Professional Documents
Culture Documents
Chapter 5 Notes
Chapter 5 Notes
Chapter 5 Notes
5.1 Project Scheduling: Basic principle, Work breakdown structure , Activity network
and critical path method, Scheduling techniques (CPM,PERT)
5.2 Project Tracking : Timeline charts, Earned Value Analysis, Gantt Charts
5.3 Software Quality Management Vs Software Quality Assurance. phases of software
quality assurance: Planning, Activites, Audits, and review
5.4 Quality Evaluation standards : Six sigma, ISO for software, CMMI: levels, Process
areas.
5.5 Software Security, Introduction to DevOps, Secure software engineering.
----------------------------------------------------------------------------------------------------------- -
Project Scheduling:
● Scheduling is the culmination of a planning activity that is a primary component of
software project management.
● When combined with estimation methods and Risk analysis, scheduling establishes
a road map for the project manager.
● It is one of the most difficult jobs for a project manager.
● It begins with process decomposition. It involves separating total work involved in
a project into separate activities and judging the time required to complete these
activities.
● Managers estimate time and resources required to complete activities and organize
them into a coherent sequence.
● When estimating schedules, you should NOT assume that every stage of the project
will be problem-free.
○ People may fall ill or may leave
○ Hardware may break down
○ Essential software/hardware may be delivered late
● If the project is new & technically advanced, Then certain parts of it may turn out
to be more difficult and take longer than originally anticipated.
There are many design goals for WBS. Some important goals are as follows:
● Giving visibility to important work efforts.
● Giving visibility to risky work efforts.
● Illustrate the correlation between the activities and deliverables. ● Show clear
ownership by task leaders.
WBS Diagram
● In a WBS diagram, the project scope is graphically expressed. Usually the diagram
starts with a graphic object or a box at the top, which represents the entire project.
Then, there are sub-components under the box.
● These boxes represent the deliverables of the project. Under each deliverable, there
are sub-elements listed. These sub-elements are the activities that should be
performed in order to achieve the deliverables.
● Although most of the WBS diagrams are designed based on the deliveries, some
WBS are created based on the project phases. Usually, information technology
projects are perfectly fit into WBS model.
● Therefore, almost all information technology projects make use of WBS.
● In addition to the general use of WBS, there is specific objective for deriving a WBS
as well. WBS is the input for Gantt charts, a tool that is used for project management
purpose.
● Following is a sample WBS diagram:
● The efficiency of a work breakdown structure can determine the success of a project.
● The WBS provides the foundation for all project management work, including,
planning, cost and effort estimation, resource allocation, and scheduling.
● Therefore, one should take creating WBS as a critical step in the process of project
management.
------------------------------------------------------------------------------------------------------------
Activity network
● It is a graphic representation of the task flow for a project.
● An Activity Network Diagram is a diagram of project activities that shows the
sequential relationships of activities using arrows and nodes.
● It depicts task length, sequence, concurrency, and dependency
● Points out inter-task dependencies to help the manager ensure continuous progress
toward project completion.
● An activity network diagram tool is used extensively in and is necessary for the
identification of a project’s critical path (which is used to determine the expected
completion time of the project).
Example: Suppose the team is tasked with improving the process of building a house. The
team lists the major steps involved – everything from the excavation step through the
landscaping step.
The team creates a chart – Activity Network Diagram – where the nodes (the boxes)
represent the nine major steps involved in building a house. Arrows that connect the nodes
show the flow of the process.
Some of the process steps (nodes A, B, and C) run in series, while other process steps
(nodes D, E, and F) run in parallel. Notice that Step B cannot happen until step A has been
completed. Likewise, step C cannot happen until step B has completed. Step H cannot
happen until steps D, E, and F have completed – and ALL need to be completed before
Step H. So, nodes A, B, and C are running in series. Nodes D, E, and F run in parallel. This
is important to know because those steps that are running in parallel most likely will have
different expected completion times.
Critical Path:
● The team’s job is to take note of which of the nodes D, E, and F, will be taking the
most amount of time, and which of those nodes is expected to take the least amount
of time. This is essential when creating the Critical Path.
● For instance, if node D is expected to take the most amount of time as compared
with nodes E and F, it is not important that nodes D and E start at the exact same
time as node F.
● Those steps can start later, but they have to be finished no later than the most time
consuming of the three steps that run in parallel.
● The team evaluates the nine steps and come to a consensus on how many days each
of the nine steps will take
● The critical path is a line that goes through all of the nodes that have the longest
expected completion times.
