under system security?

Network traffic monitoring (C)

Which of the following tools is NOT typically associated with system security?

Version control systems (D)

What is a key aspect of 'security enhancement' in the SDLC?

Integrating security practices into all phases (D)

What is the main purpose of the Planning phase in the SDLC?

To identify and prioritize the total information system needs of an organization. (A)

Which phase of the SDLC involves coding, testing, and supporting the information system?

Implementation (C)

What characteristic is associated with the Traditional Waterfall SDLC methodology?

Limited backtracking and looping during phases. (D)

During which phase are system requirements studied and structured?

Analysis (D)

What is likely the outcome of the Analysis phase?

A description of alternative solutions for the system. (B)

What is a significant drawback of the Traditional Waterfall SDLC?

Systems requirements being locked in after determination. (A)

During which phase are logical and physical specifications of the system created?

Design (B)

What happens during the Maintenance phase of the SDLC?

The system is systematically repaired and improved. (D)

What is a key feature of Prototyping in software development?

It allows for iterative feedback through early models. (C)

Which approach focuses on using automated tools to oversee software processes?

Computer-Aided Software Engineering (CASE) Tools (B)

In which phase does an architect add security criteria during reviews?

Architecture & Design (D)

What is the purpose of Misuse Case development?

To identify potential security threats. (C)

Which component is primarily responsible for unit testing in the secure development life cycle?

Programmer (B)

Which of the following is NOT an activity typically included in the Implementation phase?

Automated vulnerability scans (B)

Which practice enhances Configuration Management for secure software?

Use of Secure CM tools (D)

What type of testing is performed to assess the security of the integration build?

Security criteria build process testing (B)

What is the focus of Attack Modeling in the secure development life cycle?

Identifying potential vulnerabilities and threats (B)

Who is primarily responsible for conducting penetration tests?

Tester (C)

Which of the following is a goal of Rapid Application Development (RAD)?

To produce prototypes in a shared environment (D)

Which phase involves the definition of test cases specific to verifying software security?

Requirements (C)

Security considerations in which activity might influence component selection during integration?

Architecture level trade-off analyses (C)

What purpose does the selection of secure coding standards serve in software development?

To ensure security best practices are followed (C)

Flashcards

SDLC

System Development Life Cycle; a structured approach for developing information systems, including a sequence of steps and processes.

Software Security

Focuses on preventing vulnerabilities in source code and executables.

System Security

Focuses on safeguards and countermeasures outside the software itself (e.g., firewalls).

SDLC Activities/Practices

Activities and procedures for building secure and reliable software systems.

SDLC Methodologies

Step-by-step approaches for developing information systems.

SDLC Techniques

Processes that analysts use to ensure detailed, complete, and understandable work.

SDLC

System Development Life Cycle; a standard process for building information systems.

Planning (SDLC)

Identifying, analyzing, prioritizing, and arranging needed information systems.

Analysis (SDLC)

Studying system requirements and structuring them for development.

Design (SDLC)

Converting system solutions into detailed specifications.

Implementation (SDLC)

Coding, testing, installing, and supporting the information system.

Maintenance (SDLC)

Improving and repairing the information system after implementation.

Waterfall SDLC

A sequential SDLC where one phase must complete before the next.

CASE Tools

Software tools that make it easier to use specific techniques.

System Development Methodology

Specified process for information system creation and management.

Prototyping

A development method where a functional model of the software is created first, then revisions are made.

CASE tools

Computer-aided software engineering tools that automate various software development tasks.

JAD

Joint Application Design; a collaborative approach where stakeholders work together to design the software.

RAD

Rapid Application Development; focuses on rapid software development through iterative cycles.

Agile Methodologies

Development approaches that emphasize flexibility, iterative development, and frequent feedback.

eXtreme Programming

A type of agile method emphasizing frequent releases and close teamwork.

Secure Development Life Cycle

A structured approach for building secure software throughout the development process.

Requirements phase

Defining the features and functions needed in the software.

Architectural Design

The design of the overall structure and components of the software system, including security considerations.

Implementation phase

Writing the code and building the software.

Testing phase

Verifying that the software functions correctly and meets security requirements.

Deployment phase

Deploying and installing the software.

Study Notes

Integrating Security Into SDLC

• Secure development enhances the software development life cycle (SDLC) by adapting existing SDLC activities, practices, and checkpoints.
• This results in more dependable, trustworthy, and resilient software systems.
• Software security relies on the absence of exploitable defects in source code and the binary executable.
• System security emphasizes safeguards and countermeasures like cryptography, access controls, and security boundaries.

SDLC Outline

• Introduction to SDLC
• System development life cycle (SDLC) explanation
• Secure development life cycle activities and practices

Introduction to Secure Software Development

• Focus on security enhancements within the SDLC.

Introduction

• Security enhancement within the SDLC involves adapting existing SDLC activities, practices, and checkpoints.
• The result is more dependable, trustworthy, and resilient software-based systems.

Software Security vs. System Security

• Software security relies on the absence of exploitable defects in source code and executables.
• System security relies on safeguards like cryptography, access controls, and security boundaries.

System Development Life Cycle (SDLC)

• A traditional methodology for systems development, maintenance, and replacement.

SDLC Methodologies, Techniques, Tools

• Methodologies are step-by-step approaches for developing information systems.
• Techniques are processes analysts follow to ensure well-thought-out complete and comprehensible work.
• Tools are computer programs to aid in using specific techniques (e.g., CASE tools).
• System development methodology is a standard process for organizations in analyzing, designing, implementing and maintaining information systems.

SDLC Phases

• Planning: Determining, analyzing, prioritizing and arranging total information system needs to translate into a plan for the IS department schedule.
• Analysis: Studying and structuring system requirements in two sub-phases - requirements determination and requirements studying and structuring.
• Design: Describing the recommended solution (logical and physical system specifications).
• Implementation: Coding, testing, installing, and supporting information systems within the organization.
• Maintenance: Systematically repairing and improving the system.

Products, Outputs, or Deliverables (by Phase)

• Planning - Priorities, architecture, detailed steps or work plans for projects, specifications, and assignment of resources.
• Analysis - System justification, business case, description of current systems, and recommendations for fixing systems.
• Design - Explanation of alternative systems, functional and technical specifications, plan for new technology.
• Implementation - Code, documentation, training procedures, and support capabilities.
• Maintenance - New versions or releases of software with updates
• Detailed specifications
• System elements

Traditional Waterfall SDLC

• One phase starts when the preceding phase is completed, with limited backtracking and looping.
• System requirements are "locked-in" after determination and can't change.
• User involvement is limited primarily during the requirements phase.
• Emphasis on milestone deadlines is sometimes detrimental to practices.

Different Approaches to Improving Development

• Prototyping, Computer-Aided Software Engineering (CASE) Tools, Joint Application Design (JAD), Rapid Application Development (RAD), Agile Methodologies, Extreme Programming

Secure Development Life Cycle Activities and Practices

• The table in the document lists phases, roles, activities, and additional/enhanced secure software activities.