SDLC Basic Phases
Project Initiation and Planning; Functional Requirements Definition; System Design Specification; Development and Implementation; Documentation and Common Program Controls; Testing and Evaluation Control (C&A); Transition to Production (implementation)
Extends above SDLC - Operations and maintenance support; revisions and system replacement; project initiation and planning
Security activities should be done in parallel
Security requirements should be formalized
System Design Specifications
security features designed, generally based on the overall security architecture for the company
Development and Implementation
code should be analyzed to eliminate common vulnerabilities that might lead to security exploits and other risks
Documentation and Common Program Controls
types of logging the program should be doing
Testing and Evaluation Controls
tested to ensure it meets all the functional and security requirements. Testing is to ensure that the application meets its security requirements and specifications and uncovers all design flaws that would violate security policy. Run independently in a production simulation environment. First phase of C&A
bounds checking and data validation - test data should not be production data. Test all changes
Certification and Accreditation - Certification is the process of evaluating the security stance of the software against a set of security standards or policies. Verify conversion. Accreditation - acceptable level of risk is determined. Provisional accreditation is for a specific period and outlines specific changes. Full means no changes required.
Transition to Production (implementation)
obtain security accreditation, train users, implement, parallel operations if necessary.
Revisions and System Replacement
Changes must follow the SDLC and be recorded in the change management system. Reviews should include security planning and procedures - application audits should be conducted periodically, including documenting security incidents and system failures.
Capability Maturity Model for Software - focuses on quality management process and has 5 maturity levels. ISO 9000 includes software development quality standards
Waterfall life-cycle method
oldest method - list of activities that must be completed before the next phase begins
Structured Programming Development
promotes discipline, allows introspection, and provides controlled flexibility - requires defined processes and modular development - each phase is subject to reviews and appraisals
nested version of the Waterfall method - Plan, Do, Check, Act sub-phases
method of controlling defects - focuses on defect prevention. More time spent in early phases.
successive refinements of requirements, design, and coding
simplified version, release for review, user feedback, build better second version
Modified Prototype model
ideal for Web app development - deployed in a quick time frame
Rapid application development
strict time limits on each phase - rapid prototyping
Joint Analysis Development
developers work directly with users to develop a working application
set of requirements built with what is currently available
computer-aided software engineering - use computers and utilities to help with systematic analysis, design, development, implementation and maintenance of software
Component based development
standardized building blocks to assemble rather than develop
built from existing components.
values of simplicity, communication and feedback - fairly structured
a suite of application programs that typically manage large structured sets of persistent data. 4 elements - database engine, hardware platform, application software and users
state of the database is the same after a transaction has occurred and transactions should be durable
Fault Tolerance and recovery
in case of failure data should remain in its original state. Two types of recovery - rollback and shadowing. Rollback - incomplete transactions are backed out. Shadowing requires the use of transaction logging to identify the last good transaction.