Optimistic Time:
● The team might want to know what the best case (Optimistic Time), in terms of
time, would be.
● To come up with that number, the team would decide upon the shortest possible time
for each of the nodes, and then add those up.
● The numbers in parenthesis are the most optimistic times.
(4+2+10+8+8+7+4 = 43)
Pessimistic Time:
● The team also might want to know what the worst case (Pessimistic Time), in terms
of time, would be.
● To come up with that number, the team would decide upon the longest possible time
for each of the nodes, and then add those up.
● Note: To determine the best case or the worst case, the critical path line must be
followed. The numbers in parentheses are the most pessimistic times.
(7+3+14+10+11+8+6 = 59)
● Remember, you are only calculating the numbers along the critical path when
calculating the most optimistic and pessimistic times.
Expected Time:
So what does all of this mean? It means the project most likely will take 50 days, but it
could take 59 days, or it can be done as soon as 43 days.
Control Bands:
We could calculate control bands around the average. Here’s how we do that:
For the critical path, we can expect the project to take from 47.6 days to 53.0 days
50.3 + 2.7 = 53 on the high side 50.3
– 2.7 = 47.6 on the low side.
------------------------------------------------------------------------------------------------------------
Project Tracking:
● Project Tracking is a method of project management for following the progress (or
lack thereof) of activities involved in projects.
● Potential issues can be spotted and solved by team members and leaders.
● Tracking projects from the beginning, dealing with problems quickly and
proactively making decisions is what successful project managers do.
● Managing all tasks and activities involved, handling multiple files involved and
most importantly, the people who make up the team make this incredibly
challenging.
Timeline charts:
● A timeline chart is an effective way to visualize a process using chronological order.
Since details are displayed graphically, important points in time can be easily seen
and understood.
● Often used for managing a project’s schedule, timeline charts function as a sort of
calendar of events within a specific period of time.
Need of Timeline Charts:
● Staying on track can be a struggle.
● By incorporating a timeline chart into your project, it becomes much easier to see
what needs to be done, how long it will take, and what the next steps are. ● Since
each steps is documented along an easy to follow timescale, there’s no
misunderstanding of when goals should be met and how many hours a project should
take.
How to make a timeline chart
1. Begin by listing each milestone throughout your project.
2. Place these milestones along a horizontal line, from start to finish.
3. Associate each step with a specific date to represent a deadline.
4. Include titles to clarify key points along the process (phases, testing, planning, etc.).
Gantt Chart:
● Gantt charts was devised by Henry Gantt (1917). It represents project schedule with
respect to time periods. It is a horizontal bar chart with bars representing activities
and time scheduled for the project activities.
● A Gantt Chart is a timeline that is used as a project management tool to illustrate
how the project will run.
○ You can view individual tasks, their durations and the sequencing of these
tasks.
○ View the overall timeline of the project and the expected completion date.
○ As the project moves forward with actual performance updated, the Gantt
Chart will adjust simultaneously displaying an up-to-date project schedule
with new start and finish dates for incomplete tasks and record the original
baseline of your plan.
Benefits using a Gantt Chart
1. The Gantt Chart could be used to communicate with your clients. You could show
them your project plan and the expected completion date. Your clients can visually
see each stage of the project and have a better understanding of the project and key
milestone.
2. You could provide this Gantt Chart in a tender proposal. Your tender response will
look appealing when complimented with a professional Gantt Chart program. It can
be used to show your understanding of the requirements of the project, and can
demonstrate your ability to plan and manage in the eyes of the tender evaluation
panel.
3. Assist in Communication with Staff and Contractors. You could supply this Gantt
Chart to staff and contractors to communicate when their services are required.
4. Run your project with greater efficiency with improved cost and time outcomes.
● Schedulemaker
● Planisware OPX2
● RiskTrak
● Winsight
● Primavera
------------------------------------------------------------------------------------------------------------
● Disadvantage of SQA:
1. Adding more resources,
2. Employing more workers to help maintain quality.
SQA Activities:
The SEI (Software Engineering Institute) recommends a set of SQA activities that address
quality assurance planning, record keeping, analysis, and reporting.
Following activities are performed by an independent SQA group:
1. Prepares an SQA plan for a project: The program is developed during project
planning and is reviewed by all stakeholders. The plan governs quality assurance
activities performed by the software engineering team and the SQA group. The plan
identifies calculations to be performed, audits and reviews to be performed,
standards that apply to the project, techniques for error reporting and tracking,
documents to be produced by the SQA team, and amount of feedback provided to
the software project team.
