Key Concepts 8.1 Understand and integrate security in the SDLC Flashcards
Domain 8 (34 cards)
Consists of two main components: a knowledge base and an inference engine that uses that information to draw conclusions about other data.
Expert Systems
Subset of AI that focuses on creating algorithms and statistical models that allow computer systems to improve their performance on a task through experience without being explicitly programmed.
Machine Learning
A type of machine learning algorithm inspired by the structure and function of the human brain. Composed of interconnected nodes or “neurons” organized in layers (input, hidden, output); each neuron processes information and passes it to the next layer.
Neural Networks
A linear, sequential approach to software development. It consists of distinct phases, including requirements gathering, design, implementation, testing and maintenance. Each phase must be completed before the next one begins. Emphasises documentation and planning.
Waterfall
An iterative, risk-driven approach that combines elements of both waterfall and prototyping. Allows for multiple iterations of a waterfall-style process, known as a metamodel or “model of models”.
Spiral
Iterative and incremental approach to software development that emphasizes flexibility, collaboration, and rapid delivery. Has 4 principles: Individuals and interactions, Working software, Customer collaboration, and Responding to change. Utilizes short development cycles which typically last 1-2 weeks.
Agile
An agile methodology that helps agile teams to work together and deliver complex products. Provides a specific set of rules, practices, and roles to put those Agile principles into action.
Scrum
A set of organizational and workflow patterns for implementing agile practices at an enterprise scale. It includes structured guidance on roles and responsibilities, how to plan and manage the work, and values to uphold. 3 primary bodies of knowledge: Agile software development, Lean product development, and systems thinking.
Scaled Agile Framework (SAFe)
A methodology that integrates Development and Operations to enhance collaboration, automate processes, and speed up software delivery through practices like continuous integration/continuous deployment (CI/CD).
DevOps
Embedding security practices throughout the development lifecycle. Security is considered from the start, using automation for security testing, compliance, and monitoring, ensuring that speed doesn’t compromise security.
DevSecOps
Developed at the Software Engineering Institute (SEI). Is a 5-step model for measuring software development organizations. Its creators believe that all organizations developing software move through a sequential series of phases of maturity over time. Helps organizations improve the quality of their software as well as the maturity of their software development process.
Capability Maturity Model
Level 1: Initial. No plan.
Level 2: Repeatable. Basic lifecycle management.
Level 3: Defined. Formal, documented software development processes.
Level 4: Managed. Quantitative measures to gain detailed understanding.
Level 5: Optimized. Continuous development process, w/ feedback loops.
5 levels of Capability Maturity Model (CMM)
A software development model that implements many of the Software Capability Maturity Model (SW-CMM) attributes.
IDEAL Model
An open source project maintained by OWASP to provide a framework for integrating security activities into software development and maintenance processes.
Software Assurance Maturity Model
- Initiating. Business reasons outlined, support & infrastructure for initiative put in place.
- Diagnosing. Engineers analyze current state of org & make recommendations for change.
- Establishing. Org takes recommendations & develops plan to achieve those changes.
- Acting. Plan put into action. Org develops solutions, tests, refines, and implements.
- Learning. Org continuously analyzes efforts and results, proposes new actions to drive better results.
IDEAL Model Stages
- Governance. Activities to manage the software development process.
- Design. Used to define software requirements and create software.
- Implementation. Building and deploying software components and managing flaws in those components.
- Verification. Process that confirms new code meets business and security requirements.
- Operations. Activities to maintain security throughout the software lifecycle after code is released.
Good Developers Innovate Vigilantly Online
Stages of SAMM Model
- Confidentiality: By controlling and documenting changes, organizations can ensure that modifications don’t inadvertently expose sensitive data or create security vulnerabilities.
- Integrity: A structured change process helps maintain data and system integrity by preventing unauthorized or improper changes that could corrupt or alter information.
- Availability: Proper change management minimizes system downtime and disruptions, ensuring that resources remain available to authorized users.
Benefits to the CIA of Change Management
Request the change
* Identify the need for a change
* Document the proposed change, including its purpose and potential impact
* Submit the change request through the appropriate channels
The group to whom requests are sent is known as the Change Advisory Board (CAB), which is tasked with ensuring requested changes are beneficial to the company.
Step 1 in the Change Management Process
Review the change
* Assess the technical feasibility of the proposed change
* Evaluate potential risks and impacts on systems, processes, and security
* Consider resource requirements and cost implications
* Consult with relevant stakeholders and subject matter experts
Step 2 in the Change Management Process
Approve/reject the change
* Present the change proposal to the appropriate authority (e.g., change advisory board)
* Discuss the merits and potential drawbacks of the change
* Make a decision to approve, reject, or request modifications to the change
* Communicate the decision to relevant parties
Step 3 in the Change Management Process
Test the change
* Develop a test plan to verify the change’s functionality and impact
* Create a test environment that mimics the production environment
* Execute tests to ensure the change works as intended
* Validate that the change doesn’t introduce new vulnerabilities or issues
* Document test results and any necessary adjustments
Step 4 in the Change Management Process
Schedule and implement the change
* Plan the timing of the change to minimize disruption to business operations
* Communicate the change schedule to affected users and stakeholders
* Create a detailed implementation plan, including rollback procedures
* Execute the change according to the plan
* Monitor the implementation process and address any issues that arise
Step 5 in the Change Management Process
Document the change
* Record all details of the implemented change
* Update relevant documentation, including system configurations and user manuals
* Log the change in the configuration management database (CMDB)
* Create or update knowledge base articles related to the change
* Review and archive all change-related documentation for future reference
Step 6 in the Change Management Process
Users request changes, which are then analyzed for cost/benefit by managers and prioritized by developers for implementation.
Request Control