CISSP All-in-One 9e Chapter 24: Software Development PDF

Summary

This document is a chapter from a CISSP study guide about software development. It covers the software development life cycle and various approaches. The summary also details different software development roles.

Full Transcript

Software Development
CHAPTER

24
This chapter presents the following:
Software development life cycle
Development methodologies
Operation and maintenance
Maturity models

Always code as if the guy who ends up maintaining your code will be a violent
psychopath who knows where you live.
—John F. Woods

Software is usually developed with a strong focus on functionality, not security. In many
cases, security controls are bolted on as an afterthought (if at all). To get the best of both
worlds, security and functionality have to be designed and integrated at each phase of the
software development life cycle. Security should be interwoven into the core of a software
product and provide protection at the necessary layers. This is a better approach than try-
ing to develop a front end or wrapper that may reduce the overall functionality and leave
security holes when the software has to be integrated into a production environment.
Before we get too deep into secure software development, however, we have to develop
a shared understanding of how code is developed in the first place. In this chapter we
will cover the complex world of software development so that we can understand the bad
things that can happen when security is not interwoven into products properly (discussed
in Chapter 25).

Software Development Life Cycle
The life cycle of software development deals with putting repeatable and predictable pro-
cesses in place that help ensure functionality, cost, quality, and delivery schedule require-
ments are met. So instead of winging it and just starting to develop code for a project,
how can we make sure we build the best software product possible?

1079
CISSP All-in-One Exam Guide
1080
Several software development life cycle (SDLC) models have been developed over the
years, which we will cover later in this section, but the crux of each model deals with the
following phases:

Requirements gathering Determining why to create this software, what the
software will do, and for whom the software will be created
Design Encapsulating into a functional design how the software will accomplish
the requirements
Development Programming software code to meet specifications laid out in
the design phase and integrating that code with existing systems and/or libraries
Testing Verifying and validating software to ensure that the software works as
planned and that goals are met
Operations and maintenance Deploying the software and then ensuring that
it is properly configured, patched, and monitored

EXAM TIP You don’t need to memorize the phases of the SDLC. We discuss
them here so you understand all the tasks that go into developing software
and how to integrate security throughout the whole cycle.

In the following sections we will cover the different phases that make up an SDLC
model and some specific items about each phase that are important to understand.

Software Development Roles
The specific roles within a software development team will vary based on the
methodology being used, the maturity of the organization, and the size of the proj-
ect (to name just a few parameters). Typically, however, a team has at least the
following roles:

Project manager (PM) This role has overall responsibility for the software
development project, particularly with regard to cost, schedule, performance,
and risk.
Team leads It is rare for software projects to be tackled by a single team,
so we usually divide them up and assign a good developer to lead each part.
Architect Sometimes called a tech lead, this role figures out what
technologies to use internally or when interfacing with external systems.
Software engineer The people who actually write the programming code
are oftentimes specialists in either frontends (e.g., user interfaces) or various
types of backends (e.g., business logic, databases). Engineers that can do all
of this are called full-stack developers.
Quality assurance (QA) Whether this is a single person or an entire team,
this role implements and runs testing processes that detect software defects
as early as possible.
 Chapter 24: Software Development
1081
Keep in mind that the discussion that follows covers phases that may happen repeatedly
and in limited scope depending on the development methodology being used. Before
we get into the phases of the SDLC, let’s take a brief look at the glue that holds them
together: project management.

Project Management
Many developers know that good project management keeps the project moving in the
right direction, allocates the necessary resources, provides the necessary leadership, and
hopes for the best but plans for the worst. Project management processes should be put
into place to make sure the software development project executes each life-cycle phase
properly. Project management is an important part of product development, and security
management is an important part of project management.
The project manager draws up a security plan at the beginning of a development
project and integrates it into the functional plan to ensure that security is not overlooked.
This plan will probably be broad and should refer to documented references for more
detailed information. The references could include computer standards (RFCs, IEEE
standards, and best practices), documents developed in previous projects, security
policies, accreditation statements, incident-handling plans, and national or international
guidelines. This helps ensure that the plan stays on target.
The security plan should have a life cycle of its own. It will need to be added to,
subtracted from, and explained in more detail as the project continues. Keeping the
security plan up to date for future reference is important, because losing track of actions,
activities, and decisions is very easy once a large and complex project gets underway.
The security plan and project management activities could be scrutinized later,
particularly if a vulnerability causes losses to a third party, so we should document
security-related decisions. Being able to demonstrate that security was fully considered
in each phase of the SDLC can prove that the team exercised due care and this, in turn,
can mitigate future liabilities. To this end, the documentation must accurately reflect
how the product was built and how it is supposed to operate once implemented into an
environment.
If a software product is being developed for a specific customer, it is common for a
Statement of Work (SOW) to be developed, which describes the product and customer
requirements. A detailed SOW helps to ensure that all stakeholders understand these
requirements and don’t make any undocumented assumptions.
Sticking to what is outlined in the SOW is important so that scope creep does not
take place. If the scope of a project continually extends (creeps) in an uncontrollable
manner, the project may never end, not meet its goals, run out of funding, or all of the
foregoing. If the customer wants to modify its requirements, it is important that the
SOW is updated and funding is properly reviewed.
A work breakdown structure (WBS) is a project management tool used to define and
group a project’s individual work elements in an organized manner. It is a deliberate
decomposition of the project into tasks and subtasks that result in clearly defined
deliverables. The SDLC should be illustrated in a WBS format, so that each phase is
PART VIII

properly addressed.
CISSP All-in-One Exam Guide
1082
Requirements Gathering Phase
This is the phase in which everyone involved in the software development project
attempts to understand why the project is needed and what the scope of the project
entails. Typically, either a specific customer needs a new application or a demand for the
product exists in the market. During this phase, the software development team exam-
ines the software’s requirements and proposed functionality, engages in brainstorming
sessions, and reviews obvious restrictions.
A conceptual definition of the project should be initiated and developed to ensure
everyone is on the right page and that this is a proper product to develop. This phase
could include evaluating products currently on the market and identifying any demands
not being met by current vendors. This definition could also be a direct request for a
specific product from a current or future customer.
Typically, the following tasks should be accomplished in this phase:

Requirements gathering (including security ones)
Security risk assessment
Privacy risk assessment
Risk-level acceptance

The security requirements of the product should be defined in the categories of
availability, integrity, and confidentiality. What type of security is required for the
software product and to what degree? Some of these requirements may come from
applicable external regulations. For example, if the application will deal with payment
cards, PCI DSS will dictate some requirements, such as encryption for card information.
An initial security risk assessment should be carried out to identify the potential
threats and their associated consequences. This process usually involves asking many,
many questions to elicit and document the laundry list of vulnerabilities and threats,
the probability of these vulnerabilities being exploited, and the outcome if one of these
threats actually becomes real and a compromise takes place. The questions vary from
product to product—such as its intended purpose, the expected environment it will be
implemented in, the personnel involved, and the types of businesses that would purchase
and use the product.
The sensitivity level of the data that many software products store and process has
only increased in importance over the years. After a privacy risk assessment, a privacy
impact rating can be assigned, which indicates the sensitivity level of the data that will be
processed or accessible. Some software vendors incorporate the following privacy impact
ratings in their software development assessment processes:

