Integrating Security Into SDLC PDF
Document Details
Alexandria National University
Summary
This document provides an overview of integrating security into the system development life cycle (SDLC). It details the phases of the SDLC (planning, analysis, design, implementation, and maintenance) and how security considerations can be incorporated at each stage. The document also contrasts software security with system security, highlighting the importance of secure coding practices and security-sensitive designs, and discusses the methodologies, techniques, and tools used in the development process.
Full Transcript
Introduction (agenda)
- System development life cycle (SDLC)
- Secure development life cycle activities and practices

Introduction to Secure Software Development

Introduction
"Security enhancement" of the software development life cycle (SDLC) process mainly involves adapting the existing activities, practices, and checkpoints already included in the SDLC process, rather than replacing the process. The result is the production of more dependable, trustworthy, and resilient software-based systems.

Software security vs. system security
Software security relies heavily on the absence of exploitable defects in the source code and on the non-exposure of defects in the binary executable. By contrast, system security relies heavily on safeguards and countermeasures around the software, such as cryptography, access controls, and security enforcement at security boundaries, for example:
- Network-level and data-level encryption
- Digital signatures
- Firewalls, proxy filters, and gateways
- Identification, authentication, and authorization of users
- Intrusion detection and prevention systems
- Network traffic monitoring and trend analysis
- Virus scanners and spyware detectors
- User activity logging/auditing and non-repudiation measures
- Access control of data and resources
- Mobile code containment
- Platform virtualization (hardware or software)
These safeguards surround the software; they do not remove a defect in it, so an attacker who reaches the application through a channel the safeguards permit (for example a web form that the firewall must allow) still reaches the defect.

System development life cycle (SDLC)

SDLC terminology
- Methodologies: a sequence of step-by-step approaches that help develop the final product (the information system).
- Techniques: processes an analyst follows to help ensure that the work is well thought out, complete, and comprehensible.
- Tools: computer programs, such as computer-aided software engineering (CASE) tools, that make it easy to apply specific techniques.
- System development methodology: a standard process followed in an organization to conduct all the steps necessary to analyze, design, implement, and maintain information systems.

SDLC: the traditional methodology used to develop, maintain, and replace information systems.
Phases in the SDLC: Planning, Analysis, Design, Implementation, Maintenance

Planning
The first phase of the SDLC, in which an organization's total information system needs are identified, analyzed, prioritized, and arranged. These needs are translated into a plan for the IS department, including a schedule for developing major new systems.

Analysis
The second phase of the SDLC, in which system requirements are studied and structured. Two sub-phases: requirements determination, then requirements studying and structuring. Output: a description of the recommended alternative solution.

Design
The third phase of the SDLC, in which the description of the recommended solution is converted into logical and then physical system specifications. The analyst must design all aspects of the system, from input and output screens to reports, databases, and computer processes.

Implementation
The fourth phase of the SDLC, in which the information system is coded, tested, installed, and supported in the organization. Code may be generated by the tool used to build the detailed model. Testing is done both for individual modules and for the entire system.

Maintenance
The final phase of the SDLC, in which the information system is systematically repaired and improved.

Traditional waterfall SDLC
- One phase begins when another completes, with little backtracking or looping.
- System requirements are "locked in" after being determined and cannot change.
- Limited user involvement (only in the requirements phase).
- Too much focus on milestone deadlines of SDLC phases, to the detriment of sound development practices.
For security this matters: a threat not captured before requirements are locked in is not addressed until maintenance, where a fix costs far more than a change to the requirements or design would have.
Different approaches to improving development
- Prototyping
- Computer-Aided Software Engineering (CASE) tools
- Joint Application Design (JAD)
- Rapid Application Development (RAD)
- Agile methodologies
- eXtreme Programming

Secure development life cycle activities and practices
For each SDLC phase the slides list the responsible role(s), the standard activity, and the additional or enhanced activity for secure software (standard activity -> secure enhancement).

Whole SDLC (Configuration manager)
- Version control, change control -> secure CM practices; secure CM tools

Requirements (Requirements analyst)
- Use case development -> security use case development; misuse case and abuse case development
- Requirements modeling -> attack modeling (also referred to as threat modeling)
- Functional requirements specification -> specification of functional requirements for software security functions (e.g., code signature validation, input validation); specification of non-functional requirements to ensure the security of the software (e.g., through use of formal methods, secure coding standards)
- Test case definition -> definition of test cases for verifying software security
- Definition and selection of coding standards -> definition and selection of secure coding standards, secure programming languages, and secure development tools

Architecture & Design (Architect, Designer, Component integrator)
- Architecture and design reviews -> addition of security criteria in architecture and design reviews
- Architecture-level trade-off analyses -> security considerations in trade-off analyses
- Component selection and component integration -> security criteria in component evaluation
- Integration testing -> security criteria in integration testing

Implementation (Programmer, Tester)
- Code reviews -> static code security analyses; white-box security tests
- Unit testing -> security criteria in unit testing
- Build process testing -> security criteria in build process testing
- Functional, integration, and system tests -> binary security tests (e.g., fault injection, fuzzing); automated vulnerability scans; penetration tests

Deployment (Tester, Distribution manager, Installer)
- Deployment configuration testing -> automated vulnerability scans; penetration tests
- Distribution (online/offline) -> secure distribution and deployment
- Installation configuration -> secure installation configuration