2. Participates in the development of the project's software process description:
The software team selects a process for the work to be performed. The SQA group
reviews the process description for compliance with organizational policy, internal
software standards, externally imposed standards (e.g. ISO-9001), and other parts
of the software project plan.
3. Reviews software engineering activities to verify compliance with the defined
software process: The SQA group identifies, reports, and tracks deviations from
the process and verifies that corrections have been made.
4. Audits designated software work products to verify compliance with those
defined as a part of the software process: The SQA group reviews selected work
products, identifies, documents and tracks deviations, verify that corrections have
been made, and periodically reports the results of its work to the project manager.
5. Ensures that deviations in software work and work products are documented
and handled according to a documented procedure: Deviations may be
encountered in the project method, process description, applicable standards, or
technical work products.
6. Records any noncompliance and reports to senior management: Non-
compliance items are tracked until they are resolved.
Audit:
● Audit is an independent examination of a work product or set of work products, to
verify whether or not the product is in compliance with policies, specifications,
standard contractual agreements, or other criteria.
● Audits should be planned on a regular basis. High-risk areas should be audited more
often to ensure conformance. Audits are also used to check any previously Identified
non-conformances.
● It is always best to choose a team of auditors from within the organization; your
audit team should comprise people from all areas and levels of the company. Audits
need to be documented.
● During an audit, evidences are used to verify that the processes are being done in
accordance to the procedures and policies. Evidence.should be recorded against each
section being audited.
● Recording of evidence needs to have description of the documentation sighted,
number, date and any other information that will assist in identifying that document.
● Non-conformances found should be reported for further action. A date should be
established for the correction, a follow-up audit should be carried out to ensure that
the non-conformance has been fixed.
● Quality Audit Documentation:
Audit documentation does not need to be complicated, normally there are
three documents namely, the audit plan, audit notes and audit report.
1. The Audit Plan: The audit plan is sent to the department being audited a few
days prior, it should include the date of the audit, the planned time, duration,
auditor's names, location and the policies and procedures that will be used during
the audit. It should also mention any non-conformances that were found during
the last audit.
2. Audit Notes: The notes are the Auditor's questions that will be asked during the
audit. It should include references to particular policies and procedures and what
will be asked during the audit. The same document should be used to record the
findings and any comments during the audit.
3. Audit Report: The audit report should include details of the audit, date,
Auditor's name, policies and procedures and findings against them.
Review:
● Software reviews are a filter for the software engineering process. Reviews are
applied at various points to find the errors before they are passed on to another
software engineering activity or released to the customer.
● Reviews provide a powerful way to improve quality by providing a means by which
defects can be detected (and corrected) early in development.
● A review is away to:
1. Point out needed improvements in the product. .
2. Confirm those parts of a product in which improvement is either not desired or
not needed.
● Objectives of Review:
1. To uncover errors in function, logic, or implementation for any representation of
the software.
2. To verify that the software under review meets its requirements.
3. To ensure that the software has been represented according to predefined
standards.
4. To achieve software that is developed in a uniform manner.
5. To Make Projects More Manageable.
● Classes of Review:
Reviews are divided into following classes:
1. Informal Reviews:
● An informal meeting is a form of review if technical problems are discussed.
● It is also called peer-review i.e. simply giving a document to a colleague and
asking them to look at it closely which will identify defects we might never
find on our own.
● It is generally a one-on-one meeting between the author of a work product
and a peer. No agenda is required and results are also not formally reported:
2. Formal reviews:
● A formal review can range from a simple meeting between two programmers to a
detailed inspection of the code.
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
Quality Evaluation standards:
Six sigma:
● Six Sigma is the process of improving the quality of the output by identifying and
eliminating the cause of defects and reducing variability in manufacturing and
business processes.
● The maturity of a manufacturing process can be defined by a sigma rating indicating
its percentage of defect-free products it creates.
● A six sigma method is one in which 99.99966% of all the opportunities to produce
some features of a component are statistically expected to be free of defects (3.4
defective features per million opportunities).
DMAIC:
● It specifies a data-driven quality strategy for improving processes. This
methodology is used to enhance an existing business process. ● The DMAIC project
methodology has five phases:
DMADV:
● It specifies a data-driven quality strategy for designing products and processes.
● This method is used to create new product designs or process designs in such a way
that it results in a more predictable, mature, and defect free performance. ● The
DMADV project methodology has five phases:
The ISO 9000 series of standards is based on the assumption that if a proper stage is
followed for production, then good quality products are bound to follow automatically. The
types of industries to which the various ISO standards apply are as follows.