P1, High Privacy Risk The feature, product, or service stores or transfers
personally identifiable information (PII), monitors the user with an ongoing transfer
of anonymous data, changes settings or file type associations, or installs software.
P2, Moderate Privacy Risk The sole behavior that affects privacy in the
feature, product, or service is a one-time, user-initiated, anonymous data transfer
(e.g., the user clicks a link and is directed to a website).
 Chapter 24: Software Development
1083
P3, Low Privacy Risk No behaviors exist within the feature, product, or service
that affect privacy. No anonymous or personal data is transferred, no PII is stored
on the machine, no settings are changed on the user’s behalf, and no software is
installed.
The software vendor can develop its own privacy impact ratings and their associated
definitions. As of this writing there are several formal approaches to conducting a
privacy risk assessment, but none stands out as “the” standardized approach to defining
a methodology for an assessment or these rating types, but as privacy increases in
importance, we might see more standardization in these ratings and associated metrics.
The team tasked with documenting the requirements must understand the criteria
for risk-level acceptance to make sure that mitigation efforts satisfy these criteria. Which
risks are acceptable will depend on the results of the security and privacy risk assessments.
The evaluated threats and vulnerabilities are used to estimate the cost/benefit ratios of
the different security countermeasures. The level of each security attribute should be
focused upon so that a clear direction on security controls can begin to take shape and
can be integrated into the design and development phases.
The end state of the requirements gathering phase is typically a document called
the Software (or System) Requirements Specification (SRS), which describes what
the software will do and how it will perform. These two high-level objectives are also
known as functional and nonfunctional requirements. A functional requirement describes
a feature of the software system, such as reporting product inventories or processing
customer orders. A nonfunctional requirement describes performance standards, such as
the minimum number of simultaneous user sessions or the maximum response time for
a query. Nonfunctional requirements also include security requirements, such as what
data must be encrypted and what the acceptable cryptosystems are. The SRS, in a way, is
a checklist that the software development team will use to develop the software and the
customer will use to accept it.
The Unified Modeling Language (UML) is a common language used to graphically
describe all aspects of software development. We will revisit it throughout the different
phases, but in terms of software requirements, it allows us to capture both functional
and nonfunctional requirements with use case diagrams (UCDs). We already saw these
in Chapter 18 when we discussed testing of technical controls. If you look back to
Figure 18-3, each use case (shown as verb phrases inside ovals) represents a high-level
functional requirement. The associations can capture nonfunctional requirements
through special labels, or these requirements can be spelled out in an accompanying use
case description.

Design Phase
Once the requirements are formally documented, the software development team can
begin figuring out how they will go about satisfying them. This is the phase that starts
to map theory to reality. The theory encompasses all the requirements that were identi-
fied in the previous phase, and the design outlines how the product is actually going to
PART VIII

accomplish these requirements.
CISSP All-in-One Exam Guide
1084
Some organizations skip the design phase, but this can cause major delays and
redevelopment efforts down the road because a broad vision of the product needs to
be understood before looking strictly at the details. Instead, software development
teams should develop written plans for how they will build software that satisfies each
requirement. This plan usually comprises three different but interrelated models:

Informational model Dictates the type of information to be processed and
how it will move around the software system
Functional model Outlines the tasks and functions the application needs to
carry out and how they are sequenced and synchronized
Behavioral model Explains the states the application will be in during and
after specific transitions take place

For example, consider an antimalware software application. Its informational model
would dictate how it processes information, such as virus signatures, modified system
files, checksums on critical files, and virus activity. Its functional model would dictate
how it scans a hard drive, checks e-mail for known virus signatures, monitors critical
system files, and updates itself. Its behavioral model would indicate that when the system
starts up, the antimalware software application will scan the hard drive and memory
segments. The computer coming online would be the event that changes the state of the
application. If it finds a virus, the application would change state and deal with the virus
appropriately. Each state must be accounted for to ensure that the product does not go
into an insecure state and act in an unpredictable way.
The data from the informational, functional, and behavioral models is incorporated
into the software design document, which includes the data, architectural, and procedural
design, as shown in Figure 24-1.

Functional
model

Data
Behavioral design
Design
model Architectural
design

Informational
model
Code
Procedural
design Program
modules

Test
Validated
software

Figure 24-1 Information from three models can go into the design.
 Chapter 24: Software Development
1085
From a security point of view, the following items should also be accomplished in the
design phase:

Attack surface analysis
Threat modeling
An attack surface is what is available to be used by an attacker against the product itself.
As an analogy, if you were wearing a suit of armor and it covered only half of your body,
the other half would be your vulnerable attack surface. Before you went into battle, you
would want to reduce this attack surface by covering your body with as much protective
armor as possible. The same can be said about software. The software development team
should reduce the attack surface as much as possible because the greater the attack surface
of software, the more avenues for the attacker; and hence, the greater the likelihood of
a successful compromise.
The aim of an attack surface analysis is to identify and reduce the amount of code
and functionality accessible to untrusted users. The basic strategies of attack surface
reduction are to reduce the amount of code running, reduce entry points available to
untrusted users, reduce privilege levels as much as possible, and eliminate unnecessary
services. Attack surface analysis is generally carried out through specialized tools to
enumerate different parts of a product and aggregate their findings into a numeral value.
Attack surface analyzers scrutinize files, Registry keys, memory data, session information,
processes, and services details. A sample attack surface report is shown in Figure 24-2.

PART VIII

Figure 24-2 Attack surface analysis result
CISSP All-in-One Exam Guide
1086
Threat modeling, which we covered in detail in Chapter 9 in the context of risk
management, is a systematic approach used to understand how different threats could be
realized and how a successful compromise could take place. As a hypothetical example,
if you were responsible for ensuring that the government building in which you work is
safe from terrorist attacks, you would run through scenarios that terrorists would most
likely carry out so that you fully understand how to protect the facility and the people
within it. You could think through how someone could bring a bomb into the building,
and then you would better understand the screening activities that need to take place at
each entry point. A scenario of someone running a car into the building would bring
up the idea of implementing bollards around the sensitive portions of the facility. The
scenario of terrorists entering sensitive locations in the facility (data center, CEO office)
would help illustrate the layers of physical access controls that should be implemented.
These same scenario-based exercises should take place during the design phase of
software development. Just as you would think about how potential terrorists could enter
and exit a facility, the software development team should think through how potentially
malicious activities can happen at different input and output points of the software and
the types of compromises that can take place within the guts of the software itself.
It is common for software development teams to develop threat trees, as shown in
Figure 24-3. A threat tree is a tool that allows the development team to understand all the
ways specific threats can be realized; thus, it helps them understand what type of security
controls they should implement in the software to mitigate the risks associated with each
threat type.

