If you are doing the CISSP, this might be useful for the Application Security domain. I prepared these slides to make sure I understand software development in an organized manner from a security professional's perspective, as well as to create a foundation for the exam. The primary references here are the Shon Harris CISSP book series and the ISC2 official CBK, as I mentioned in my previous SlideShares on similar topics.
3. Waterfall
• Methods
  • Structured Programming Development
    • Most widely used, studied in academics.
    • Promotes discipline, allows introspection, provides controlled flexibility.
    • Requires defined processes and modular development.
    • Each phase is subject to reviews and approvals.
    • Allows security to be added at the beginning and formally.
  • Spiral Method
    • Nested version of the waterfall model.
    • Each phase is carefully designed.
    • In each phase there are four sub-stages based on PDCA (Plan, Do, Check, Act).
    • Cost is reviewed at each stage.
    • Based on the results of the risk assessment, a decision is made either to continue or to leave the project.
4. Iterative Development
It is a flexible model and allows successive changes in requirements, design and coding, unlike waterfall models, which do not allow that.
Requires change control management.
The scope of the project can take a toll.
Not perfect from a security perspective: because of the flexibility of changes, it is difficult to ensure that security provisions still hold true after new changes.
Models
• Prototyping
• Modified Prototype Model
• RAD (Rapid Application Development)
• JAD (Joint Analysis Development)
• Exploratory Model
5. Prototyping
• Four-step process
  • Initial concept design; implement the initial prototype.
  • Refine the prototype until acceptance.
  • Complete.
  • Release the final version.
6. Modified Prototype Model (MPM)
Ideal for web development; allows basic functionality faster.
Maintenance phase begins after deployment.
It ensures the process is flexible to reflect the current state and operations of the organization.
7. Rapid Application Development (RAD)
1. Rapid prototyping; requires strict time limits on each phase.
2. Relies on tools that allow quick development.
3. Can be hazardous to security when changes are made randomly and at such a pace that security oversights can occur.
8. Joint Analysis Development (JAD)
Was invented for mainframe development. Its techniques are now used in RAD, web development and other methods.
Allows developers to work directly with users to develop the application.
Its success is based on key players communicating with each other at critical stages of the project.
From a security perspective, the involvement of multiple parties can result in functional but less secure software, due to possible security oversights.
9. Exploratory Model
1. Requirements are built based on what is currently available.
2. Assumptions are made about how the system might work.
3. Over the period, further insights and suggestions are incorporated to create a usable system.
4. Due to lack of structure, security may be overlooked.
12. SDLC Phases
• Project initiation and planning
• Functional requirements
• System design specifications
• Development and implementation
• Documentation and common program controls
• Testing and evaluation control
• Transition to production
Extended Phases
• Operation and maintenance support.
• Revision and system replacement.
14. Functional Requirements Definition
1. Analysis of current and possible future functional requirements.
2. Review documentation of the previous phase.
3. Security needs to be formally made part of the requirements while planning functionality.
15. System Design Specification
Design the system or software based on the functional requirements.
System architecture, system outputs and system interfaces are designed.
Data input, data flow and output requirements are established.
Security features are incorporated in this phase based on the overall company security policy.
16. Development and Implementation
Source code creation.
Testing: test cases are developed. Unit and integration testing is conducted.
Documentation of the activities of this phase.
Care should be taken at this stage to ensure quality, reliability and consistency of operation.
Special care should be taken to ensure the code does not have common vulnerabilities that may lead to exploitation later.
17. Documentation and Common Program Controls
1. Controls used when editing data through the program.
2. Type of logging it should be doing.
3. How program versions should be stored.
4. A large number of such controls may be needed.
18. Acceptance
Independent testing of the code by a separate group to test functionality and security requirements.
Testing at all applicable stages by a separate group to maintain separation of duties.
The goal of security testing is to ensure the application meets its security requirements.
Security testing should uncover all the design and implementation flaws.
Testing should be performed in an environment that simulates the production environment.
It is the first phase of certification and accreditation.
19. Testing and Evaluation Controls
Preparing test data and cases that cover scenarios ensuring functionality and security requirements are met.
Testing done in parallel with production.
Certification and accreditation.
20. Transition to Production
System is moved into the live production environment.
• Installation
• Data conversion
Users are trained according to the implementation.
Security accreditation.
21. Operation and Maintenance
Monitoring system performance and ensuring availability.
Detecting bugs and vulnerabilities.
Recovering from system problems.
Implementing system changes.
Security activities like:
• Testing backups and recovery procedures
• Ensuring proper controls for data and report handling
• Ensuring effectiveness of the security process
• Periodic risk assessment and recertification of sensitive applications is required when significant changes occur.
22. Revision and System Replacement
Hardware and software baselines should be subjected to periodic evaluation and audits.
There may be a point in time when it's not the bug in the application but additional functionality not