
Applications & Systems Development

Learn about the Software Development Life Cycle (SDLC) and the security issues involved. Discover the different stages, from requirements analysis to testing and maintenance. Explore security considerations and best practices for each stage.

angeliqued




Presentation Transcript


  1. Applications & Systems Development: A very brief overview of the SDLC and the security issues involved.

  2. Generic Systems Engineering Process
     • Discover Needs
     • Define System Requirements
     • Design System Architecture
     • Develop Detailed Design
     • Implement System
     • Assess Effectiveness of System

  3. A simplistic software development model
     • Diagram stages: System Requirements, Software Requirements, Analysis, Program Design, Coding, Testing, Operations & Maintenance

  4. The Waterfall development model
     • Going back only one stage limits rework and enhances control
     • Diagram stages: System Requirements, Analysis, Design, Coding, Testing, Operations & Maintenance

  5. A modified Waterfall development model that enforces comparison against specific baselines
     • Verification: doing the job right
     • Validation: doing the right job
     • Diagram stages: System Requirements, Software Requirements, Product Design, Coding, Integration, Product Implementation, Operations & Maintenance
     • Checks attached to the stages: Validation, Verification, Unit Testing, System Test, Revalidation

  6. The Spiral Model

  7. Cost Estimation Models :-)
     • Basic COnstructive COst Model (COCOMO)
       • Cost as a function of lines of code
       • Man Months (MM) = 2.4 * 1000s of delivered source instructions
       • Development Schedule = 2.5 * (MM)^0.38
     • Function Point Measurement Model
       • I/O types, internal file types, interfaces, etc
     • Software Life Cycle Model (SLIM)
       • Manpower buildup index
       • Productivity factor

  8. Security life cycle components
     • Info sec policy, standards, legal issues, early validation of concepts
     • Diagram stages: System Requirements, Software Requirements, Product Design, Coding, Integration, Product Implementation, Operations & Maintenance
     • Checks attached to the stages: Validation, Verification, Unit Testing, System Test, Revalidation

  9. Security life cycle components
     • Threats, vulnerabilities, sec requirements, reasonable care, due diligence, legal liabilities, cost/benefit, level of protection desired, test plans, validation

  10. Security life cycle components
     • Incorporating security specs, adjust system & security test plans & data, determine access controls, design docs, evaluate encryption options, verification, business continuity plans

  11. Security life cycle components
     • Develop security related code, unit testing, reuse other modules if possible, support business continuity plans, docs

  12. Security life cycle components
     • Integrate security components, test integrated modules per plans, refine docs, conduct security related product verification

  13. Security life cycle components
     • Install security software, run system, conduct acceptance testing, test security software, certify docs & accreditation (if necessary)

  14. Security life cycle components
     • Revalidate security controls, penetration testing, vulnerability analyses, manage change requests, implement change control, make changes, evaluate performance, update docs, recertify

  15. Testing
     • Unit testing
     • Done by separate personnel
     • Check all I/O, modules, files, security, etc

  16. Extreme Programming (XP) Principles
     • Feedback: most useful if it is done rapidly.
     • Assuming simplicity: treating every problem as if it can be solved "extremely simply".
     • Incremental changes: small releases
     • Embracing change: not working against changes but embracing them.

  17. Manifesto for Agile Software Development
     • We are uncovering better ways of developing software by doing it and helping others do it. Through this work we have come to value:
     • Individuals and interactions over processes and tools
     • Working software over comprehensive documentation
     • Customer collaboration over contract negotiation
     • Responding to change over following a plan
     • That is, while there is value in the items on the right, we value the items on the left more.

  18. Maintenance Phase
     • Request Control
     • Establish request priorities, do
     • Cost estimates
     • User Interface
     • Determine tools to use, determine change effects on other code
     • Change Control
     • Recreate & Analyze the problem
     • Develop changes & tests
     • Quality Control
     • Document changes, & recertify
     • Release Control

  19. Software Capability Maturity Model (CMM)
     • Phase 1: Initiate
       • Format improvement initiative
       • Management approval
     • Phase 2: Diagnose
       • Assess current systems
     • Phase 3: Establish Action Plan
     • Phase 4: Action
     • Phase 5: Leverage
       • Review changes and process looking for improvements

  20. Object Oriented Systems
     • OO Requirements Analysis
     • OO Analysis
     • Domain Analysis
     • OO Design
     • OO Programming
     • Object Request Brokers: CORBA, SOAP

  21. Artificial Intelligence Systems
     • Expert Systems (ES)
       • algorithm + data structures = Normal Program
       • Inference engine + knowledge base = ES
     • Blackboards
     • Bayesian Networks
     • Fuzzy logic
     • Neural Networks: weighted inputs to “neurons” yield outputs, “training period”
     • Genetic Algorithms: evolutionary computing, fitness values, cross breeding, mutation

  22. Database Systems
     • Hierarchical
     • Mesh
     • Object Oriented
     • Relational

  23. DB Security Issues
     • Views
     • Granularity
     • Aggregation:
       • combining higher sensitivity with lower
     • Inference
       • Users “guessing” higher level values
     • Multiple connections, backups, etc
     • Data warehousing & Mining

  24. Application Controls
     • Service Level Agreements
       • Turn around time, avg response time, number of users, system utilization rates, up times, transaction volumes, problem resolution
     • Control Types
       • Preventative
       • Detective
       • Corrective

  25. Preventative Controls
     • Accuracy
       • Data checks, forms, custom screens, validity checks, contingency planning, & backups
     • Security
       • Firewalls, reference monitors, sensitivity labels, traffic padding, encryption, data classification, one-time passwords, separation of development & testing
     • Consistency
       • Data dictionary, programming standards & database

  26. Detective Controls
     • Accuracy
       • Cyclic redundancy checks, structured walk-throughs, hash totals, reasonableness checks
     • Security
       • Intrusion detection systems, audit trails
     • Consistency
       • Comparison controls, relationship tests, reconciliation controls

  27. Corrective Controls
     • Accuracy
       • Backups, control reports, before/after imaging, checkpoint restarts
     • Security
       • Emergency response & reference monitor
     • Consistency
       • Program comments & database controls

  28. System Architecture Issues
     • Distributed Systems
       • Agents, applets, “sandbox,” virtual machines
     • P2P
     • Centralized
       • Easier to protect
     • Real Time
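
Added example, not part of the original slides: a sketch of the detective accuracy controls named on slide 26 (hash totals, cyclic redundancy checks, reasonableness checks) applied to a batch of transactions. The record layout, the function names and the 10000 amount limit are assumptions, and the batch is constructed sample data.

```python
import zlib
from decimal import Decimal

# Constructed sample batch of (account_number, amount) records; not real data.
BATCH = [("100234", "250.00"), ("100871", "19.99"), ("200045", "1200.50")]


def control_totals(records):
    """Compute the control values a sender would ship alongside the batch."""
    payload = "\n".join(f"{acct},{amt}" for acct, amt in records).encode()
    return {
        "count": len(records),
        # Hash total: a sum over a field with no arithmetic meaning
        # (account numbers), kept only to detect altered or swapped records.
        "hash_total": sum(int(acct) for acct, _ in records),
        "amount_total": str(sum(Decimal(amt) for _, amt in records)),
        # Cyclic redundancy check over the serialized batch.
        "crc32": zlib.crc32(payload),
    }


def check_batch(records, controls, max_amount=Decimal("10000")):
    """Return a list of findings; an empty list means the batch reconciles."""
    findings = []
    actual = control_totals(records)
    for name in ("count", "hash_total", "amount_total", "crc32"):
        if actual[name] != controls[name]:
            findings.append(
                f"{name} mismatch: expected {controls[name]}, got {actual[name]}"
            )
    # Reasonableness check: each amount must be positive and within the
    # assumed per-transaction limit.
    for acct, amt in records:
        value = Decimal(amt)
        if value <= 0 or value > max_amount:
            findings.append(f"reasonableness: account {acct} amount {amt}")
    return findings


if __name__ == "__main__":
    controls = control_totals(BATCH)
    # Same count and same amount total, but one payment posted to the wrong
    # account: only the hash total and the CRC expose the change.
    misposted = [BATCH[0], ("100872", "19.99"), BATCH[2]]
    for finding in check_batch(misposted, controls):
        print(finding)
```

The misposted batch shows why a hash total is kept in addition to a record count and an amount total: both of those still reconcile when a payment goes to the wrong account.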
