Integrating Security Into SDLC PDF

Document Details

Uploaded by Deleted User

Alexandria National University

Tags

system development lifecycle software security sdlc information technology

Summary

This document provides an overview of integrating security into the system development life cycle (SDLC). It details the different phases of SDLC, including planning, analysis, design, implementation, and maintenance, and how security considerations can be incorporated at each stage. The document also compares software security with system security, highlighting the importance of secure coding practices and security-sensitive designs. Also discussed are methodology, techniques, tools used in the development process.

Full Transcript

1 Introduction System development life cycle (SDLC) Secure development life cycle activities and practices 2 Introduction to Secure Software Development 3 Introduction “Security enhancement” of the software development life cycle...

1 Introduction System development life cycle (SDLC) Secure development life cycle activities and practices 2 Introduction to Secure Software Development 3 Introduction “Security enhancement” of the software development life cycle (SDLC) process mainly involves the adaptation of existing SDLC activities, practices, and checkpoints included in the SDLC process. It will result in the production of more dependable, trustworthy, and resilient software-based systems. 4 Software security VS. System security Software security relies heavily on the absence of exploitable defects in the source code and the non-exposure of defects in the binary executable. By contrast. System security relies heavily on safeguards and countermeasures, such cryptography, Network-level and Firewalls, proxy access controls, and data-level Digital signature; filters, and security enforcement of encryption; gateways; security boundaries Identification, Intrusion detection Network traffic Virus scanners and authentication, and and prevention monitoring and trend spyware detectors; authorization of systems; analysis; users; User activity Platform Access control of logging/auditing and Mobile code virtualization data and resources; non-repudiation containment; (hardware or measures; software). 5 System development life cycle SDLC 6 SDLC Methodologies: are a sequence of step-by-step approaches that help develop your final product (Information System). Techniques: are processes that an analyst will follow to help ensure that the work is well thought-out, complete, and comprehensible. Tools: are computer programs, such as computer-aided software engineering (CASE) tools, that make it easy to use specific techniques.  System Development Methodology: is a standard process followed in an organization to conduct all the steps necessary to analyze, design, implement, and maintain information systems. 7 SDLC  SDLC :The traditional methodology used to develop, maintain, and replace information systems.  Phases in SDLC:  Planning  Analysis  Design  Implementation  Maintenance 8 SDLC Planning The first phase of the SDLC in which an organization’s total information system needs are identified, analyzed, prioritized, and arranged These needs can be translated into a plan of IS department including a schedule for developing new major systems. Analysis The second phase of the SDLC in which system requirements are studied and structured Two sub-phases Requirements determination. Requirements studying and structuring. Output Description of alternative solution recommended. Design The third phase of the SDLC in which the description of the recommended solution is converted into logical and then physical system specifications The analyst must design all aspects of the system from input and output screens to reports, databases, and computer processes. 9 SDLC Implementation The fourth phase of the SDLC in which the information system is coded, tested, installed and supported in the organization. The code may be generated by the tool used in building the detailed model. The test will be done for individual modules & for entire system. Maintenance The final phase of the SDLC in which an information system is systematically repaired and improved. 10 SDLC 11 Traditional Waterfall SDLC One phase begins when another completes, little backtracking and looping 12 Traditional Waterfall SDLC  System requirements “locked in” after being determined (can't change).  Limited user involvement (only in requirements phase).  Too much focus on milestone deadlines of SDLC phases to the detriment of sound development practices. 13 Different Approaches to Improving Development Prototyping Computer-Aided Software Engineering (CASE) Tools Joint Application Design (JAD) Rapid Application Development (RAD) Agile Methodologies eXtreme Programming 14 Secure development life cycle activities and practices 15 Secure development life cycle activities and practices Phase Responsible Activities Additional/Enhanced Activities for Secure role(s)* Software Version Secure CM practices Configuration Whole SDLC control, Secure CM tools manager change control Use Case Security use case development Development Misuse Case and Abuse Case development Requirements Attack Modeling (also referred to as Threat modeling Modeling) Specification of functional requirements for Requirements Requirements software security functions (e.g., for code analyst signature validation, input validation, etc.) Functional requirements Specification of non-functional requirements to specification ensure the security of software (e.g., through use of formal methods, secure coding standards, etc.) Definition of test cases for verifying software Test case definition security Definition and selection of secure coding Definition and selection of standards, secure programming languages, and coding standards secure development tools 16 Secure development life cycle activities and practices Phase Responsible Activities Additional/Enhanced Activities for Secure role(s)* Software Architecture Architect Architecture and Addition of security criteria in & Design Designer design reviews architecture and design reviews Architecture level Security considerations in trade-off Component integration trade-off analyses analyses Integrator Security criteria in component Component selection evaluation Integration testing Security criteria in integration testing 17 Secure development life cycle activities and practices Phase Responsible Activities Additional/Enhanced Activities for Secure role(s)* Software Implementation Code reviews Static code security analyses Programmer Unit testing Security criteria in unit testing Build process Security criteria build process testing testing Binary security tests (e.g., fault Functional integration injection, fuzzing) Testing Tester and system tests Automated vulnerability scans Penetration tests Code reviews white box security tests 18 Secure development life cycle activities and practices Phase Responsible Activities Additional/Enhanced Activities for Secure role(s)* Software Tester Deployment Automated vulnerability scans Configuration testing Penetration tests Distribution & deployment manager Distribution Secure installation configuration Distribution (online/offline) manager Installer Installation configuration 19

Use Quizgecko on...
Browser
Browser