Threat 1
Compromise
password

1.1 1.3 1.2
Access “in-use” Access Guess
password password in DB password

1.1.1 1.1.2 1.3.1 1.3.2 1.2.1 1.2.2
Password is Compromise Password Brute-force
Sniff network Phishing attack in cleartext database is weak attack

1.3.2.1 1.3.2.2
SQL injection Access database
attack directly

1.3.2.2.2
1.3.2.2.1
Weak DB account
Port open
password(s)

Figure 24-3 Threat tree used in threat modeling
 Chapter 24: Software Development
1087
Figure 24-4 Trust boundary
A simple flow
Request Query
diagram for
threat modeling

Web Web Database
client server server

Response Result

There are many automated tools in the industry that software development teams
can use to ensure that they address the various threat types during the design stage. One
popular open-source solution is the Open Web Application Security Project (OWASP)
Threat Dragon. This web-based tool enables the development team to describe threats
visually using flow diagrams. Figure 24-4 shows a simple diagram of a three-tier web
system showing its trust boundary and the four ways in which the tiers interact. The
next step in building the threat model would be to consider how each of these four
interactions could be exploited by a threat actor. For example, stolen credentials could
allow an adversary to compromise the web server and, from there, issue queries to the
database server that could compromise the integrity or availability of records stored there.
For each threat identified through this process, the software development team would
develop controls to mitigate it.
The decisions made during the design phase are pivotal steps to the development
phase. Software design serves as a foundation and greatly affects software quality. If good
product design is not put into place in the beginning of the project, the following phases
will be much more challenging.

Development Phase
This is the phase where the programmers become deeply involved. The software design
that was created in the previous phase is broken down into defined deliverables, and
programmers develop code to meet the deliverable requirements.
There are many computer-aided software engineering (CASE) tools that programmers
can use to generate code, test software, and carry out debugging activities. When these
types of activities are carried out through automated tools, development usually takes
place more quickly with fewer errors.
CASE refers to any type of software tool that supports automated development of
software, which can come in the form of program editors, debuggers, code analyzers,
version-control mechanisms, and more. These tools aid in keeping detailed records
of requirements, design steps, programming activities, and testing. A CASE tool is
designed to support one or more software engineering tasks in the process of developing
PART VIII

software. Many vendors can get their products to the market faster because they are
“computer aided.”
CISSP All-in-One Exam Guide
1088
In the next chapter we will delve into the abyss of “secure coding,” but let’s take a quick
peek at it here to illustrate its importance in the development phase. As stated previously,
most vulnerabilities that corporations, organizations, and individuals have to worry
about reside within the programming code itself. When programmers do not follow
strict and secure methods of creating programming code, the effects can be widespread
and the results can be devastating. But programming securely is not an easy task. The list
of errors that can lead to serious vulnerabilities in software is long.
The MITRE organization’s Common Weakness Enumeration (CWE) initiative
(https://cwe.mitre.org/top25) describes “a demonstrative list of the most common and
impactful issues experienced over the previous two calendar years.” Table 24-1 shows the
most recent list.

Rank Name
1 Out-of-bounds Write
2 Improper Neutralization of Input During Web Page Generation (“Cross-site Scripting”)
3 Out-of-bounds Read
4 Improper Input Validation
5 Improper Neutralization of Special Elements used in an OS Command (“OS Command
Injection”)
6 Improper Neutralization of Special Elements used in an SQL Command (“SQL Injection”)
7 Use After Free
8 Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”)
9 Cross-Site Request Forgery (CSRF)
10 Unrestricted Upload of File with Dangerous Type
11 Missing Authentication for Critical Function
12 Integer Overflow or Wraparound
13 Deserialization of Untrusted Data
14 Improper Authentication
15 NULL Pointer Dereference
16 Use of Hard-coded Credentials
17 Improper Restriction of Operations within the Bounds of a Memory Buffer
18 Missing Authorization
19 Incorrect Default Permissions
20 Exposure of Sensitive Information to an Unauthorized Actor
21 Insufficiently Protected Credentials
22 Incorrect Permission Assignment for Critical Resource
23 Improper Restriction of XML External Entity Reference
24 Server-Side Request Forgery (SSRF)
25 Improper Neutralization of Special Elements used in a Command (“Command Injection”)
Table 24-1 2021 CWE Top 25 Most Dangerous Software Weaknesses List
 Chapter 24: Software Development
1089
Many of these software issues are directly related to improper or faulty programming
practices. Among other issues to address, the programmers need to check input lengths
so buffer overflows cannot take place, inspect code to prevent the presence of covert
channels, check for proper data types, make sure checkpoints cannot be bypassed by
users, verify syntax, and verify checksums. The software development team should play
out different attack scenarios to see how the code could be attacked or modified in
an unauthorized fashion. Code reviews and debugging should be carried out by peer
developers, and everything should be clearly documented.
A particularly important area of scrutiny is input validation because it can lead to
serious vulnerabilities. Essentially, we should treat every single user input as malicious
until proven otherwise. For example, if we don’t put limits on how many characters
users can enter when providing, say, their names on a web form, they could cause a
buffer overflow, which is a classic example of a technique used to exploit improper input
validation. A buffer overflow (which is described in detail in Chapter 18) takes place when
too much data is accepted as input to a specific process. The process’s memory buffer can
be overflowed by shoving arbitrary data into various memory segments and inserting a
carefully crafted set of malicious instructions at a specific memory address.
Buffer overflows can also lead to illicit escalation of privileges. Privilege escalation is
the process of exploiting a process or configuration setting to gain access to resources
that would normally not be available to the process or its user. For example, an attacker
can compromise a regular user account and escalate its privileges to gain administrator or
even system privileges on that computer. This type of attack usually exploits the complex
interactions of user processes with device drivers and the underlying operating system.
A combination of input validation and configuring the system to run with least privilege
can help mitigate the threat of escalation of privileges.
What is important to understand is that secure coding practices need to be integrated
into the development phase of the SDLC. Security has to be addressed at each phase of
the SDLC, with this phase being one of the most critical.

Testing Phase
Formal and informal testing should begin as soon as possible. Unit testing is concerned
with ensuring the quality of individual code modules or classes. Mature developers
develop the unit tests for their modules before they even start coding, or at least in paral-
lel with the coding. This approach is known as test-driven development and tends to result
in much higher-quality code with significantly fewer vulnerabilities.
Unit tests are meant to simulate a range of inputs to which the code may be exposed.
These inputs range from the mundanely expected, to the accidentally unfortunate, to
the intentionally malicious. The idea is to ensure the code always behaves in an expected
and secure manner. Once a module and its unit tests are finished, the unit tests are run
(usually in an automated framework) on that code. The goal of this type of testing is to
isolate each part of the software and show that the individual parts are correct.
Unit testing usually continues throughout the development phase. A totally different
group of people should carry out the formal testing. Depending on the methodology and
PART VIII

the organization, this could be a QA, testing, audit, or even red team. This is an example
CISSP All-in-One Exam Guide
1090

Separation of Duties
Different environmental types (development, testing, and production) should be
properly separated, and functionality and operations should not overlap. Develop-
ers should not have access to modify code used in production. The code should be
tested, submitted to a library, and then sent to the production environment.

of separation of duties. A programmer should not develop, test, and release software. The
more eyes that see the code, the greater the chance that flaws will be found before the
product is released.
No cookie-cutter recipe exists for security testing because the applications and products
can be so diverse in functionality and security objectives. It is important to map security
risks to test cases and code. The software development team can take a linear approach
by identifying a vulnerability, providing the necessary test scenario, performing the test,
and reviewing the code for how it deals with such a vulnerability. At this phase, tests are
conducted in an environment that should mirror the production environment to ensure
the code does not work only in the labs.
Security attacks and penetration tests usually take place during the testing phase
to identify any missed vulnerabilities. Functionality, performance, and penetration
resistance are evaluated. All the necessary functionality required of the product should be
in a checklist to ensure each function is accounted for.
Security tests should be run to test against the vulnerabilities identified earlier in the
project. Buffer overflows should be attempted, interfaces should be hit with unexpected
inputs, denial-of-service (DoS) situations should be tested, unusual user activity should
take place, and if a system crashes, the product should react by reverting to a secure
state. The product should be tested in various environments with different applications,
configurations, and hardware platforms. A product may respond fine when installed on a
clean Windows 10 installation on a stand-alone PC, but it may throw unexpected errors
when installed on a laptop that is remotely connected to a network and has a virtual
private network (VPN) client installed.