1. ISO 9001: This standard applies to the organizations engaged in design,
development, production, and servicing of goods. This is the standard that applies
to most software development organizations.
2. ISO 9002: This standard applies to those organizations which do not design
products but are only involved in the production. Examples of these category
industries contain steel and car manufacturing industries that buy the product and
plants designs from external sources and are engaged in only manufacturing those
products. Therefore, ISO 9002 does not apply to software development
organizations.
3. ISO 9003: This standard applies to organizations that are involved only in the
installation and testing of the products. For example, Gas companies.
How to get ISO 9000 Certification?
An organization determines to obtain ISO 9000 certification applies to ISO registrar office
for registration. The process consists of the following stages:
1. Initial Level:
At this level of CMMI, the processes are rather unpredictable and reactive. These are the
levels that consume extra time to complete the work. At this level, the organization is at its
worst with an unpredictable environment and increased chances of risks and incompetence.
2. Managed:
The processes have already passed level one and are now better planned, performed,
measured and controlled but still is not free from issues and there are lot many issues to
address.
CMMI Maturity Level 2 – Managed
REQM – Requirements Management
PP – Project Planning
CM – Configuration Management
MA – Measurement and Analysis
PPQA – Process and Product Quality Assurance
PMC – Project Monitoring and Control
SAM – Supplier Agreement Management 3.
Defined:
By now the organizations are more pre-emptive than responsive. There’s a set of
“organization-wide standards” to “provide guidance across projects, programs and
portfolios.” By now organizations understand their shortcomings and way to deal with
them to improve their processes
CMMI Maturity Level 3 – Defined
RD – Requirements Development
DAR – Decision Analysis and Resolution
OPF – Organizational Process Focus
IPM – Integrated Project Management +IPPD
OT – Organizational Training
OPD – Organizational Process Definition +IPPD
PI – Product Integration
RSKM – Risk Management
VAL – Validation
TS – Technical Solution
VER – Verification
4. Quantitatively Managed:
The organization at this level reaches a high maturity level where it is in a stage to
determine predictable processes based on stakeholders requirements. The processes are
more managed, dignified and precise. The organization is now ahead of threats and follows
the data-driven approach for process deficiencies.
CMMI Maturity Level 4 – Quantitatively Managed
OPP – Organizational Process Performance
QPM – Quantitative Project Management 5.
Optimizing:
Now the organization is at a stage of stability and flexibility. Now the organization is
constantly heading towards improvement and retorting opportunities. At level 5 or
optimizing level of CMMI, the organization follows “agility and innovation,” in an
anticipated environment.
CMMI Maturity Level 5 – Optimizing
OID – Organizational Innovation and Deployment
CAR – Causal Analysis and Resolution
When organizations enter Levels 4 and 5, they enter a high maturity level, constantly
growing, acclimatizing and developing to meet the needs of investors and clients.” Finally,
they are on the verge of attaining the goals of CMMI.
CMMI tools
There are various CMMI tools available in the market. Choice of these tools depends on
the business’s needs. During the Maturity level 2 or 3, you can take the help of your CMMI
consultant to design customized tools. You might have to consider the following tools:
● Bug tracker
● Project and document management
● Metrics tools
● Estimation
● Integration application
Process Areas:
● Key Process Areas (KPA) of a software organization:
● Except for CMMI level 1, each maturity level is featured by several Key Process
Areas (KPAs) that contains the areas an organization should focus on improving its
software process to the next level.
● The focus of each level and the corresponding key process areas are shown in the
fig.
● SEI CMM provides a series of key areas on which to focus to take an organization
from one level of maturity to the next.
● Thus, it provides a method for gradual quality improvement over various stages.
● Each step has been carefully designed such that one step enhances the capability
already built up.
------------------------------------------------------------------------------------------------------------
Software Security:
Software security is an idea implemented to protect software against malicious attack and
other hacker risks so that the software continues to function correctly under such potential
risks.
Security is necessary to provide integrity, authentication and availability.
Need of security:
● Due to heavy dependence of computer network-based applications on various
software and software controlled systems, software security has become an essential
issue.
● Almost every software controlled system faces potential threats from system user,
both insiders and outsiders. It is well accepted that "the root of most security
problems is software that fails in unexpected ways when under attack". Therefore,
software must be engineered with protection mechanisms against attacks.
● Software should be designed with the objective not only of implementing the quality
functionalities required for their users, but also of combating potential and
unexpected threats.
