Secure Software
Software Development Life Cycle
Firoozeh Rahimian
University of Tulsa
Tulsa, Oklahoma
Objective
• Secure Software development
• Project Management (PM)
• Software Development Life Cycle (SDLC)
• Challenges
• Changes to PM and SDLC processes
Software Usage
• Part of everyday life
• Computers
• Embedded devices
• ATM
• Shopping
• Vehicles
Secure Software
• Current State
– Security not a priority
– Updates and patches are the norm
– Pass the issue down to the consumer
• Challenges
– Companies cannot track the cost incurred by security vulnerabilities
– Introduces additional cost to Software development
Secure Software
• Business strategy plans
– Cutting cost
– Streamlining processes
– Maintaining client base
– Improve market advantage
– Maintain regulatory compliances
• Security requirements not part of the strategy plan
PM/SDLC
• Companies utilize project management and SDLC processes for more efficient/faster Software development
• PM Methodology Goals
– Manage cost, resources, and scope
– Manage risks and flaws
– Typically track functionality and related vulnerabilities/flaws
– Contingency plans to handle vulnerabilities/flaws that are not fixed
PM/SDLC
• SDLC Goals
– Ensure the delivery of high-quality systems
• return on investment is the primary measure of success
– Provide strong management controls
• Accurately estimate how long a project will take
• Accurately estimate how many resources it will require
• Accurately estimate how much it will cost
– Maximize productivity
• scrap and rework are minimized
• start-up time is minimized
• use of off-the-shelf components
SDLC Phases
• Phase 0 – developer training
– Developers need to be educated and made aware of security
– Establish expectations, best practices, roles/responsibilities
• Phase 1 – Requirements gathering
– Include security requirements as part of the scope
– Identify all security requirements (policies, standards, regulatory)
• Phase 2 – System Design
– Technical/non-technical security control requirements determined
– Implement threat modeling and design reviews
– Ensure soundness of design and architecture
SDLC Phases
• Phase 3 – Development and unit testing
– Static analysis, peer reviews, automated tools, security reviews
– Developers do not test their own code
• Phase 4 – System Testing
– Include security testing based on the requirements
– Use security test cases
– Developers do not perform security tests
• Phase 5 – Deployment
– Change management process
– Require approval from security experts
– Review all test cases and test results
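The Phase 3 and Phase 4 bullets above (static analysis and automated tools during development; security test cases derived from the requirements during system testing) are easier to act on with a concrete artifact in hand. The block below is an added example and is not code from the slides; it constructs two hypothetical requirements (SEC-01: upload names must resolve below an assumed UPLOAD_ROOT; SEC-02: no eval()/exec() or shell=True calls in application code), pairs a flawed upload-path resolver with a hardened one, and traces each requirement to an executable test case, the second one being a small static-analysis pass over constructed sample source using Python's ast module. The requirement IDs, the upload root and the sample sources are all made up for illustration.

```python
"""Added example: security requirements traced to executable security test cases.

Constructed requirements (not from the slides):
  SEC-01  user-supplied upload names must resolve to a path strictly below UPLOAD_ROOT
  SEC-02  application code must not call eval()/exec() or pass shell=True to a call
SEC-01 is verified by a behavioural test case, SEC-02 by a static-analysis check.
"""
import ast
import posixpath
from typing import Callable, Dict, List, Tuple

UPLOAD_ROOT = "/srv/uploads"  # assumed location for the example

# Constructed inputs a tester would feed the resolver for SEC-01, plus one benign name.
TRAVERSAL_PAYLOADS = ["../etc/passwd", "a/../../etc/shadow", "/etc/passwd", "..", ""]
BENIGN_NAME = "reports/q3.pdf"


def resolve_upload_path_vulnerable(name: str) -> str:
    """Flawed resolver: joins and normalises but never checks where the result ended up."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))


def resolve_upload_path(name: str) -> str:
    """Hardened resolver: reject anything that does not stay strictly below UPLOAD_ROOT.

    posixpath.join discards UPLOAD_ROOT when name is absolute, and normpath
    collapses '..' segments, so the prefix check on the normalised result is
    what actually enforces the requirement.
    """
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))
    if not candidate.startswith(UPLOAD_ROOT + "/"):
        raise ValueError(f"SEC-01 violation: {name!r} resolves to {candidate}")
    return candidate


def check_sec01(resolver: Callable[[str], str]) -> bool:
    """SEC-01 test case: every traversal payload is rejected, the benign name is accepted."""
    for payload in TRAVERSAL_PAYLOADS:
        try:
            resolver(payload)
        except ValueError:
            continue
        return False  # payload was accepted: requirement not met
    return resolver(BENIGN_NAME) == UPLOAD_ROOT + "/" + BENIGN_NAME


def find_dangerous_calls(source: str) -> List[Tuple[int, str]]:
    """SEC-02 static check: report eval()/exec() calls and any call passing shell=True."""
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        if isinstance(node.func, ast.Name) and node.func.id in ("eval", "exec"):
            findings.append((node.lineno, f"call to {node.func.id}()"))
        for kw in node.keywords:
            if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                findings.append((node.lineno, "call with shell=True"))
    return findings


# Constructed source snippets standing in for code submitted for review.
CLEAN_SOURCE = '''
import subprocess
def list_dir(path):
    return subprocess.run(["ls", "--", path], capture_output=True, check=True)
'''
FLAWED_SOURCE = '''
import subprocess
def list_dir(path):
    return subprocess.run("ls " + path, shell=True)
def compute(expr):
    return eval(expr)
'''


def check_sec02(source: str) -> bool:
    """SEC-02 test case: passes only when the static check reports nothing."""
    return find_dangerous_calls(source) == []


def run_security_tests(resolver: Callable[[str], str], source: str) -> Dict[str, bool]:
    """Run every requirement-tagged test; result keys are the requirement IDs so
    a failure can be traced straight back to the requirement it violates."""
    return {"SEC-01": check_sec01(resolver), "SEC-02": check_sec02(source)}


if __name__ == "__main__":
    print("vulnerable build:", run_security_tests(resolve_upload_path_vulnerable, FLAWED_SOURCE))
    print("hardened build:  ", run_security_tests(resolve_upload_path, CLEAN_SOURCE))
```

Keying the results by requirement ID is the point of the exercise: it is what lets the Phase 5 reviewer who must "review all test cases and test results" see which Phase 1 requirement each result covers, and it gives the post-deployment tracking in Phase 6 something to refer back to.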
SDLC Phases
• Phase 6 – Documentation and training
– Documentation on proper use of Software
– Training for maintenance/support staff
– Post measurement and tracking
Conclusion
• Software is never static
• Flaws are inevitable
• Utilize SDLC to
– Catch flaws before and after coding and during unit/system testing
– Better identify and track security requirements related to software vulnerabilities
– Mechanism to track vulnerabilities after implementation