Verification vs. Validation
Verification determines if the software product accurately represents and meets the
specifications. After all, a product can be developed that does not match the origi-
nal specifications, so this step ensures the specifications are being properly met. It
answers the question, “Did we build the product right?”
Validation determines if the software product provides the necessary solution
for the intended real-world problem. In large projects, it is easy to lose sight of the
overall goal. This exercise ensures that the main goal of the project is met. It answers
the question, “Did we build the right product?”
 Chapter 24: Software Development
1091
Testing Types
Software testers on the software development team should subject the software to vari-
ous types of tests to discover the variety of potential flaws. The following are some of the
most common testing approaches:
Unit testing Testing individual components in a controlled environment where
programmers validate data structure, logic, and boundary conditions
Integration testing Verifying that components work together as outlined in
the design specifications
Acceptance testing Ensuring that the code meets customer requirements
Regression testing After a change to a system takes place, retesting to ensure
functionality, performance, and protection
A well-rounded security test encompasses both manual tests and automated tests.
Automated tests help locate a wide range of flaws generally associated with careless or
erroneous code implementations. Some automated testing environments run specific
inputs in a scripted and repeatable manner. While these tests are the bread and butter
of software testing, we sometimes want to simulate random and unpredictable inputs to
supplement the scripted tests.
A manual test is used to analyze aspects of the program that require human intuition
and can usually be judged using computing techniques. Testers also try to locate design
flaws. These include logical errors, which may enable attackers to manipulate program
flow by using shrewdly crafted program sequences to access greater privileges or bypass
authentication mechanisms. Manual testing involves code auditing by security-centric
programmers who try to modify the logical program structure using rogue inputs and
reverse-engineering techniques. Manual tests simulate the live scenarios involved in real-
world attacks. Some manual testing also involves the use of social engineering to analyze
the human weakness that may lead to system compromise.
At this stage, issues found in testing procedures are relayed to the development team in
problem reports. The problems are fixed and programs retested. This is a continual process
until everyone is satisfied that the product is ready for production. If there is a specific
customer, the customer would run through a range of tests before formally accepting the
product; if it is a generic product, beta testing can be carried out by various potential
customers and agencies. Then the product is formally released to the market or customer.

NOTE Sometimes developers include lines of code in a product that will
allow them to do a few keystrokes and get right into the application.
This allows them to bypass any security and access controls so they can
quickly access the application’s core components. This is referred to as a
“back door” or “maintenance hook” and must be removed before the code
goes into production.

Operations and Maintenance Phase
PART VIII

Once the software code is developed and properly tested, it is released so that it can be imple-
mented within the intended production environment. The software development team’s role
is not finished at this point. Newly discovered problems and vulnerabilities are commonly
CISSP All-in-One Exam Guide
1092
identified at this phase. For example, if a company developed a customized application for a
specific customer, the customer could run into unforeseen issues when rolling out the prod-
uct within its various networked environments. Interoperability issues might come to the
surface, or some configurations may break critical functionality. The developers would need
to make the necessary changes to the code, retest the code, and re-release the code.
Almost every software system requires the addition of new features over time.
Frequently, these have to do with changing business processes or interoperability with
other systems. This highlights the need for the operations and development teams to
work particularly closely during the operations and maintenance (O&M) phase. The
operations team, which is typically the IT department, is responsible for ensuring the
reliable operation of all production systems. The development team is responsible for
any changes to the software in development systems up until the time the software goes
into production. Together, the operations and development teams address the transition
from development to production as well as management of the system’s configuration.
Another facet of O&M is driven by the fact that new vulnerabilities are regularly
discovered. While the developers may have carried out extensive security testing, it is close to
impossible to identify all the security issues at one point and time. Zero-day vulnerabilities
may be identified, coding errors may be uncovered, or the integration of the software
with another piece of software may uncover security issues that have to be addressed. The
development team must develop patches, hotfixes, and new releases to address these items.
In all likelihood, this is where you as a CISSP will interact the most with the SDLC.

Change Management
One of the key processes on which to focus for improvement involves how we deal with
the inevitable changes. These can cause a lot of havoc if not managed properly and in a
deliberate manner. We already discussed change management in general in Chapter 20,
but it is particularly important during the lifetime of a software development project.
The need to change software arises for several reasons. During the development phase,
a customer may alter requirements and ask that certain functionalities be added, removed,
or modified. In production, changes may need to happen because of other changes in
the environment, new requirements of a software product or system, or newly released
patches or upgrades. These changes should be carefully analyzed, approved, and properly
incorporated such that they do not affect any original functionality in an adverse way.
Change management is a systematic approach to deliberately regulating the changing
nature of projects, including software development projects. It is a management process
that takes into account not just the technical issues but also resources (like people and
money), project life cycle, and even organizational climate. Many times, the hardest part
of managing change is not the change itself, but the effects it has in the organization.
Many of us have been on the receiving end of a late-afternoon phone call in which we’re
told to change our plans because of a change in a project on which we weren’t even
working. An important part of change management is controlling change.

Change Control
Change control is the process of controlling the specific changes that take place during
the life cycle of a system and documenting the necessary change control activities.
Whereas change management is the project manager’s responsibility as an overarching
 Chapter 24: Software Development
1093
process, change control is what developers do to ensure the software doesn’t break when
they change it.
Change control involves a bunch of things to consider. The change must be approved,
documented, and tested. Some tests may need to be rerun to ensure the change does
not affect the product’s capabilities. When a programmer makes a change to source
code, she should do so on the test version of the code. Under no conditions should a
programmer change the code that is already in production. After making changes to the
code, the programmer should test the code and then deliver the new code to the librarian.
Production code should come only from the librarian and not from a programmer or
directly from a test environment.
A process for controlling changes needs to be in place at the beginning of a project so
that everyone knows how to deal with changes and knows what is expected of each entity
when a change request is made. Some projects have been doomed from the start because
proper change control was not put into place and enforced. Many times in development,
the customer and vendor agree on the design of the product, the requirements, and the
specifications. The customer is then required to sign a contract confirming this is
the agreement and that if they want any further modifications, they will have to pay the
vendor for that extra work. If this agreement is not put into place, then the customer can
continually request changes, which requires the software development team to put in the
extra hours to provide these changes, the result of which is that the vendor loses money,
the product does not meet its completion deadline, and scope creep occurs.
Other reasons exist to have change control in place. These reasons deal with
organizational policies, standard procedures, and expected results. If a software product
is in the last phase of development and a change request comes in, the development team
should know how to deal with it. Usually, the team leader must tell the project manager
how much extra time will be required to complete the project if this change is incorporated
and what steps need to be taken to ensure this change does not affect other components
within the product. If these processes are not controlled, one part of a development team
could implement the change without another part of the team being aware of it. This
could break some of the other development team’s software pieces. When the pieces of
the product are integrated and some pieces turn out to be incompatible, some jobs may
be in jeopardy, because management never approved the change in the first place.
Change control processes should be evaluated during system audits. It is possible to
overlook a problem that a change has caused in testing, so the procedures for how change
control is implemented and enforced should be examined during a system audit.
The following are some necessary steps for a change control process:
1. Make a formal request for a change.
2. Analyze the request:
a. Develop the implementation strategy.
b. Calculate the costs of this implementation.
c. Review security implications.
PART VIII

