CISSP Domain 8 Refresh: Software Development Security
In our cars, our watches, and even our refrigerators, software seems to be finding its way into everything. Along with its promise of increased productivity and data, however, come the risks that programming and other software development errors introduce to our world. In 2017, The Atlantic magazine wrote of “The Coming Software Apocalypse,” while TechRepublic estimates that most modern software has one bug per 1000 lines of code. In this CISSP Domain 8 Refresh, we explore what this means for security professionals while also revisiting some of the certification’s key concepts and terminology.
Software Development Overview
This section of Domain 8 dives deep into the world of software development. While it covers many key programming concepts, security professionals need to understand their role in providing a secure foundation for the design and delivery of software that meets customer needs. This includes terminology such as machine code, which the CPU runs directly; source code, which programmers write; and the compilers, interpreters, and bytecode that translate and execute that written code.
Standing in stark contrast to the older, structured way of programming, Object-Oriented Design treats software as a collection of objects that communicate with each other and their environment. The concepts extend to objects, methods, messages between objects, and a range of other qualities such as inheritance, delegation, polymorphism, and polyinstantiation (two instances of an object with the same name but different data). Object-Oriented Design can also be used as a form of analysis and design, including of security systems and rules. For example, segmenting a network can be broken down into its component objects, the messages they exchange, and the functions they serve, resulting in the secure delivery of services to end users.
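The following Python snippet is an added illustration, not code from the original article, of the object-oriented terms above applied to the network-segmentation example: segments are objects, the firewall sends them messages and delegates the decision, subclasses inherit and override the policy method (polymorphism), and a small table shows polyinstantiation as it is used in multilevel-secure databases, where one key holds different data at different classification levels and a reader only sees the rows at or below their clearance. The segment names, ports, zones, and the classification labels are constructed for the example.

```python
class Segment:
    """Base object: a network segment that answers messages about traffic."""

    def __init__(self, name):
        self.name = name

    def allows(self, src_zone, dst_port):
        """Default policy: a segment accepts nothing unless a subclass says so."""
        return False


class DmzSegment(Segment):
    """Inheritance: a DMZ is a Segment that accepts web traffic from any zone."""

    def allows(self, src_zone, dst_port):  # polymorphism: overrides the base method
        return dst_port in (80, 443)


class InternalSegment(Segment):
    """Internal segment: accepts any port, but only from the trusted zone."""

    def allows(self, src_zone, dst_port):
        return src_zone == "corp"


class Firewall:
    """Delegation: the firewall does not decide itself; it forwards the
    question (a message) to the segment object that owns the destination."""

    def __init__(self, segments):
        self.segments = {s.name: s for s in segments}

    def permit(self, src_zone, dst_segment, dst_port):
        segment = self.segments[dst_segment]
        return segment.allows(src_zone, dst_port)


# Polyinstantiation: the same key exists more than once with different data,
# one row per classification level (labels and ordering constructed here).
LEVELS = {"unclassified": 0, "secret": 1}


class PolyinstantiatedTable:
    def __init__(self):
        self.rows = []  # list of (key, level, data)

    def insert(self, key, level, data):
        self.rows.append((key, level, data))

    def read(self, key, clearance):
        """Return the row for `key` at the highest level the reader may see,
        or None if no row is visible at that clearance."""
        visible = [r for r in self.rows
                   if r[0] == key and LEVELS[r[1]] <= LEVELS[clearance]]
        if not visible:
            return None
        return max(visible, key=lambda r: LEVELS[r[1]])[2]


def demo():
    """Constructed scenario: two segments, one firewall, one polyinstantiated key."""
    fw = Firewall([DmzSegment("dmz"), InternalSegment("internal")])
    table = PolyinstantiatedTable()
    table.insert("flight-42", "unclassified", {"cargo": "supplies"})
    table.insert("flight-42", "secret", {"cargo": "sensors"})
    return {
        "internet_to_dmz_443": fw.permit("internet", "dmz", 443),
        "internet_to_internal_22": fw.permit("internet", "internal", 22),
        "corp_to_internal_22": fw.permit("corp", "internal", 22),
        "low_reader": table.read("flight-42", "unclassified"),
        "high_reader": table.read("flight-42", "secret"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the polyinstantiated table is that a low-clearance reader receives a real, consistent answer for the key rather than an error, so the existence of the higher-level row is not leaked.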
Application Development Methods
Domain 8 also covers the wide range of application development methodologies and the various ways teams work together to create, manage, test, and deliver software. The sequential, traditional Waterfall model is juxtaposed to the Agile development model, which allows for quick, flexible, and iterative software design. Further, Agile development can include Scrum teams of multidisciplinary professionals or Extreme Programming with pairs of programmers working closely with customers.
The Spiral model of software development is used to control risk by repeating the steps of a project as the overall scope and goals expand with each “round,” while Prototyping and Rapid Application Development (RAD) use quickly developed mock-ups to demonstrate functionality and guide further development. Finally, regardless of the methodology used, security professionals need to be involved in each phase of the Software Development Life Cycle (SDLC), from development to secure disposal, as well as in the evaluation of code storage options, the security of Application Programming Interfaces (APIs), and software change management as refinements are introduced.
No discussion of software development and security can be complete without understanding how the data that runs through it is structured and accessed so that its integrity can be better maintained. While certainly not a full course on database design, Domain 8 reviews the types of databases (Relational, Hierarchical, and Object-Oriented), key database terminology, how databases are queried, how read/write access is granted, and many other functions. Yet the focus for security professionals is on how unauthorized modifications to data can be mitigated through rules and controls, as well as through database replication and shadowing of data in the event of an error or failure.
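As an added example (not from the original article), the Python script below uses the standard-library sqlite3 module to show the three integrity controls the paragraph names on a relational database: rules enforced by the database itself (CHECK and FOREIGN KEY constraints, applied inside a transaction so a rejected change is rolled back whole), access given as read-only to a consumer that should never write, and a shadow copy kept current with the backup API. The table layout, account names and balances are constructed sample data; the read-only handle relies on SQLite's `query_only` pragma.

```python
import sqlite3

# Constructed schema: the CHECK and REFERENCES clauses are the "rules" the
# database enforces regardless of which application issues the statement.
SCHEMA = """
CREATE TABLE accounts (
    id      INTEGER PRIMARY KEY,
    owner   TEXT    NOT NULL,
    balance INTEGER NOT NULL CHECK (balance >= 0)
);
CREATE TABLE transfers (
    id      INTEGER PRIMARY KEY,
    from_id INTEGER NOT NULL REFERENCES accounts(id),
    to_id   INTEGER NOT NULL REFERENCES accounts(id),
    amount  INTEGER NOT NULL CHECK (amount > 0)
);
"""


def open_primary():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless enabled
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts(owner, balance) VALUES (?, ?)",
                     [("alice", 100), ("bob", 50)])  # constructed sample rows
    conn.commit()
    return conn


def transfer(conn, from_id, to_id, amount):
    """Move funds inside one transaction. Any constraint violation raises
    IntegrityError and the `with conn` block rolls back every statement,
    so the books are never left half-updated."""
    try:
        with conn:
            conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?",
                         (amount, from_id))
            conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?",
                         (amount, to_id))
            conn.execute("INSERT INTO transfers(from_id, to_id, amount) "
                         "VALUES (?, ?, ?)", (from_id, to_id, amount))
        return True
    except sqlite3.IntegrityError:
        return False


def balances(conn):
    return dict(conn.execute("SELECT owner, balance FROM accounts ORDER BY id"))


def shadow(conn):
    """Shadow copy: a replica of the primary that survives its failure."""
    replica = sqlite3.connect(":memory:")
    conn.backup(replica)
    return replica


def make_read_only(conn):
    """Give a consumer read access only; writes through this handle fail."""
    conn.execute("PRAGMA query_only = ON")
    return conn


def write_rejected(conn):
    """True if the connection refuses a data modification."""
    try:
        conn.execute("UPDATE accounts SET balance = 0")
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    primary = open_primary()
    ok_transfer = transfer(primary, 1, 2, 30)       # valid: alice 70, bob 80
    overdraft = transfer(primary, 1, 2, 500)        # CHECK rejects balance < 0
    bad_target = transfer(primary, 1, 99, 10)       # FK rejects unknown account;
    after = balances(primary)                       # alice's debit is rolled back
    replica = make_read_only(shadow(primary))
    return {
        "ok_transfer": ok_transfer,
        "overdraft": overdraft,
        "bad_target": bad_target,
        "primary": after,
        "replica": balances(replica),
        "replica_write_rejected": write_rejected(replica),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The transfer to account 99 is the instructive case: the first UPDATE succeeds, the INSERT then fails the foreign-key rule, and the rollback restores the debited balance, which is exactly the kind of partial, unauthorized modification the paragraph warns about.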
Assessing Software Security
As was mentioned in the introduction, programming may always be inherently full of mistakes. Determining just how much so, and what organizations should do to mitigate those mistakes, is a role of CISSP professionals. The first step is categorizing the types of software vulnerabilities, which also links back to Domain 3: Security Engineering. Ranging from buffer overflows to race conditions, security professionals need to be able to test and control for these vulnerabilities and help institute changes in software requirements and design to mitigate them.
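To make "test and control for" concrete for one of the vulnerability classes named above, here is an added Python example (not from the original article) of a check-then-act race condition: a test that reproduces it deterministically by forcing two threads to finish their balance checks before either one debits, and the control, a lock that makes the check and the debit a single atomic step. The `Account` class, the balances and the withdrawal amounts are constructed for the example; the `pause` hook stands in for the preemption point the operating system would normally choose.

```python
import threading
import time


class Account:
    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()

    def withdraw_unsafe(self, amount, pause):
        """Vulnerable: the check and the debit are separate steps, so a second
        thread can pass its own check in between (a TOCTOU race)."""
        if self.balance >= amount:   # check
            pause()                  # window in which another thread may run
            self.balance -= amount   # act on a possibly stale check
            return True
        return False

    def withdraw_safe(self, amount, pause):
        """Control: the lock serializes check-and-act as one atomic step."""
        with self.lock:
            if self.balance >= amount:
                pause()
                self.balance -= amount
                return True
            return False


def run_workers(withdraw, amount, n_workers, pause):
    """Run n_workers threads calling `withdraw`; return how many succeeded."""
    results = []

    def worker():
        results.append(withdraw(amount, pause))

    threads = [threading.Thread(target=worker) for _ in range(n_workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def reproduce_race():
    """Test: two withdrawals of 80 from a balance of 100. The barrier holds
    both threads after their checks, so both then debit and the account is
    overdrawn."""
    acct = Account(100)
    gate = threading.Barrier(2)
    successes = run_workers(acct.withdraw_unsafe, 80, 2, gate.wait)
    return successes, acct.balance   # (2, -60)


def control_race():
    """Control: fifty threads each try to withdraw 10 from 100, with a pause
    inside the window to invite interleaving. Because the lock serializes the
    critical section, exactly ten succeed and the balance ends at 0."""
    acct = Account(100)
    successes = run_workers(acct.withdraw_safe, 10, 50, lambda: time.sleep(0.001))
    return successes, acct.balance   # (10, 0)


if __name__ == "__main__":
    print("unsafe (successes, balance):", reproduce_race())
    print("safe   (successes, balance):", control_race())
```

The barrier is what turns a flaky, timing-dependent bug into a repeatable test case; the same pattern (force the interleaving you fear, then assert on the invariant) is how a security test for a race condition is written, and the lock is the design change that removes the window.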
If software is to be bought off the shelf, however, or will be custom-developed by a third party, security professionals can still play a key role. For example, with commercial off-the-shelf (COTS) software, testing the stated capabilities and controls claimed by the vendor, as well as identifying its impact on existing systems, needs to occur in a structured fashion. Likewise, with custom software, security requirements can be baked into the contract, acceptance criteria, and ongoing expectations for post-implementation support.
While Domain 8 is a wide-ranging and often meandering chapter for CISSP professionals, it mirrors the fluidity of the computing environment in which we operate today and will be operating for decades to come. Software design, our expectations for what it can do for us, and its integration into our lives, as well as how data is stored and shared, are introducing new security challenges that must be understood and faced head-on. Especially with the rise of the Internet of Things (IoT) and Artificial Intelligence (AI), it pays to sharpen the axe continually with CISSP Domain refreshes.