CISSP Domain 8 Overview: Software Development Security
The scope of application development has grown considerably in recent years. As application environments have become more complex and challenging, they have also become more exposed to threats, and security is now a key factor in whether an application is implemented successfully.
Applications can contain security vulnerabilities that developers introduced intentionally or unintentionally. This is why software and hardware controls are required, although they cannot fully compensate for poor programming. As an integral part of the software development process, security is an ongoing activity involving people and practices that together ensure the confidentiality, integrity, and availability of an application.
Let us look at the software development security standards and how we can ensure the development of secure software.
What Systems Development Controls Do I Need to Know for the CISSP exam?
Systems development is a series of steps for creating, modifying, or maintaining an organization’s information system. The term is used in several senses:
- A process, or set of formal activities, used to develop a new information system or modify an existing one.
- A document specifying a systems development process, known as the systems development standards manual.
- A life cycle describing the evolution and maintenance of an information system from inception through implementation and ongoing use.
In the third sense, systems development is also referred to as the systems development life cycle or software development life cycle (SDLC). From a security perspective, the developers who write an application's code need to adopt a wide array of secure coding techniques. Security has to be an integral part of every layer of a web application: user interface, business logic, controller, database code, and so on. However, many developers never learn secure coding practices, and the frameworks they use often lack critical core controls or do not enable them by default. Developers who fail to work through a software development security checklist are the ones who most often lose when building applications.
The OWASP Top Ten Proactive Controls 2016 gives a list of techniques that must be included in secure software development. This software development security checklist lists the controls in order of priority, starting with the most important:
- Verify for security early and often.
- Parameterize queries.
- Encode data.
- Validate all inputs.
- Implement identity and authentication controls.
- Implement appropriate access controls.
- Protect data.
- Implement logging and intrusion detection.
- Leverage security frameworks and libraries.
- Error and exception handling.
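The following is an added example, not code from the original page or from OWASP, showing what controls 2, 3 and 4 (parameterize queries, encode data, validate all inputs) look like in practice. It uses Python's standard sqlite3 module against a constructed in-memory table; the table, rows, usernames and the injection payload are all assumed for illustration. The unsafe function is included only to show why parameterization matters.

```python
import html
import re
import sqlite3

INJECTION = "x' OR '1'='1"  # classic tautology payload (constructed sample input)


def make_db():
    """Constructed sample database: three users, not from the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_unsafe(conn, username):
    """Control 2 violated: the untrusted value is spliced into the SQL text,
    so the payload changes the query's structure and returns every row."""
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Control 2: parameterised query. The driver sends the value separately
    from the SQL text, so the payload is only ever compared as data."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Control 4: allow-list validation of syntax, not a deny-list of "bad" characters.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(value):
    """Reject anything that is not a well-formed username; return it unchanged if it is."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def render_greeting(username):
    """Control 3: encode for the output context (HTML body) at the point of output."""
    return "<p>Welcome, %s</p>" % html.escape(username, quote=True)


def demo():
    """Return (rows from unsafe lookup, rows from safe lookup) for the payload."""
    conn = make_db()
    return len(find_user_unsafe(conn, INJECTION)), len(find_user_safe(conn, INJECTION))


if __name__ == "__main__":
    print("unsafe/safe row counts for injection payload:", demo())
    print(render_greeting("<script>alert(1)</script>"))
```

Validation and encoding are separate controls: validation rejects input that is malformed for the application, while encoding makes whatever does reach the output harmless in that output context. Neither replaces parameterization for SQL.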
High-Level Overview (SDLC, Models, PERT, Software Testing)
In the past, organizations were mainly focused on creating, releasing, and maintaining functional software. But now, as security concerns and associated business risks have increased, they are paying more attention to the integration of security right into the software development process.
The Software Development Life Cycle (SDLC) and the CISSP
This is a framework that defines the process of building a software program or application from its initial concept through delivery and maintenance. In general, the SDLC can be broken down into the following phases:
- Planning and requirement gathering – business requirements are gathered.
- Architecture and Design – system and software design is prepared according to the requirements gathered in the first phase.
- Test Planning – a test strategy is determined to decide what to test and how to test.
- Coding and Implementation – coding is done by dividing system design into work modules.
- Testing and Deployment – the developed product is tested against the actual requirements to check that it serves the purpose.
- Release and Maintenance – the final product is released, and periodic maintenance is done to fix issues that arise.
Software Development Life Cycle Models Covered on the CISSP
Let us look at six basic SDLC models and how they work.
Waterfall Model – This is the oldest and most widely known SDLC model. It works on the principle of finishing one phase before moving on to the next. Every stage builds on the information produced by the previous phase and has its own project plan. Though it is easy to manage, a delay in one phase affects the whole project timeline. Moreover, once a phase is completed, there is little room for amendments until the project reaches the maintenance phase.
V-Shaped Model – This model is also known as the verification and validation model. It is similar to the waterfall model, but with each phase there is a corresponding testing phase as well.
Iterative Model – This model is based on repetition and improvement. Rather than developing software from completely known requirements, a subset of requirements is implemented and tested. Based on further requirements and suggested improvements, a new iteration of the software is produced until the final product is complete. The advantage of this model is that a basic working version is available early; its disadvantage is that the repeated cycles can consume resources quickly.
Spiral Model – A very flexible model, this applies the iterative principle by repeating four phases (planning, risk analysis, engineering, and evaluation) in a spiral, allowing for improvements with each round. The explicit risk analysis in every loop is the feature to remember for the exam; it lets a customized product emerge as risks are identified and resolved.
Big Bang Model – This model does not work on any specific process. It is only suitable for small projects; few resources are spent on planning while majority are spent on development.
Agile Model – The agile model relies on customer interaction and feedback. It breaks the product into cycles and delivers a working product as an ongoing release with incremental changes from previous cycle. The product is tested with each iteration.
Securing SDLC: Why Is It Important?
Traditionally, software engineers have relied on a test-after-completion strategy to discover security-related issues in software. This approach is inefficient: issues are either discovered too late, when they are expensive to fix, or are never discovered at all. By integrating security practices across the SDLC, we can identify and reduce vulnerabilities earlier in each phase, building a stronger and more secure application.
A secure SDLC process incorporates essential security modules such as code review, penetration testing, and architecture analysis into the entire process from beginning to end. It not only results in a more secure product but it also enables early detection of vulnerabilities in the software. This in turn helps reduce costs by resolving issues as they arise, and it also mitigates potential organizational risks that could arise out of an insecure application.
A secure SDLC is generally set up by introducing security activities into an existing SDLC process, e.g., conducting architecture risk analysis during the design phase.
Below, some of the proposed Secure SDLC models are explained briefly.
- Microsoft Security Development Lifecycle (SDL) – This model was proposed by Microsoft and works by adding security activities (such as threat modeling, static analysis, and a final security review) to the classic SDLC phases.
- NIST SP 800-64 – This publication, Security Considerations in the System Development Life Cycle, helps organizations build security into their IT development processes. NIST withdrew it in 2019, but it is still widely cited and remains exam-relevant.
- Comprehensive Lightweight Application Security Process (CLASP) – this consists of a set of processes mapped to job roles and allows software developers to build security into the early stages of SDLC.
Program Evaluation Review Technique (PERT)
A PERT chart is a tool used by project managers for scheduling, organizing, and coordinating project tasks. It potentially reduces time and costs of a project. It is a tool for planning and controlling by management and can be considered a roadmap of a project where all major events have already been identified, along with their corresponding elements.
One of the basic elements of PERT is the identification of the critical path: the chain of dependent activities whose total duration determines the length of the whole project. The closely related Critical Path Method (CPM) uses a single fixed estimate per activity, whereas PERT uses three estimates to account for uncertainty.
PERT analysis is represented with the help of a network diagram that indicates all project activities, their interrelation, and the sequence in which they need to be carried out.
With regard to software development security, PERT can be used to estimate the size of a software product being developed and to assess estimation risk by calculating the standard deviation. From a lowest possible size, a most likely size, and a highest possible size, PERT yields an expected size and a standard deviation; a large standard deviation signals an estimate that is too uncertain to plan around. Feeding these figures back to developers improves the accuracy of later estimates and the efficiency of the resulting software.
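As an added example (not from the original page), the following Python code carries the PERT calculation through for a small activity network. The formulas are the standard ones: expected value (O + 4M + P)/6 and standard deviation (P - O)/6, with variances summed along the critical path and a normal approximation for the probability of meeting a target. The project, its seven activities, their three-point estimates in person-days, and the dependencies are all constructed for illustration.

```python
import math

# Constructed sample project (not from the page):
# name -> (optimistic, most likely, pessimistic, predecessors), in person-days.
TASKS = {
    "requirements": (3, 5, 10, []),
    "threat_model": (2, 3, 6, ["requirements"]),
    "design":       (4, 6, 12, ["requirements"]),
    "coding":       (10, 15, 30, ["design", "threat_model"]),
    "code_review":  (2, 3, 7, ["coding"]),
    "pentest":      (5, 7, 14, ["coding"]),
    "release":      (1, 2, 4, ["code_review", "pentest"]),
}


def three_point(optimistic, most_likely, pessimistic):
    """PERT expected value and variance of one three-point estimate."""
    expected = (optimistic + 4 * most_likely + pessimistic) / 6
    sd = (pessimistic - optimistic) / 6
    return expected, sd * sd


def critical_path(tasks):
    """Forward pass over the activity network.

    Returns (path, expected_project_length, project_variance), where the path is
    the longest chain of expected durations and the variance is the sum of the
    variances of the activities on that chain.
    """
    order, seen = [], set()

    def visit(name):  # depth-first topological ordering
        if name in seen:
            return
        seen.add(name)
        for pred in tasks[name][3]:
            visit(pred)
        order.append(name)

    for name in tasks:
        visit(name)

    finish, best_pred = {}, {}
    for name in order:
        o, m, p, preds = tasks[name]
        expected, _ = three_point(o, m, p)
        start = max((finish[q] for q in preds), default=0.0)
        finish[name] = start + expected
        best_pred[name] = max(preds, key=lambda q: finish[q]) if preds else None

    end = max(finish, key=finish.get)
    path, node = [], end
    while node is not None:
        path.append(node)
        node = best_pred[node]
    path.reverse()
    variance = sum(three_point(*tasks[t][:3])[1] for t in path)
    return path, finish[end], variance


def probability_by(target, expected, variance):
    """P(project finishes by target) under the normal approximation PERT uses."""
    z = (target - expected) / math.sqrt(variance)
    return 0.5 * (1 + math.erf(z / math.sqrt(2)))


if __name__ == "__main__":
    path, expected, variance = critical_path(TASKS)
    print("critical path:", " -> ".join(path))
    print("expected length %.1f days, sd %.1f days" % (expected, math.sqrt(variance)))
    print("P(done within 45 days) = %.3f" % probability_by(45, expected, variance))
```

For this network the critical path runs requirements -> design -> coding -> pentest -> release, the expected length is about 38.8 days with a standard deviation of about 4.1 days, and there is roughly a 93% chance of finishing within 45 days. The same `three_point` function applies unchanged to size or effort estimates; only the units differ.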
Software Testing and the CISSP
Software testing is a process used to discover bugs in software by executing an application or a program. It also aims to verify that the software works as expected and meets the technical and business requirements, as planned in the design and development phase.
Software testing can be conducted statically or dynamically. In a static test, defects are discovered without executing the code, e.g., through document review, source code inspection, or static analysis tools.
In a dynamic test, the code is executed and its behavior is inspected. This is carried out during validation, e.g., unit testing, integration testing, and penetration testing.
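The following added example (not from the original page) shows the two kinds of test finding the same defect in different ways. Two constructed snippets of a database lookup function are checked first statically, by walking the Python AST for an `execute()` call whose SQL text is assembled at runtime, and then dynamically, by running each snippet against a throwaway SQLite table with an injection payload and observing how many rows come back. The snippets, table and payload are all assumed for illustration; a real dynamic test would import the module under test rather than `exec` a string.

```python
import ast
import sqlite3

# Constructed snippets under test (not from the page). Both define lookup(conn, name).
UNSAFE_SRC = '''
def lookup(conn, name):
    return conn.execute("SELECT id FROM accounts WHERE name = '%s'" % name).fetchall()
'''

SAFE_SRC = '''
def lookup(conn, name):
    return conn.execute("SELECT id FROM accounts WHERE name = ?", (name,)).fetchall()
'''


def static_findings(source):
    """Static test: inspect the syntax tree without running anything.

    Flags any .execute() whose first argument is built with %-formatting,
    string concatenation, an f-string, or .format(), i.e. SQL assembled at runtime.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            continue
        arg = node.args[0]
        built_at_runtime = (
            isinstance(arg, ast.JoinedStr)
            or (isinstance(arg, ast.BinOp) and isinstance(arg.op, (ast.Mod, ast.Add)))
            or (isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute)
                and arg.func.attr == "format")
        )
        if built_at_runtime:
            findings.append("line %d: SQL text built at runtime; use a parameterised query"
                            % node.lineno)
    return findings


def dynamic_findings(source):
    """Dynamic test: execute the code and judge it by behaviour, not structure.

    A lookup for a name that does not exist must return no rows; if the
    tautology payload returns rows, the query structure was altered.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO accounts (name) VALUES (?)", [("alice",), ("bob",)])
    namespace = {}
    exec(source, namespace)  # load the snippet under test
    rows = namespace["lookup"](conn, "nobody' OR '1'='1")
    return ["injection payload returned %d rows; expected 0" % len(rows)] if rows else []


if __name__ == "__main__":
    for label, src in (("unsafe", UNSAFE_SRC), ("safe", SAFE_SRC)):
        print(label, "static:", static_findings(src))
        print(label, "dynamic:", dynamic_findings(src))
```

The static check is cheap and runs before anything is deployed, but it only recognises patterns it was written for; the dynamic check is pattern-agnostic but needs a runnable build and a representative environment. A secure SDLC uses both.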
Testing software for security is integral to building application reliability and reputation. It identifies vulnerabilities and bugs and determines whether the application can be compromised without authorization. It exercises the behavior of the software under malicious attack and shows whether the system can protect its data and maintain its intended functionality. Software security testing needs to cover the six basic security concepts: confidentiality, integrity, availability, authentication, authorization, and non-repudiation.
Storing Data and Information
Storing data and information securely prevents unauthorized individuals or parties from accessing it and also averts intentional or accidental destruction of the information. When developing software, it is important to consider where the information accessed by the application will be written, read, monitored, or shared. The processes that will be used for storing, modifying, transmitting, or displaying data and information are assets that need to be properly secured.
What Are Knowledge-Based Systems?
A knowledge-based system is a computer system that produces and makes use of knowledge derived from various sources of data and information. It uses artificial intelligence techniques to solve complex problems and to support humans in making decisions and taking action. Decisions made by a knowledge-based system are based on the information retained in it, which allows it to interpret complex situations and process data accordingly.
Knowledge-based systems are broadly classified into intelligent tutoring systems, case-based reasoning systems, expert systems, hypertext manipulation systems, and intelligent user interfaces. The system normally consists of a knowledge base and an inference engine. The knowledge base is a repository of facts and rules, while the inference engine applies those rules to the facts to reach conclusions.
Compared with conventional computer-based information systems, knowledge-based systems have several advantages. They can handle large amounts of unstructured data and deliver information efficiently, and they can analyze stored information to derive new knowledge from it.
Knowledge-based systems in secure software development can allow developers to categorize, cluster, monitor, alert, control, and provide appropriate solutions to various security issues that arise during the software development process.
In conclusion, today’s technological environment requires application security testing as a best practice to discover vulnerabilities in software code, regardless of the organization’s size or industry. What is shocking, however, is that software development security still lags behind and is treated as an afterthought in many organizations. Whether you want to keep your data and critical processes from being compromised or stop an online intruder from entering your software system, both depend on securely developed software. This is why your software developers, whether in-house or outsourced, are the first line of defense against threats. It is very important that they maintain a security mindset and practice quality assurance, testing, and code review.