3. Record the change request.
4. Submit the change request for approval.
CISSP All-in-One Exam Guide
1094
5. Develop the change:
a. Recode segments of the product and add or subtract functionality.
b. Link these changes in the code to the formal change control request.
c. Submit software for testing and quality control.
d. Repeat until quality is adequate.
e. Make version changes.
6. Report results to management.

The changes to systems may require another round of certification and accreditation.
If the changes to a system are significant, then the functionality and level of protection

SDLC and Security
The main phases of a software development life cycle are shown here with some
specific security tasks.

Requirements gathering:
Security risk assessment
Privacy risk assessment
Risk-level acceptance
Informational, functional, and behavioral requirements

Design:
Attack surface analysis
Threat modeling
Development:
Automated CASE tools
Secure coding
Testing:
Automated testing
Manual testing
Unit, integration, acceptance, and regression testing
Operations and maintenance:
Vulnerability patching
Change management and control
 Chapter 24: Software Development
1095
may need to be reevaluated (certified), and management would have to approve the
overall system, including the new changes (accreditation).

Development Methodologies
Several software development methodologies are in common use around the world.
While some include security issues in certain phases, these are not considered “security-
centric development methodologies.” They are simply classical approaches to building
and developing software. Let’s dive into some of the methodologies that you should
know as a CISSP.

EXAM TIP It is exceptionally rare to see a development methodology used
in its pure form in the real world. Instead, organizations typically start with
a base methodology and modify it to suit their own unique environment.
For purposes of the CISSP exam, however, you should focus on what
differentiates each development approach.

Waterfall Methodology
The Waterfall methodology uses a linear-sequential life-cycle approach, illustrated in
Figure 24-5. Each phase must be completed in its entirety before the next phase can
begin. At the end of each phase, a review takes place to make sure the project is on the
correct path and should continue.
In this methodology all requirements are gathered in the initial phase and there is no
formal way to integrate changes as more information becomes available or requirements
change. It is hard to know everything at the beginning of a project, so waiting until the
whole project is complete to integrate necessary changes can be ineffective and time
consuming. As an analogy, let’s say that you are planning to landscape your backyard that
is one acre in size. In this scenario, you can go to the gardening store only one time to get

Figure 24-5 Feasibility
Waterfall
methodology Analysis
used for software
development Design

Implement

Test

Maintain
PART VIII
CISSP All-in-One Exam Guide
1096
all your supplies. If you identify during the project that you need more topsoil, rocks, or
pipe for the sprinkler system, you have to wait and complete the whole yard before you
can return to the store for extra or more suitable supplies.
The Waterfall methodology is a very rigid approach that could be useful for smaller
projects in which all the requirements are fully understood up front. It may also be a good
choice in some large projects for which different organizations will perform the work at
each phase. Overall, however, it is not an ideal methodology for most complex projects,
which commonly contain many variables that affect the scope as the project continues.

Prototyping
A prototype is a sample of software code or a model that can be developed to explore a
specific approach to a problem before investing expensive time and resources. A team can
identify the usability and design problems while working with a prototype and adjust
their approach as necessary. Within the software development industry, three main pro-
totype models have been invented and used. These are the rapid prototype, evolutionary
prototype, and operational prototype.
Rapid prototyping is an approach that allows the development team to quickly create
a prototype (sample) to test the validity of the current understanding of the project
requirements. In a software development project, the team could develop a rapid
prototype to see if their ideas are feasible and if they should move forward with their
current solution. The rapid prototype approach (also called throwaway) is a “quick and
dirty” method of creating a piece of code and seeing if everyone is on the right path or if
another solution should be developed. The rapid prototype is not developed to be built
upon, but to be discarded after serving its purposes.
When evolutionary prototypes are developed, they are built with the goal of incremental
improvement. Instead of being discarded after being developed, as in the rapid prototype
approach, the evolutionary prototype is continually improved upon until it reaches the
final product stage. Feedback that is gained through each development phase is used to
improve the prototype and get closer to accomplishing the customer’s needs.
Operational prototypes are an extension of the evolutionary prototype method. Both
models (operational and evolutionary) improve the quality of the prototype as more data is
gathered, but the operational prototype is designed to be implemented within a production
environment as it is being tweaked. The operational prototype is updated as customer
feedback is gathered, and the changes to the software happen within the working site.
In summary, a rapid prototype is developed to give a quick understanding of the
suggested solution, an evolutionary prototype is created and improved upon within a lab
environment, and an operational prototype is developed and improved upon within a
production environment.

Incremental Methodology
If a development team follows the Incremental methodology, this allows them to carry out
multiple development cycles on a piece of software throughout its development stages.
This would be similar to “multi-Waterfall” cycles taking place on one piece of software as
 Chapter 24: Software Development
1097
System/information
Increment 1
engineering
Delivery of
Analysis Design Code Test
1st increment

