8 SDLC - Class
• 1. Install/Turn-On Controls:
• Turn on, configure and enable all security features.
• 2. Security Assessment:
• Certify/assess the system;
• testing security management, physical facilities, personnel,
procedures, the use of commercial or in-house services
(such as networking services), and contingency planning.
• 3. Authorization:
• The formal approval to operate by authorization
official (management)
• Explicit acceptance of risk.
Operation/Maintenance:
(System is modified/updated/audited as necessary)
• 1. Security Operations and Administration:
• Include backups, training, managing cryptographic keys, user
administration, and patching.
• 2. Operational Assurance:
• Check whether system is operated to its current security
requirements.
• 3. Audits and Monitoring:
• Audit against the five Trust Services Criteria (Security, Availability,
Processing Integrity, Confidentiality, Privacy)
• Time based (scheduled) or event based (triggered by a change or incident)
• 4. Monitoring – NIST SP 800-137 (Information Security Continuous Monitoring)
• ongoing system/software/user assessments that feed the audit step 3 above
Disposal
(The secure decommission of a system)
• Data location considerations:
• Data may be moved to another system, archived,
discarded, or destroyed.
• Media Sanitization (weakest to strongest):
• Delete/Erase/High-level format: only the file system metadata is removed; the data is still recoverable, so this is not sanitization
• Overwrite (the classic scheme is seven passes; NIST SP 800-88 treats a single verified pass as sufficient for modern magnetic disks, and overwriting does not reliably reach remapped or over-provisioned blocks on SSDs)
• Degauss: magnetic media only; also renders the drive unusable
• Physical Destruction: shredding, pulverizing, incineration
• Cloud Computing
• Crypto-Erase or Crypto-Shredding: data is encrypted at rest and sanitized by destroying the key; the only option when you do not control the physical media
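The crypto-erase bullet above, as an added example that is not part of the original class notes. It assumes per-tenant data-encryption keys (DEKs) held in a key store that stands in for a KMS or HSM (the `dekStore` map, the tenant names and the record contents are all constructed for this illustration): records are sealed with AES-256-GCM under their tenant's DEK, and shredding one tenant's key makes every ciphertext sealed under it permanently unrecoverable while leaving other tenants' records readable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is one stored object, encrypted under its own data-encryption key
// (DEK). Only the key identifier travels with the ciphertext.
type Record struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// dekStore stands in for a KMS or HSM in this example (assumption); a real
// deployment would never keep DEKs in a plain map beside the data.
type dekStore map[string][]byte

var errKeyDestroyed = errors.New("DEK destroyed: ciphertext is unrecoverable")

// provision creates a fresh 256-bit AES key for keyID and registers it.
func provision(store dekStore, keyID string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	store[keyID] = k
	return nil
}

// gcmFor looks up the DEK and builds an AES-GCM AEAD from it.
func gcmFor(store dekStore, keyID string) (cipher.AEAD, error) {
	key, ok := store[keyID]
	if !ok {
		return nil, errKeyDestroyed
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM under the DEK registered as keyID.
func seal(store dekStore, keyID string, plaintext []byte) (Record, error) {
	gcm, err := gcmFor(store, keyID)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{KeyID: keyID, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// unseal decrypts a Record; it fails permanently once its DEK is gone.
func unseal(store dekStore, r Record) ([]byte, error) {
	gcm, err := gcmFor(store, r.KeyID)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, nil)
}

// cryptoShred is the sanitization step: zero the key bytes and drop the
// reference. Every Record sealed under keyID is now unrecoverable wherever
// copies of its ciphertext still exist (backups, snapshots, remapped blocks),
// and records under other keys are untouched.
func cryptoShred(store dekStore, keyID string) {
	if k, ok := store[keyID]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(store, keyID)
	}
}

func main() {
	store := dekStore{}
	for _, id := range []string{"tenant-a", "tenant-b"} {
		if err := provision(store, id); err != nil {
			panic(err)
		}
	}
	recA, _ := seal(store, "tenant-a", []byte("tenant A customer record"))
	recB, _ := seal(store, "tenant-b", []byte("tenant B customer record"))
	cryptoShred(store, "tenant-a")
	_, errA := unseal(store, recA)
	ptB, _ := unseal(store, recB)
	fmt.Println("tenant-a after shred:", errA)
	fmt.Printf("tenant-b after shred: %q\n", ptB)
}
```

The point of the design is that the ciphertext never has to be found and overwritten: backups, storage snapshots and blocks the cloud provider has remapped all become useless the moment the key is gone, which is exactly the case the overwrite and degauss options cannot handle. In production the DEK would itself be wrapped by a key-encryption key in the KMS, and "destroy" would be a KMS operation with an audit record rather than a map delete.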
Web Vulnerabilities OWASP
Software Testing Methods
• Static –
• tests/review the code passively: the code is not running.
• Dynamic –
• tests the code while executing it.
• White box –
• the tester has access to program source code, data structures, variables, etc.
• Black box –
• no internal details: the software is treated as a black box that receives inputs and produces outputs.
• A Traceability Matrix –
• map customer’s requirements to the software testing plan: it “traces” the
“requirements,” and ensures that they are being met.
Software Testing Levels
• Unit Testing:
• Low-level tests of software components, such as functions, procedures or objects
• Installation Testing:
• Testing software as it is installed and first operated
• Integration Testing:
• Testing multiple software components as they are combined into a working system.
• Regression Testing:
• Testing software after updates, modifications, or patches
• Acceptance Testing:
• testing to ensure the software meets the customer’s operational requirements. When done
directly by the customer, it is called User Acceptance Testing
• Fuzzing (also called fuzz testing)
• feeds random or deliberately malformed (mutated) data into a program to find crashes, hangs and
memory errors. Classically black box; modern coverage-guided fuzzers (AFL, libFuzzer) instrument the
target so that inputs reaching new code are kept and mutated further.
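A minimal mutation fuzzer of the black-box kind described above, added here as an example and not part of the original class notes. The target is a small constructed TLV (type, length, value) parser with a deliberate bug: it trusts the length byte, so a buffer shorter than the declared length makes the slice expression panic. The fuzzer mutates a single well-formed seed, catches the panic, and reports the crashing input; `parseTLVSafe` is the hardened version that rejects the same input with an ordinary error. All names and the seed message are assumptions for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math/rand"
)

// parseTLV reads one type byte, one length byte, then `length` value bytes.
// Bug (deliberate, for the fuzzer to find): the length field is trusted, so a
// buffer shorter than 2+length makes the slice expression panic.
func parseTLV(b []byte) error {
	if len(b) < 2 {
		return errors.New("short header")
	}
	length := int(b[1])
	value := b[2 : 2+length] // panics when 2+length exceeds the buffer
	_ = value                // a real parser would consume value here
	return nil
}

// parseTLVSafe is the hardened version: the length is checked against the
// buffer before any slicing, and the mismatch becomes an ordinary error.
func parseTLVSafe(b []byte) error {
	if len(b) < 2 {
		return errors.New("short header")
	}
	length := int(b[1])
	if 2+length > len(b) {
		return fmt.Errorf("length %d exceeds %d available bytes", length, len(b)-2)
	}
	value := b[2 : 2+length]
	_ = value
	return nil
}

// runOne executes the target on one input and converts a panic into a
// reported crash instead of taking the whole fuzzer down.
func runOne(target func([]byte) error, input []byte) (crashed bool, msg string) {
	defer func() {
		if r := recover(); r != nil {
			crashed, msg = true, fmt.Sprint(r)
		}
	}()
	target(input) // an ordinary error return is not a crash
	return false, ""
}

// mutate applies one random mutation to a copy of in. The full slice
// expression on return sets cap == len, so an over-read hits the bounds check
// rather than silently reading spare capacity.
func mutate(rng *rand.Rand, in []byte) []byte {
	out := append([]byte(nil), in...)
	switch rng.Intn(4) {
	case 0: // flip one bit
		if len(out) > 0 {
			out[rng.Intn(len(out))] ^= 1 << uint(rng.Intn(8))
		}
	case 1: // overwrite a byte with a boundary value
		if len(out) > 0 {
			out[rng.Intn(len(out))] = []byte{0x00, 0x01, 0x7f, 0x80, 0xff}[rng.Intn(5)]
		}
	case 2: // truncate
		if len(out) > 1 {
			out = out[:rng.Intn(len(out))]
		}
	case 3: // insert a random byte
		i := rng.Intn(len(out) + 1)
		out = append(out[:i], append([]byte{byte(rng.Intn(256))}, out[i:]...)...)
	}
	return out[:len(out):len(out)]
}

// fuzz mutates the seed corpus for up to iterations rounds and returns the
// first crashing input with its panic message, or nil if none was found.
// It is purely black box: no coverage feedback, so the corpus never grows.
func fuzz(target func([]byte) error, seeds [][]byte, iterations int, seed int64) ([]byte, string) {
	rng := rand.New(rand.NewSource(seed))
	for i := 0; i < iterations; i++ {
		input := mutate(rng, seeds[rng.Intn(len(seeds))])
		if crashed, msg := runOne(target, input); crashed {
			return input, msg
		}
	}
	return nil, ""
}

func main() {
	seeds := [][]byte{{0x01, 0x03, 'a', 'b', 'c'}} // one well-formed TLV as the seed (constructed)
	if input, msg := fuzz(parseTLV, seeds, 10000, 1); input != nil {
		fmt.Printf("crash on input % x: %s\n", input, msg)
		fmt.Println("hardened parser on same input:", parseTLVSafe(input))
	}
}
```

The fixed PRNG seed makes a run reproducible, which is what you want when filing the crash; a coverage-guided fuzzer would additionally keep any mutated input that reached new code as a new corpus entry, which is the difference between this black-box loop and AFL or libFuzzer. In memory-unsafe languages the same length-trusting bug would be an out-of-bounds read rather than a clean panic, which is why fuzzing C targets is normally done under AddressSanitizer.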
Disclosure of Software Vulnerabilities
• Disclosure –
• actions taken by a security researcher after discovering a software
vulnerability
• Full Disclosure –
• Releasing vulnerability details publicly without first notifying the vendor
• Often considered unethical because black hats may benefit from the details,
e.g. by building zero-day exploits (exploits for vulnerabilities with no patch available)
• Responsible disclosure –
• Privately sharing vulnerability information with the vendor, and
• withholding public release until a patch is available.
• Generally considered to be the ethical disclosure option; in practice it is
usually run as coordinated disclosure with a fixed deadline (commonly 90 days),
after which details are published even if no patch has shipped
Software Capability Maturity Model
(CMM)
• (1) Initial: Characterized as ad hoc or chaotic. Few
processes are defined, and success depends on individual
effort.
• (2) Repeatable: Basic project management processes are in
place, so earlier successes on similar projects can be repeated.
• (3) Defined: Management and engineering activities are
documented, standardized, and integrated into a standard
software process for the organization.
• (4) Managed: Detailed measures of the software process
and product quality are collected, analyzed, and used to
control the process. Both the software process
and products are quantitatively understood and controlled.
• (5) Optimizing: Continual process improvement is enabled
by quantitative feedback from the process.