● The principal objectives of software security engineering need to be reinvestigated,
and a methodology is required that can be employed for building secure software
systems.
● Software security engineering is a practice to address software security issues in a
systematic manner.
Core Security Properties of Secure Software:
Following are the consequences based on security basics:
1. Integrity: Verification that the information contained in the message is not
tampered accidentally or deliberately, during transmission.
2. Non-repudiation: There can be no denial on the part of the sender of having sent a
message that is digitally signed.
3. Confidentiality: Means that the information contained in the message is kept
private and only the sender and the intended recipient will be able to read it.
4. Authentication: Verification that the people with whom we are corresponding
actually are who they claim to be.
5. Availability: Availability is defined as the requirements should focus on how
available resource should be for authorized users.
Fig below depicts the stages of Software Security Life Cycle (SSLC). Recently, the most
of the researchers have shifted from a project-oriented view to a product life cycle oriented
view of software security and trying to understand the characteristics of security demands.
Jenkins is a popular tool used in this phase. Whenever there is a change in the Git
repository, then Jenkins fetches the updated code and prepares a build of that code, which
is an executable file in the form of war or jar. Then this build is forwarded to the test server
or the production server.
3) Continuous Testing:
This phase, where the developed software is continuously testing for bugs. For constant
testing, automation testing tools such as TestNG, JUnit, Selenium, etc are used. These
tools allow QAs to test multiple code-bases thoroughly in parallel to ensure that there is no
flaw in the functionality. In this phase, Docker Containers can be used for simulating the
test environment.
Selenium does the automation testing, and TestNG generates the reports. This entire testing
phase can automate with the help of a Continuous Integration tool called Jenkins.
Automation testing saves a lot of time and effort for executing the tests instead of doing
this manually. Apart from that, report generation is a big plus. The task of evaluating the
test cases that failed in a test suite gets simpler. Also, we can schedule the execution of the
test cases at predefined times. After testing, the code is continuously integrated with the
existing code.
4) Continuous Monitoring:
Monitoring is a phase that involves all the operational factors of the entire DevOps process,
where important information about the use of the software is recorded and carefully
processed to find out trends and identify problem areas. Usually, the monitoring is
integrated within the operational capabilities of the software application.
It may occur in the form of documentation files or maybe produce large-scale data about
the application parameters when it is in a continuous use position. The system errors such
as server not reachable, low memory, etc are resolved in this phase. It maintains the security
and availability of the service.
5) Continuous Feedback:
The application development is consistently improved by analyzing the results from the
operations of the software. This is carried out by placing the critical phase of constant
feedback between the operations and the development of the next version of the current
software application.
The continuity is the essential factor in the DevOps as it removes the unnecessary steps
which are required to take a software application from development, using it to find out its
issues and then producing a better version. It kills the efficiency that may be possible with
the app and reduce the number of interested customers.
6) Continuous Deployment:
In this phase, the code is deployed to the production servers. Also, it is essential to ensure
that the code is correctly used on all the servers.
The new code is deployed continuously, and configuration management tools play an
essential role in executing tasks frequently and quickly. Here are some popular tools which
are used in this phase, such as Chef, Puppet, Ansible, and SaltStack.
Containerization tools are also playing an essential role in the deployment phase. Vagrant
and Docker are popular tools that are used for this purpose. These tools help to produce
consistency across development, staging, testing, and production environment. They also
help in scaling up and scaling down instances softly.
Containerization tools help to maintain consistency across the environments where the
application is tested, developed, and deployed. There is no chance of errors or failure in
the production environment as they package and replicate the same dependencies and
packages used in the testing, development, and staging environment. It makes the
application easy to run on different computers.
7) Continuous Operations:
All DevOps operations are based on the continuity with complete automation of the release
process and allow the organization to accelerate the overall time to market continuingly. It
is clear from the discussion that continuity is the critical factor in the DevOps in removing
steps that often distract the development, take it longer to detect issues and produce a better
version of the product after several months. With DevOps, we can make any software
product more efficient and increase the overall count of interested customers in your
product.
------------------------------------------------------------------------------------------------------------
Secure software engineering.
● Security is considered as a very critical issue for software engineering. Software is
itself a resource and thus must be afforded appropriate security.
● The engineering of secure software software / systems emphasizes security
from a software engineering perspective and deals with technical, as well as
managerial aspects of software security.