Delivery of
Increment 2 Analysis Design Code Test
2nd increment

Delivery of
Increment 3 Analysis Design Code Test
3rd increment

Delivery of
Increment 4 Analysis Design Code Test
4th increment

Figure 24-6 Incremental development methodology

it matures through the development stages. A version of the software is created in the first
iteration and then it passes through each phase (requirements analysis, design, coding,
testing, implementation) of the next iteration process. The software continues through
the iteration of phases until a satisfactory product is produced. This methodology is
illustrated in Figure 24-6.
When using the Incremental methodology, each incremental phase results in a
deliverable that is an operational product. This means that a working version of the
software is produced after the first iteration and that version is improved upon in each
of the subsequent iterations. Some benefits to this methodology are that a working piece
of software is available in early stages of development, the flexibility of the methodology
allows for changes to take place, testing uncovers issues more quickly than the Waterfall
methodology since testing takes place after each iteration, and each iteration is an easily
manageable milestone.
Because each incremental phase delivers an operational product, the customer can
respond to each build and help the development team in its improvement processes, and
because the initial product is delivered more quickly compared to other methodologies,
the initial product delivery costs are lower, the customer gets its functionality earlier, and
the risks of critical changes being introduced are lower.
This methodology is best used when issues pertaining to risk, program complexity,
funding, and functionality requirements need to be understood early in the product
development life cycle. If a vendor needs to get the customer some basic functionality
quickly as it works on the development of the product, this can be a good methodology
to follow.
PART VIII
CISSP All-in-One Exam Guide
1098
Spiral Methodology
The Spiral methodology uses an iterative approach to software development and places
emphasis on risk analysis. The methodology is made up of four main phases: determine
objectives, identify and resolve risks, development and test, and plan the next iteration.
The development team starts with the initial requirements and goes through each of
these phases, as shown in Figure 24-7. Think about starting a software development proj-
ect at the center of this graphic. You have your initial understanding and requirements of
the project, develop specifications that map to these requirements, identify and resolve
risks, build prototype specifications, test your specifications, build a development plan,
integrate newly discovered information, use the new information to carry out a new risk
analysis, create a prototype, test the prototype, integrate resulting data into the process,
and so forth. As you gather more information about the project, you integrate it into the
risk analysis process, improve your prototype, test the prototype, and add more granular-
ity to each step until you have a completed product.
The iterative approach provided by the Spiral methodology allows new requirements
to be addressed as they are uncovered. Each prototype allows for testing to take place

Cumulative cost
Progress
2. Identify and
1. Determine objectives resolve risks

Risk analysis
Risk analysis
Risk analysis
Require- Operational
Review ments plan Prototype 2 prototype
Prototype 1

Concept of Concept of
require-
Require-
operation Draft Detailed
ments ments
design
Development Verification
plan and validation
Code

Test plan Verification
and validation Integration

Test

Release Implementation
4. Plan the next
iteration
3. Development and test

Figure 24-7 Spiral methodology for software development
 Chapter 24: Software Development
1099
early in the development project, and feedback based upon these tests is integrated
into the following iteration of steps. The risk analysis ensures that all issues are actively
reviewed and analyzed so that things do not “slip through the cracks” and the project
stays on track.
In the Spiral methodology the last phase allows the customer to evaluate the product
in its current state and provide feedback, which is an input value for the next spiral of
activity. This is a good methodology for complex projects that have fluid requirements.

NOTE Within this methodology the angular aspect represents progress and
the radius of the spirals represents cost.

Rapid Application Development
The Rapid Application Development (RAD) methodology relies more on the use of rapid
prototyping than on extensive upfront planning. In this methodology, the planning of
how to improve the software is interleaved with the processes of developing the software,
which allows for software to be developed quickly. The delivery of a workable piece of
software can take place in less than half the time compared to the Waterfall methodol-
ogy. The RAD methodology combines the use of prototyping and iterative development
procedures with the goal of accelerating the software development process. The devel-
opment process begins with creating data models and business process models to help
define what the end-result software needs to accomplish. Through the use of prototyp-
ing, these data and process models are refined. These models provide input to allow for
the improvement of the prototype, and the testing and evaluation of the prototype allow
for the improvement of the data and process models. The goal of these steps is to com-
bine business requirements and technical design statements, which provide the direction
in the software development project.
Figure 24-8 illustrates the basic differences between traditional software development
approaches and RAD. As an analogy, let’s say that the development team needs you to tell
them what it is you want so that they can build it for you. You tell them that the thing you
want has four wheels and an engine. They bring you a two-seat convertible and ask, “Is
this what you want?” You say, “No, it must be able to seat four adults.” So they leave the
prototype with you and go back to work. They build a four-seat convertible and deliver it
to you, and you tell them they are getting closer but it still doesn’t fit your requirements.
They get more information from you, deliver another prototype, get more feedback, and
on and on. That back and forth is what is taking place in the circle portion of Figure 24-8.
The main reason that RAD was developed was that by the time software was completely
developed following other methodologies, the requirements changed and the developers
had to “go back to the drawing board.” If a customer needs you to develop a software
product and it takes you a year to do so, by the end of that year the customer’s needs for
the software have probably advanced and changed. The RAD methodology allows for the
customer to be involved during the development phases so that the end result maps to
PART VIII

their needs in a more realistic manner.
CISSP All-in-One Exam Guide
1100
Traditional

Analysis High-level design Detailed design Construction Testing Implementation

RAD

O N S T R AT
EM E
D

Analysis and
Testing Implementation
quick design Prototype

IL D
Cycles

RE
BU

FI
N
E

Figure 24-8 Rapid Application Development methodology

Agile Methodologies
The industry seems to be full of software development methodologies, each trying to
improve upon the deficiencies of the ones before it. Before the Agile approach to devel-
opment was created, teams were following rigid process-oriented methodologies. These
approaches focused more on following procedures and steps instead of potentially carry-
ing out tasks in a more efficient manner. As an analogy, if you have ever worked within
or interacted with a large government agency, you may have come across silly processes
that took too long and involved too many steps. If you are a government employee and
need to purchase a new chair, you might have to fill out four sets of documents that need
to be approved by three other departments. You probably have to identify three different
chair vendors, who have to submit a quote, which goes through the contracting office.
It might take you a few months to get your new chair. The focus is to follow a protocol
and rules instead of efficiency.
Many of the classical software development approaches, as in Waterfall, provide rigid
processes to follow that do not allow for much flexibility and adaptability. Commonly, the
software development projects that follow these approaches end up failing by not meeting
schedule time release, running over budget, and/or not meeting the needs of the customer.
Sometimes you need the freedom to modify steps to best meet the situation’s needs.
Agile methodology is an umbrella term for several development methodologies. The
overarching methodology focuses not on rigid, linear, stepwise processes, but instead on
incremental and iterative development methods that promote cross-functional teamwork
 Chapter 24: Software Development
1101
and continuous feedback mechanisms. This methodology is considered “lightweight”
compared to the traditional methodologies that are “heavyweight,” which just means this
methodology is not confined to a tunnel-visioned and overly structured approach. It is
nimble and flexible enough to adapt to each project’s needs. The industry found out that
even an exhaustive library of defined processes cannot handle every situation that could
arise during a development project. So instead of investing time and resources into deep
upfront design analysis, the Agile methodology focuses on small increments of functional
code that are created based on business need.
The various methodologies under the Agile umbrella focus on individual interaction
instead of processes and tools. They emphasize developing the right software product
over comprehensive and laborious documentation. They promote customer collaboration
instead of contract negotiation, and emphasize abilities to respond to change instead of
strictly following a plan.
A notable element of many Agile methodologies is their focus on user stories. A user
story is a sentence that describes what a user wants to do and why. For instance, a user
story could be “As a customer, I want to search for products so that I can buy some.”
Notice the structure of the story is “As a , I want to
so that.” For example, “As a network analyst, I want
to record pcap (packet capture) files so that I can analyze downloaded malware.” This
method of documenting user requirements is very familiar to the customers and enables
their close collaboration with the development team. Furthermore, by keeping this user
focus, validation of the features is simpler because the “right system” is described up front
by the users in their own words.

EXAM TIP The Agile methodologies do not use prototypes to represent the
full product, but break the product down into individual features that are
continuously being delivered.

