1 / 20

Software Assurance of Web-based Applications SAWbA

Software Assurance of Web-based Applications SAWbA. Tim Kurtz SAIC/GRC Software Assurance Symposium 2004. Agenda. Problem Solution Pilot Project Pilot Results Future Activities. Problem.

sambrown
Download Presentation

Software Assurance of Web-based Applications SAWbA

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Software Assurance of Web-based ApplicationsSAWbA Tim Kurtz SAIC/GRC Software Assurance Symposium 2004

  2. Agenda • Problem • Solution • Pilot Project • Pilot Results • Future Activities

  3. Problem • NASA is embracing the use of web-based applications (web-apps) to monitor, control and conduct space experiments as well as business type applications. • Internet commercialization has resulted in the development of software assurance practices that ensure proper operation of commercial web-apps. • NASA needs to identify and adopt a set of software assurance practices to ensure the successful operation of web-apps that monitor, control and conduct space experiments.

  4. Solution • Implement the same types of controls on web-app development that are used on other types of software development • Requirements management • Configuration management • Audit and review projects web-app development activities using a set of checklists that address • Management concerns • Development concerns • Internet specific concerns

  5. Checklists • Project Management • Planning • Schedule • Requirements Engineering • Software Design • Page Usability and Accessibility • Form Design • Web Site Navigation • Privacy Policy • Security

  6. Pilot Projects • Micro-gravity Combustion/CMM level 2 pilot projects • GUI Experiment Control Screens • Control and conduct fluids/combustion experiments • Dynamically control experiments and display data • Web-based database access application • Risk Management tool • Interfaces with Oracle database • Uses forms to provide interfaces

  7. Pilot Projects • Micro-gravity Combustion/CMM level 2 pilot projects • GUI Experiment Control Screens • Control and conduct fluids/combustion experiments • Dynamically control experiments and display data • Web-based database access application • Risk Management tool • Interfaces with Oracle database • Uses forms to provide interfaces

  8. Project Management • Generally compliant project management activities for a project of this type • Problems identified • Lack of a process established to monitor the project and detect problems and departures from the baseline.

  9. Planning • Generally compliant planning activities for a project of this type • Problems identified • none

  10. Schedule • Generally compliant scheduling activities for a project of this type • Problems identified • No defined and documented process to develop the project schedule • Risk plan not documented • Historical duration data not available for project activities • Activity durations were not reviewed by people experienced in those activities • Float time not documented for all activities not on the critical path • Schedule did not include a time reserve for contingencies and unforeseen events

  11. Requirements Engineering • Generally compliant requirements engineering activities for a project of this type • Problems identified • Design detail been included in the requirements • Members of the requirements change board have not been identified • Impact analysis not performed for proposed requirements changes • No process in place to maintain and control the different versions of the requirements specification [When requirements change the version # gets updated in the filename of the document]

  12. Software Design • Generally compliant software design activities for a project of this type • Problems identified: • Applicable and efficient design methods (SHDT, WSDM, VHDM, etc.) not implemented on the project • Configuration control process not implemented

  13. Usability and Accessibility • Page usability features were better addressed by the project than accessibility features • Problems identified • Graphs and charts not summarized or explained with the longdesc attribute • Alternate content not provided when scripts, applets and plug-ins are used • Pages were not validated with an HTML validator • Page may not display correctly in all intended browser versions [Did not list browser version, but works in Netscape] • Page size not optimized for 800x600 pixel displays

  14. Form Design • Generally compliant form design activities for a project of this type • Problems identified • Instructions not provided to show how to complete and submit the form • Form not usable by users who use screen readers or are unable to operate a mouse • Users not prompted to enter required information on the form • Form does not check the logic of the responses

  15. Web Site Navigation • In general Web Site Navigation was well implemented although some of the pages suffered from problems navigating within the page • Problems identified • Default colors for links and visited links not used • Some pages did not contain at least one link [charts, reports] • Pages longer than two screens contain did not contain Return to Top links • Not all links link to the page they say they do

  16. Privacy Policy • Due to the type of application being developed, this project did not implement a privacy policy and the majority of the checklist was not applicable. • Problems identified • Web-app does not have a privacy policy

  17. Security • In general, Security planning activities were not performed for this project • Viewed as a part of the release process and not addressed prior to implementation • Problems identified • No security plan had been prepared that describes necessary security mechanisms and security procedures that apply to this web-app [Database is TBD] • Security plan did not identify all of the key services of the web-app including the Domain Name System (DNS), firewall, databases, and Internet link [Database is TBD] • A threat and risk assessment had not been performed on the web-app? • No system in place to capture and report illegal, unusual or unexpected input to the web-app • Disaster recovery plan for the web-app had not been prepared and tested • Changes not reviewed and tested from a security perspective before implementation?

  18. Summary Results • Use of the checklists was effective in identifying problems the project was not aware of • Checklists should be used at appropriate times during development – Not at the end

  19. Future Activities • Roll out Best Practices and Checklists to NASA via the SAWbA website – http://osat-ext.grc.nasa.gov/rmo/sawba • Apply checklist on the other pilot project when it becomes more mature

More Related