● Secure software engineering approach is actually the most structured way of
developing secure software by taking the security right from requirement to the
design, implementation and testing stages of software development ● Defining
Properties of Secure Software:
1. A set of core properties whose presence (or absence) are the ground truth that
makes software secure (or not), and
2. A set of influential properties that do not directly make software secure but
do make it possible to characterize how secure software is.
● There is a difference between software security and application security. Software
security is concerned with addressing the security in the development phases of
the software whereas application security is concerned with protecting the
software after the development phase by means of various protection mechanisms
like intrusion detection, firewalls etc.
● Secure software development focuses on the security issues right from the
beginning from requirement, design and implementation phases of SDLC. Many
ideas of Secure Software Development (SSD) methods have been proposed.
● However, the process of software development still follows the conventional
SDLC models and process. The secure software development lifecycle is
comprised of phases such as Software Security Requirements,Secure Software
architecture and Design,Secure Software Implementation and Coding and Security
Assurance.
● Fig. above shows the stages for secure software development process with the core
activities to be carried out at each of the stage. These stages only tell what is to be
achieved not the how it can be achieved .
● The lifecycle in order to develope the secure software is due to multifaceted nature
of the software security.
● It is a complex problem to identify which factors constitute to the security of the
system, also the software system have different environment factors under which
they operate.
● The difficulty behind the specification of operations that can be performed in each
of the stages of.
● There are various security specification languages such as UMLsec, secureUM,
SecureTropos, MisuseCase, AbuseCase,UMlintr and AsmlSec.
● Design is the blueprint of the overall structure of the software, it address the
definition of the overall structure of the software. The incorporation of security
into the software design process is influenced by both the software design concepts
and security methods.
● Defining the overall structure of the software from the security perspective entails
identifying those components whose correct functioning is essential to security and
identifying design techniques that will assure its security.
● For the secure software development process the security needs to be taken into
consideration from the requirement taken to design followed by the
implementation (coding). Secure software implementation (coding) involves the
process and application of secure coding standards and guidelines, application of
security testing tools including “fuzzing”, static-analysis code scanning tools, and
conducting code reviews in order to eliminate the vulnerabilities in the code.
● Fig. above shows the various security measures to be taken at each phase of SDLC
in software engineering.
1. Security in Requirements Phase:
● Building a 100% secure system is hardly possible. In SDLC a lot of
problems arise because of inadequate Requirements Analysis. It is one of
the main causes of over budgeted and delayed projects.
● Also problems at this phase cause poor quality applications and have
reduced scope. So, this phase should be given the utmost importance. From
this layer itself, security features should be planned. Detailed requirements
of specific systems with respect to security police should be specified.
● Recommendations for this phase includes policy on disclosure of
information, Authentication and password management, Authorization and
role management, Network and data security, Cryptography and key
management and so on.
2. Security in design phase:
● At the design and architecture level, a system must be coherent and present
a unified security architecture that takes into account security. Designers,
architects, and analysts must clearly document assumptions and identify
possible attacks.
● Recommendations for this phase includes:
(i) Risk should be covered using multiple defensive strategies. In case one
layer of protection turns out to inadequate, the next level of defensive
strategy will prevent full breach.
(ii) Secure design guidelines and principles should be followed while
developing the initial design. Secure design patterns should either be
followed or used for guidance. Secure design decisions should be
specified using a secure design specification language.
(iii) To identify security errors.
(iv) Threat Analysis (risk analysis) should be undertaken that helps
identifying issues before code is committed so that they can be
mitigated in early SDLC. It involves identifying the conditions that
cause incidents and analyzing them.
(v) Standard proven security toolkits (cryptographic and protocol
libraries) should be selected.
3. Security in Implementation Phase:
● For the implementation phase, a secure programming languages should be
selected to minimize security errors, Moreover, secure coding standards
and guidelines should be followed.
● This phase also requires full consideration as per security is concerned.
Here, the focus must be on implementation flaws. One may make use of
tools that scan source code and detect common vulnerabilities. A security
team should perform a code walkthrough with the developers and,in some
cases, the system architects.
● Recommendations for this phase includes:
(i) Use of unsafe functions should be avoided or minimized. Look for
potential buffer overflows, array out of bound errors, integer underflow
and overflow, as well as data truncation errors.
(ii) Latest compiler toolset should be used.
(iii) Manual code review must be done. Identify malicious behavior.
Know what good traffic looks like.
(iv) All inputs and outputs must be validated.
(v) Static and dynamic code analysis tools can be used to aid code review
process to find vulnerabilities. Static analysis tool, also called source
code analyzer examine a program's text without attempting to execute
it.
Dynamic analysis requires actually running the code.