Another important characteristic of the Agile methodologies is that the development
team can take pieces and parts of all of the available SDLC methodologies and combine
them in a manner that best meets the specific project needs. These various combinations
have resulted in many methodologies that fall under the Agile umbrella.

Scrum
Scrum is one of the most widely adopted Agile methodologies in use today. It lends itself
to projects of any size and complexity and is very lean and customer focused. Scrum is
a methodology that acknowledges the fact that customer needs cannot be completely
understood and will change over time. It focuses on team collaboration, customer
involvement, and continuous delivery.
The term scrum originates from the sport of rugby. Whenever something interrupts
play (e.g., a penalty or the ball goes out of bounds) and the game needs to be restarted,
all players come together in a tight formation. The ball is then thrown into the middle
and the players struggle with each other until one team or the other gains possession of
PART VIII

the ball, allowing the game to continue. Extending this analogy, the Scrum methodology
CISSP All-in-One Exam Guide
1102
allows the project to be reset by allowing product features to be added, changed, or
removed at clearly defined points. Since the customer is intimately involved in the
development process, there should be no surprises, cost overruns, or schedule delays.
This allows a product to be iteratively developed and changed even as it is being built.
The change points happen at the conclusion of each sprint, a fixed-duration
development interval that is usually (but not always) two weeks in length and promises
delivery of a very specific set of features. These features are chosen by the team, but with
a lot of input from the customer. There is a process for adding features at any time by
inserting them in the feature backlog. However, these features can be considered for
actual work only at the beginning of a new sprint. This shields the development team
from changes during a sprint, but allows for changes in between sprints.

Extreme Programming
If you take away the regularity of Scrum’s sprints and backlogs and add a lot of code
reviewing, you get our next Agile methodology. Extreme Programming (XP) is a devel-
opment methodology that takes code reviews (discussed in Chapter 18) to the extreme
(hence the name) by having them take place continuously. These continuous reviews are
accomplished using an approach called pair programming, in which one programmer
dictates the code to her partner, who then types it. While this may seem inefficient, it
allows two pairs of eyes to constantly examine the code as it is being typed. It turns out
that this approach significantly reduces the incidence of errors and improves the overall
quality of the code.
Another characteristic of XP is its reliance on test-driven development, in which the
unit tests are written before the code. The programmer first writes a new unit test case,
which of course fails because there is no code to satisfy it. The next step is to add just
enough code to get the test to pass. Once this is done, the next test is written, which fails,
and so on. The consequence is that only the minimal amount of code needed to pass
the tests is developed. This extremely minimal approach reduces the incidence of errors
because it weeds out complexity.

Kanban
Kanban is a production scheduling system developed by Toyota to more efficiently sup-
port just-in-time delivery. Over time, Kanban was adopted by IT and software systems
developers. In this context, the Kanban development methodology is one that stresses
visual tracking of all tasks so that the team knows what to prioritize at what point in
time in order to deliver the right features right on time. Kanban projects used to be very
noticeable because entire walls in conference rooms would be covered in sticky notes rep-
resenting the various tasks that the team was tracking. Nowadays, many Kanban teams
opt for virtual walls on online systems.
The Kanban wall is usually divided vertically by production phase. Typical columns
are labeled Planned, In Progress, and Done. Each sticky note can represent a user story
as it moves through the development process, but more importantly, the sticky note can
also be some other work that needs to be accomplished. For instance, suppose that one
of the user stories is the search feature described earlier in this section. While it is being
developed, the team realizes that the searches are very slow. This could result in a task being
 Chapter 24: Software Development
1103
added to change the underlying data or network architecture or to upgrade hardware.
This sticky note then gets added to the Planned column and starts being prioritized
and tracked together with the rest of the remaining tasks. This process highlights how
Kanban allows the project team to react to changing or unknown requirements, which is
a common feature among all Agile methodologies.

DevOps
Traditionally, the software development team and the IT team are two separate (and
sometimes antagonistic) groups within an organization. Many problems stem from poor
collaboration between these two teams during the development process. It is not rare to
have the IT team berating the developers because a feature push causes the IT team to
have to stay late or work on a weekend or simply drop everything they were doing in
order to “fix” something that the developers “broke.” This friction makes a lot of sense
when you consider that each team is incentivized by different outcomes. Developers
want to push out finished code, usually under strict schedules. The IT staff, on the other
hand, wants to keep the IT infrastructure operating effectively. Many project managers
who have managed software development efforts will attest to having received complaints
from developers that the IT team was being unreasonable and uncooperative, while the
IT team was simultaneously complaining about buggy code being tossed over the fence
at them at the worst possible times and causing problems on the rest of the network.
A good way to solve this friction is to have both developers and members of the
operations staff (hence the term DevOps) on the software development team. DevOps
is the practice of incorporating development, IT, and quality assurance (QA) staff into
software development projects to align their incentives and enable frequent, efficient,
and reliable releases of software products. This relationship is illustrated in Figure 24-9.

Figure 24-9
DevOps exists at
the intersection
of software
development, Software IT
IT, and QA. development operations

DevOps

Quality
assurance
PART VIII
CISSP All-in-One Exam Guide
1104
Ultimately, DevOps is about changing the culture of an organization. It has a huge
positive impact on security, because in addition to QA, the IT teammates will be
involved at every step of the process. Multifunctional integration allows the team to
identify potential defects, vulnerabilities, and friction points early enough to resolve
them proactively. This is one of the biggest selling points for DevOps. According
to multiple surveys, there are a few other, perhaps more powerful benefits: DevOps
increases trust within an organization and increases job satisfaction among developers,
IT staff, and QA personnel. Unsurprisingly, it also improves the morale of project
managers.

DevSecOps
It is not all that common for the security team to be involved in software development
efforts, but it makes a lot of sense for them to be. Their job is to find vulnerabilities
before the threat actors can and then do something about it. As a result, most security
professionals develop an “adversarial mindset” that allows them to think like attackers
in order to better defend against them. Imagine being a software developer and hav-
ing someone next to you telling you all the ways they could subvert your code to do
bad things. It’d be kind of like having a spell-checker but for vulnerabilities instead
of spelling!
DevSecOps is the integration of development, security, and operations professionals
into a software development team. It’s just like DevOps but with security added in. One
of the main advantages of DevSecOps is that it bakes security right into the development
process, rather than bolting it on at the end of it. Rather than implementing controls to
mitigate vulnerabilities, the vulnerabilities are prevented from being implemented in the
first place.

