Security in the Software Development Life Cycle
Our Team
PM: Frances
2nd in Command: Brandon
Writer: Charles
Developer: Justin
Writer: Jordan
Phase 1
Frances
❖ Planning
❖ Analyzing Risk
❖ Cost Analysis
❖ Security Requirements
[1][2][3][4][5]
How to Approach Risks
Application Security
- issue based, short term
- penetration
- patching
- threat modeling
- code reviews
Software Security
- holistic, long term
- root cause analysis
- organizational change
When to Address the Security Vulnerabilities
Most developers today test after the software is built.
Sample Software Security Costs
Unbudgeted time to fix security problems:          1000 employee hours
Cost of training software developers in security:  $100 million
Inadequate software testing costs:                 $3.3 billion
DoS attack:                                        $500 million
Fixing a patch with 1K servers:                    $300K to test and deploy
Fixing a defect:                                   $6K per defect
Source: Business Week, Gartner, Microsoft, NIST
So how do we do it?
● define roadmaps for software security
● define entry scenarios
● define strategic activity tracks
The Software Development Life Cycle with Security Incorporated
Phase 2
Brandon
❖ Designing Securely
❖ Integration of Security
❖ Implementation
Designing Securely
Influence
- Establish and follow best practices
- the best time to implement a security plan is early in the life cycle
- threat modeling must be completed during this phase
- Security Requirements
- security design review with an advisor for the project
- Privacy Requirements
- complete a detailed privacy analysis
- have a privacy subject matter expert
Integration of Security
Recommendations
- Functional and Design Spec
- section dedicated to impacts on security
- Security architecture document
- provides a description of security on a software project
- Attack surface measurement
- Product structure
- Minimize the default attack surface
Risk Management
Disaster recovery
- Have a plan
- Disasters are inevitable
- Risk Mitigation
- know what risks are associated with the project
- Options to handle a risk include: Assume, Avoid, Control, Transfer, Watch/Monitor
Security Management Cycle
Steps for Creating a Secure Design
● Making sure proper security protocols are defined
● Having a solid Security Plan and Disaster Recovery Plan
● Review Security protocols with experts in security
Phase 3
Charles
❖ Implementation Phase
❖ Securing the Implementation
What Occurs?
❖ After the system design documents are received, it is time for the project or application to be brought to life.
❖ This involves whatever actions are necessary to get the project up and running.
❖ Successful completion of this phase includes system deployment and training on the system.
Activities
❖ Activities in this phase also include the efforts required for utilization, including notification to end users, execution of training, and data entry or conversion.
❖ This phase continues until the production system is operating in accordance with the defined requirements and planning for sustainment has begun.
Security in the Implementation Phase
❖ When security comes into play in this phase, there are several actions that must be taken.
❖ One must create and maintain a list of recommended software frameworks, services and other software components.
Security (cont.)
❖ In addition, one must develop a list of guiding security principles as a checklist against detailed designs.
❖ Also, one must distribute, promote and apply the design principles to the project that is in development.
Reviewing
❖ The review and analysis of the software’s code is also required to ensure security.
❖ It is essential to review the code for the software being developed not only yourself, but with your peers as well.
❖ This portion of the phase is essential to the success of the project.
Security in the Testing Phase
Justin
❖ Security testing in software
❖ Types of software testing
❖ What it means to have secure software
What is Security Testing in Software
❖ Security testing in software is the process of revealing possible vulnerabilities in the system.
❖ Ensuring software quality
➢ Reliability: All functions within the software work.
➢ Resiliency: Software that can withstand the attempts of attackers.
➢ Recoverability: Software that can be restored if something goes wrong with a function or its resiliency.
How to Approach Security Testing
❖ Thinking outside the box
➢ Think like an attacker, in some cases from a user’s perspective and in other cases from a developer’s perspective.
❖ Must have a passion for technology
➢ Stay up to date with new technologies and adjust to new attack strategies.
➢ More than 317 million new pieces of malware were created in 2014.
Types of Software Testing
❖ Functional testing
➢ Unit testing breaks the software into smaller parts and tests each part individually
➢ Logic testing validates the accuracy of the software’s process logic
❖ Performance testing
➢ How the software performs when subjected to large volumes of data
➢ How the software performs when the peak load is exceeded
❖ Security testing
➢ Ensures the software is designed and developed in a way that reduces the risk of exploitation
➢ Black box / white box testing
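The slides list unit testing and security testing as separate types; in practice the two overlap, because the cheapest place to check a security property is a unit test that drives the public interface with the inputs an attacker would send. The following is an added example, not code from the slides or from any of the cited sources: a small path-validation helper (safe_join, a constructed name) together with one functional test and several black-box security tests that only use its public interface, which is exactly the black-box stance described on the next slide.

```python
"""Security-focused unit tests for a small path-validation function.

Added example, not from the original slides. safe_join and the sample
paths are constructed for illustration.
"""
import posixpath
import unittest


def safe_join(base_dir: str, user_path: str) -> str:
    """Return base_dir/user_path, refusing anything that escapes base_dir.

    Raises ValueError for empty names, absolute paths and any '..' component
    that survives normalisation.
    """
    if not user_path or user_path.startswith("/"):
        raise ValueError("path must be relative and non-empty")
    # Normalise first so that 'reports/../../x' collapses before inspection;
    # checking the raw string for '..' would miss nothing here, but checking
    # only the raw string and not the normalised one is a classic mistake.
    norm = posixpath.normpath(user_path)
    if any(part in ("..", "") for part in norm.split("/")):
        raise ValueError("path traversal rejected")
    full = posixpath.join(base_dir, norm)
    # Defence in depth: the result must still sit below base_dir.
    if not full.startswith(base_dir.rstrip("/") + "/"):
        raise ValueError("resolved path escapes base directory")
    return full


def is_rejected(base_dir: str, user_path: str) -> bool:
    """True if safe_join refuses the input; used by the tests below."""
    try:
        safe_join(base_dir, user_path)
    except ValueError:
        return True
    return False


class FunctionalTests(unittest.TestCase):
    """Unit test: does the normal case behave as specified?"""

    def test_simple_join(self):
        self.assertEqual(safe_join("/srv/files", "reports/q1.pdf"),
                         "/srv/files/reports/q1.pdf")

    def test_redundant_separators_are_normalised(self):
        self.assertEqual(safe_join("/srv/files", "./a//b.txt"),
                         "/srv/files/a/b.txt")


class SecurityTests(unittest.TestCase):
    """Black-box security tests: only the public interface is exercised."""

    def test_rejects_parent_traversal(self):
        self.assertTrue(is_rejected("/srv/files", "../etc/passwd"))

    def test_rejects_traversal_hidden_behind_a_valid_prefix(self):
        # Looks harmless until normalised.
        self.assertTrue(is_rejected("/srv/files", "reports/../../etc/passwd"))

    def test_rejects_absolute_path(self):
        self.assertTrue(is_rejected("/srv/files", "/etc/passwd"))

    def test_rejects_empty_name(self):
        self.assertTrue(is_rejected("/srv/files", ""))


if __name__ == "__main__":
    unittest.main()
```

The security tests are written against the same interface the functional test uses, so they run in the same CI job and fail the build the moment a refactor weakens the check; that is the "shift left" the cost slide earlier in the deck argues for.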
Types of Software Security Testing
❖ Black box testing
➢ A method of testing in which the tester has no knowledge of the software’s architecture or how it was built.
➢ Tests how the software behaves from a user’s perspective.
❖ White box testing
➢ A method of testing in which the tester has considerable knowledge of the software’s architecture, how it was built, and even its source code.
What it means to have secure software
❖ Successfully testing software means having quality software and achieving software assurance.
❖ Can we adequately secure software through testing?
Phase 5
Jordan
❖ Maintenance Phase
Maintenance Phase
❖ According to ithandbook.ffiec.gov, the Maintenance Phase involves making changes to hardware, software, and documentation to support its operational effectiveness.
❖ This includes making changes to improve a system’s performance, enhance security, correct problems, and/or address user requirements.
❖ Establishing appropriate change management standards and procedures helps to ensure modifications do not disrupt operations or negatively affect a system’s security or performance.
Maintenance Phase
❖ Systems and products are put in place, operating enhancements are developed and tested, and hardware and software components are added or replaced.
❖ Configuration management and control activities should be conducted to document any proposed or actual changes in the security plan of the system.
❖ Documenting information system modifications and evaluating the impact of these changes on the security of the system is key to preventing lapses in the system’s security accreditation.
Security Enhancing Process Models
❖ Microsoft’s Trustworthy Computing Security Development Lifecycle
❖ Support & Servicing
➢ Response Execution
➢ Security Servicing
❖ Control Gates
➢ Operational Readiness Review
➢ Change Control Board Review of Proposed Changes
➢ Review of POA&Ms
➢ Accreditation Decisions (every three years or after a major system change)
Key Security Activities
❖ Conduct an Operational Readiness Review
➢ Many times when a system transitions to a production environment, unplanned modifications to the system occur; a review should be considered to help mitigate risk and efficiently address last-minute surprises.
❖ Manage the Configuration of the system
➢ An effective agency configuration management and control policy and associated procedures are essential to ensure adequate consideration of the potential security impacts due to specific changes to an information system or its surrounding environment.
➢ Establish an initial baseline of hardware, software, and firmware components for the information system, and control and maintain an accurate inventory of any changes to the system.
❖ Institute processes and procedures for assured operations and continuous monitoring of the information system’s security controls
➢ The ultimate objective is to determine whether the security controls in the information system continue to be effective over time in light of the inevitable changes that occur in the system as well as the environment in which the system operates.
➢ This can be done in many ways, such as security reviews, self-assessments, configuration management, antivirus management, patch management, security testing and evaluation, or audits.
❖ Perform Reauthorization as required
➢ The static, single point-in-time risk determination and risk acceptance decision that occurs after initial authorization.
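The "manage the configuration" and "continuous monitoring" activities above both rest on one mechanical step: record a component baseline at authorization time, then compare the running system against it and route every difference to change control. The block below is an added example, not from the slides or from the referenced NIST/FedRAMP material; the inventories are constructed dictionaries of component name to (version, fingerprint), with the fingerprints being made-up short strings rather than real hashes. In a real deployment they would come from a package-manager or CMDB export, and the fingerprint would be the SHA-256 of the installed artifact.

```python
"""Baseline-versus-current component inventory comparison.

Added example for configuration management and continuous monitoring;
not part of the original slides. All component names, versions and
fingerprints below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Record = Tuple[str, str]            # (version, artifact fingerprint)
Inventory = Dict[str, Record]       # component name -> Record

# Constructed baseline, captured when the system was authorized.
BASELINE: Inventory = {
    "openssl":   ("3.0.13", "1f2e3d4c"),
    "nginx":     ("1.24.0", "9a8b7c6d"),
    "app-api":   ("2.4.1",  "5e6f7a8b"),
    "log-agent": ("0.9.2",  "c1d2e3f4"),
}

# Constructed snapshot of the same system some months later.
CURRENT: Inventory = {
    "openssl":         ("3.0.13", "1f2e3d4c"),  # unchanged
    "nginx":           ("1.25.2", "0a1b2c3d"),  # version bump: was it approved?
    "app-api":         ("2.4.1",  "deadbeef"),  # same version, new fingerprint
    "unapproved-tool": ("1.0.0",  "77777777"),  # never in the baseline
    # "log-agent" is gone: a monitoring control may have silently stopped
}


@dataclass
class Drift:
    """Differences between a baseline and a current inventory."""
    added: Dict[str, Record] = field(default_factory=dict)
    removed: Dict[str, Record] = field(default_factory=dict)
    changed: Dict[str, Tuple[Record, Record]] = field(default_factory=dict)

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.changed)


def compare(baseline: Inventory, current: Inventory) -> Drift:
    """Classify every component as unchanged, added, removed or changed."""
    drift = Drift()
    for name, rec in current.items():
        if name not in baseline:
            drift.added[name] = rec
        elif baseline[name] != rec:
            drift.changed[name] = (baseline[name], rec)
    for name, rec in baseline.items():
        if name not in current:
            drift.removed[name] = rec
    return drift


def classify(before: Record, after: Record) -> str:
    """Label a change for the change-control review queue.

    A changed fingerprint with an unchanged version is the more worrying
    case: nothing in the version string explains the difference, so the
    artifact was rebuilt out of band or modified in place.
    """
    if before[0] == after[0] and before[1] != after[1]:
        return "UNEXPECTED: same version, different fingerprint"
    return "VERSION CHANGE: needs an approved change record"


def report(drift: Drift) -> List[str]:
    """One human-readable line per finding, sorted for stable diffs."""
    lines: List[str] = []
    for name, rec in sorted(drift.added.items()):
        lines.append(f"ADDED   {name} {rec[0]} (not in baseline; review before accepting)")
    for name, rec in sorted(drift.removed.items()):
        lines.append(f"REMOVED {name} {rec[0]} (a control may be missing)")
    for name, (before, after) in sorted(drift.changed.items()):
        lines.append(f"CHANGED {name} {before[0]} -> {after[0]}: {classify(before, after)}")
    return lines


if __name__ == "__main__":
    for line in report(compare(BASELINE, CURRENT)):
        print(line)
```

Run on a schedule, a non-empty report is the trigger for the Change Control Board review the "Control Gates" slide lists; a clean report is the evidence that the accredited configuration still holds, which is what reauthorization asks for.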
Steps to Improve Development Methodology
❖ Assigning a security team to every development project
➢ Make it known that they are a big part of the team
❖ Educate developers about security and the attack surface
➢ The developers should understand the importance of security and all points of exposure
❖ Evaluate policies and procedures
➢ Review existing policies and procedures and in certain cases create new policies and
procedures focused on security
❖ Measure Success
➢ Building security into the SDLC reduces errors, reduces costs and creates a more secure
application
References
[1] R. Baskerville. Information systems security design methods: Implications for information systems development. ACM Computing Surveys, 25(4):375–414, Dec. 1993.
[2] G. Brose. A typed access control model for CORBA. In F. Cuppens, Y. Deswarte, D. Gollmann, and M. Weidner, editors, Proc. European Symposium on Research in Computer Security (ESORICS), LNCS 1895, pages 88–105. Springer, 2000.
[3] G. Brose. Access Control Management in Distributed Object Systems. PhD thesis, Freie Universität Berlin, 2001.
[4] The Ten Best Practices for Secure Software Development: https://www.isc2.org/uploadedfiles/(isc)2_public_content/certification_programs/csslp/isc2_wpiv.pdf
[5] Processes to Produce Secure Software: https://www.cigital.com/papers/download/secure_software_process.pdf
[6] Risk Mitigation Planning, Implementation, and Progress Monitoring: http://www.mitre.org/publications/systems-engineering-guide/acquisition-systems-engineering/risk-management/risk-mitigation-planning-implementation-and-progress-monitoring
[7] Disaster Recovery: Best Practices: http://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c11-453495.html
[8] Eternal Sunshine Of The IS Mind: https://eternalsunshineoftheismind.wordpress.com/2013/03/10/sdlc-phase-5-maintenance/
[9] On Point: http://www.onpointcorp.com/uploads/1385/doc/SecurityandtheSystemDevelopmentLifestyle_TimSmith_OnPoint0.pdf
[10] Nearly 1 million new malware attacks every day: http://money.cnn.com/2015/04/14/technology/security/cyber-attack-hacks-security/
[11] Software Security Testing: https://www.cs.purdue.edu/homes/xyzhang/fall07/Papers/sw-test.pdf
[12] Assuring Software Security Through Testing: https://www.isc2.org/uploadedfiles/(isc)2_public_content/certification_programs/csslp/software%20security%20through%20testing.pdf
[13] Operation/Maintenance Phase: http://www.fedramp.net/operation-maintenance-phase
Thanks for listening!
Any questions, comments, or concerns?