Other Methodologies
There seems to be no shortage of SDLC and software development methodologies in the
industry. The following is a quick summary of a few others that can also be used:

Exploratory methodology A methodology that is used in instances where
clearly defined project objectives have not been presented. Instead of focusing
on explicit tasks, the exploratory methodology relies on covering a set of
specifications likely to affect the final product’s functionality. Testing is an
important part of exploratory development, as it ascertains that the current phase
of the project is compliant with likely implementation scenarios.
Joint Application Development (JAD) A methodology that uses a team
approach in application development in a workshop-oriented environment. This
methodology is distinguished by its inclusion of members other than coders in
the team. It is common to find executive sponsors, subject matter experts, and
end users spending hours or days in collaborative development workshops.
 Chapter 24: Software Development
1105

Integrated Product Team
An integrated product team (IPT) is a multidisciplinary development team with rep-
resentatives from many or all the stakeholder populations. The idea makes a lot of
sense when you think about it. Why should programmers learn or guess the man-
ner in which the accounting folks handle accounts payable? Why should testers and
quality control personnel wait until a product is finished before examining it? Why
should the marketing team wait until the project (or at least the prototype) is fin-
ished before determining how best to sell it? A comprehensive IPT includes business
executives and end users and everyone in between.
The Joint Application Development methodology, in which users join developers
during extensive workshops, works well with the IPT approach. IPTs extend this
concept by ensuring that the right stakeholders are represented in every phase of
the development as formal team members. In addition, whereas JAD is focused on
involving the user community, an IPT is typically more inward facing and focuses
on bringing in the business stakeholders.
An IPT is not a development methodology. Instead, it is a management technique.
When project managers decide to use IPTs, they still have to select a methodology.
These days, IPTs are often associated with Agile methodologies.

Reuse methodology A methodology that approaches software development by
using progressively developed code. Reusable programs are evolved by gradually
modifying preexisting prototypes to customer specifications. Since the reuse
methodology does not require programs to be built from scratch, it drastically
reduces both development cost and time.
Cleanroom An approach that attempts to prevent errors or mistakes by following
structured and formal methods of developing and testing. This approach is used
for high-quality and mission-critical applications that will be put through a strict
certification process.
We covered only the most commonly used methodologies in this section, but there
are many more that exist. New methodologies have evolved as technology and research
have advanced and various weaknesses of older approaches have been addressed.
Most of the methodologies exist to meet a specific software development need, and
choosing the wrong approach for a certain project could be devastating to its overall
success.

EXAM TIP While all the methodologies we covered are used in many
organizations around the world, you should focus on Agile, Waterfall,
DevOps, and DevSecOps for the CISSP exam.
PART VIII
CISSP All-in-One Exam Guide
1106

Review of Development Methodologies
A quick review of the various methodologies we have covered up to this point is
provided here:

Waterfall Very rigid, sequential approach that requires each phase to
complete before the next one can begin. Difficult to integrate changes.
Inflexible methodology.
Prototyping Creating a sample or model of the code for proof-of-concept
purposes.
Incremental Multiple development cycles are carried out on a piece of
software throughout its development stages. Each phase provides a usable
version of software.
Spiral Iterative approach that emphasizes risk analysis per iteration.
Allows for customer feedback to be integrated through a flexible
evolutionary approach.
Rapid Application Development Combines prototyping and iterative
development procedures with the goal of accelerating the software
development process.
Agile Iterative and incremental development processes that encourage
team-based collaboration. Flexibility and adaptability are used instead of a
strict process structure.
DevOps The software development and IT operations teams work
together at all stages of the project to ensure a smooth transition from
development to production environments.
DevSecOps Just like DevOps, but also integrates the security team into
every stage of the project.

Maturity Models
Regardless of which software development methodology an organization adopts, it is
helpful to have a framework for determining how well-defined and effective its devel-
opment activities are. Maturity models identify the important components of software
development processes and then organize them in an evolutionary scale that proceeds
from ad hoc to mature. Each maturity level comprises a set of goals that, when they are
met, stabilize one or more of those components. As an organization moves up this matu-
rity scale, the effectiveness, repeatability, and predictability of its software development
processes increase, leading to higher-quality code. Higher-quality code, in turn, means
fewer vulnerabilities, which is why we care so deeply about this topic as cybersecurity
leaders. Let’s take a look at the two most popular models: the Capability Maturity Model
Integration (CMMI) and the Software Assurance Maturity Model (SAMM).
 Chapter 24: Software Development
1107
Capability Maturity Model Integration
Capability Maturity Model Integration (CMMI) is a comprehensive set of models for
developing software. It addresses the different phases of a software development life cycle,
including concept definition, requirements analysis, design, development, integration,
installation, operations, and maintenance, and what should happen in each phase. It can
be used to evaluate security engineering practices and identify ways to improve them.
It can also be used by customers in the evaluation process of a software vendor. Ideally,
software vendors would use the model to help improve their processes, and customers
would use the model to assess the vendors’ practices.

EXAM TIP For exam purposes, the terms CMM and CMMI are equivalent.

CMMI describes procedures, principles, and practices that underlie software
development process maturity. This model was developed to help software vendors
improve their development processes by providing an evolutionary path from an ad hoc
“fly by the seat of your pants” approach to a more disciplined and repeatable method that
improves software quality, reduces the life cycle of development, provides better project
management capabilities, allows for milestones to be created and met in a timely manner,
and takes a more proactive approach than the less effective reactive approach. It provides
best practices to allow an organization to develop a standardized approach to software
development that can be used across many different groups. The goal is to continue to
review and improve upon the processes to optimize output, increase capabilities, and
provide higher-quality software at a lower cost through the implementation of continuous
improvement steps.
If the company Stuff-R-Us wants a software development company, Software-R-Us,
to develop an application for it, it can choose to buy into the sales hype about how
wonderful Software-R-Us is, or it can ask Software-R-Us whether it has been evaluated
against CMMI. Third-party companies evaluate software development companies
to certify their product development processes. Many software companies have this
evaluation done so they can use this as a selling point to attract new customers and
provide confidence for their current customers.
The five maturity levels of CMMI are shown in Figure 24-10 and described here:

Level 0: Incomplete Development process is ad hoc or even chaotic. Tasks are
not always completed at all, so projects are regularly cancelled or abandoned.
Level 1: Initial The organization does not use effective management procedures
and plans. There is no assurance of consistency, and quality is unpredictable.
Success is usually the result of individual heroics.
Level 2: Managed A formal management structure, change control, and quality
assurance are in place for individual projects. The organization can properly repeat
PART VIII

processes throughout each project.
CISSP All-in-One Exam Guide
1108
Figure 24-10 Level
Optimizing
CMMI staged 5
maturity levels
Level Quantitatively
4 Managed

Level
Defined
3
Level
Managed
2
Level
Initial
1
Level
Incomplete
0

Level 3: Defined Formal procedures are in place that outline and define
processes carried out in all projects across the organization. This allows the
organization to be proactive rather than reactive.
Level 4: Quantitatively Managed The organization has formal processes in
place to collect and analyze quantitative data, and metrics are defined and fed
into the process-improvement program.
Level 5: Optimizing The organization has budgeted and integrated plans
for continuous process improvement, which allow it to quickly respond to
opportunities and changes.

Each level builds upon the previous one. For example, a company that accomplishes a
Level 5 CMMI rating must meet all the requirements outlined in Levels 1–4 along with
the requirements of Level 5.
If a software development vendor is using the Prototyping methodology that was
discussed earlier in this chapter, the vendor would most likely only achieve a CMMI
Level 1, particularly if its practices are ad hoc, not consistent, and the level of the
quality that its software products contain is questionable. If this company practiced
a strict Agile SDLC methodology consistently and carried out development, testing,
and documentation precisely, it would have a higher chance of obtaining a higher
CMMI level.
Capability maturity models (CMMs) are used for many different purposes, software
development processes being one of them. They are general models that allow for
 Chapter 24: Soft