
CYBERSECURITY - Week 5


Introduction to Software Application Development – How was it created?
- Software development refers to a set of computer science activities dedicated to the process of creating, designing, deploying and supporting software. Software itself is the set of instructions or programs that tell a computer what to do. It is independent of hardware and makes computers programmable. There are three basic types:
- System software, which provides core functions such as operating systems, disk management, utilities, hardware management and other operational necessities.
- Programming software, which gives programmers tools such as text editors, compilers, linkers, debuggers and other tools to create code.
- Application software, which helps users to perform tasks. Office productivity suites, data management software, media players and security programs are examples. Applications also refer to web and mobile applications like those used to shop on Amazon.com, socialize with Facebook or post pictures to Instagram.
- Developers use processes and techniques to create working software, including requirements definition, data flow design, code design, process flow design, flowcharting, code creation, software development testing, and debugging. The end-to-end process is sometimes referred to as the software development life cycle (SDLC).

Why is it important?
1. Software development brings your business to new heights of integration. It allows your company to be accessible from almost anywhere via smartphone or computer.
2. It improves sales and service. The way your customers experience your business is very important.
3. It helps to implement on-the-go marketing, promoting your products at any place and any time without additional expenses and extra time needed. It doesn't matter where your customers are.
4. It increases customers' engagement. As with any other business, you probably want to have loyal customers.
5. Direct communication. No other strategy brings you an opportunity for direct communication with the customers at the same level as this one does. Direct communication with your customers is the fastest way to boost your brand.
How does it work?
Software development refers to the methods and steps taken while designing the software. Many methods have been proposed and are in use today, but we need to see where these development steps stand within software engineering.

HEA POLYTECHNIC CSE DEPT Page 1


The software development paradigm is also known as the software engineering paradigm, where all the engineering concepts pertaining to the development of software are applied. It includes the research and requirement gathering that help build the software product. It consists of:
1. Requirement gathering
2. Software design
3. Programming
The Software Design Paradigm is a part of Software Development and includes:
1. Design
2. Maintenance
3. Programming
The Programming Paradigm is closely related to the programming aspect of software development. This includes:
1. Coding
2. Testing
3. Integration
Types of Application Software:
1. Thick Client: Thick client applications are any that are installed locally on a user's desktop or laptop. These applications are full-featured and can run independently without being connected to the Internet, unlike web applications, which need to be connected to the Internet all the time.
2. Web Applications: A web application is a computer program that utilizes web browsers and web technology to perform tasks over the Internet. The web application requires a web server to manage requests from the client, an application server to perform the tasks requested, and, sometimes, a database to store the information.

- Web applications include online forms, shopping carts, word processors, spreadsheets, video and photo editing, file conversion, file scanning, and email programs such as Gmail, Yahoo and AOL. Popular applications include Google Apps and Microsoft 365.

3. Web Services: A web service is a set of open protocols and standards that allow data to be exchanged between different applications or systems. Web services can be used by software programs written in a variety of programming languages and running on a variety of platforms to exchange data via computer networks such as the Internet.


4. RESTful Services: REpresentational State Transfer (REST) is a software architectural style that developers apply to web APIs. REST APIs provide simple, uniform interfaces because they can be used to make data, content, algorithms, media, and other digital resources available through web URLs. Essentially, REST APIs are the most common APIs used across the web today.

5. Middleware: Middleware is software that provides common services and capabilities to applications outside of what's offered by the operating system. Data management, application services, messaging, authentication, and API management are all commonly handled by middleware. Middleware helps developers build applications more efficiently. It acts like the connective tissue between applications, data, and users.

6. Mobile Applications: A mobile application (also called a mobile app) is a type of application designed to run on a mobile device, which can be a smartphone or tablet computer. Even if apps are usually small software units with limited function, they still manage to provide users with quality services and experiences.

Software Development Life Cycle:

The Software Development Life Cycle (SDLC) is a process used by the software industry to design, develop and test high-quality software. The SDLC aims to produce high-quality software that meets or exceeds customer expectations and reaches completion within the estimated time and cost.

Requirement and Analysis: The Software Development Life Cycle begins with the Requirement Analysis phase, where the stakeholders discuss the requirements of the software that needs to be developed to achieve a goal.

Design: During the design phase, developers and technical architects start the high-level design of the software and system to be able to deliver each requirement.

Coding: In this phase, developers start coding according to the requirements and the design discussed in previous phases. Database admins create the necessary database, and front-end developers create the necessary interfaces and GUI to interact with the back end based on guidelines and procedures defined by the company.

Testing: In this phase, testers start to test the system against the requirements. The testers aim to find defects within the system as well as verifying whether the application behaves as expected and according to what was documented in the requirements analysis phase.

Deployment: Once the software has been fully tested and no issues remain in the software, it is time to deploy to production where customers can use the system. Once a version of the software is released to production, there is usually a maintenance team that looks after any post-deployment issues.

Life Cycle Models
Waterfall Model: The Waterfall model is the simplest model of the software development paradigm. It says that all the phases of the SDLC will function one after another in a linear manner. That is, only when the first phase is finished will the second phase start, and so on.

This model assumes that everything in the previous stage was carried out and took place perfectly as planned, and that there is no need to think about past issues that may arise in the next phase. This model is best suited when developers have already designed and developed similar software in the past and are aware of all its domains.
Advantages:
1. It is simple and easy to understand and use.
2. It is easy to manage.
3. It works well for smaller and low-budget projects where requirements are very well understood.
4. Stages are clearly defined and well understood.
5. It is easy to arrange tasks.
6. Process and results are well documented.
Disadvantages:
1. It is difficult to measure progress within stages.
2. Poor model for long and ongoing projects.
3. No working software is produced until late during the life cycle.
4. High amounts of risk and uncertainty.
5. Not a good model for long and object-oriented projects.
6. Cannot accommodate changing requirements.

Agile Model:
- Agile is a time-bound, iterative approach to software delivery that builds software incrementally from the start of the project, instead of trying to deliver all at once.
- The Agile SDLC model is a combination of iterative and incremental process models with a focus on process adaptability and customer satisfaction by rapid delivery of a working software product.
- Agile methods break the product into small incremental builds. These builds are provided in iterations. Each iteration typically lasts from about one to three weeks.


Iterative Model:
- The Iterative Model is a process of software development where requirements are broken down into multiple standalone modules of the software development cycle.
- Incremental development is done in steps from analysis, design, implementation and testing/verification through to maintenance.

- Each iteration passes through the requirements, design, coding and testing phases. Each subsequent release of the system adds function to the previous release until all designed functionality has been implemented.
Requirement Analysis: Requirements and specification of the software are collected.
Design: Some high-end functions are designed during this stage.
Code: Coding of the software is done during this stage.
Test: Once the system is deployed, it goes through the testing phase.
Advantages:
1. The software will be generated quickly during the software life cycle.
2. It is flexible and less expensive to change requirements and scope.
3. Changes can be made throughout the development stages.

4. This model is less costly compared to others.

5. A customer can respond to each build.
6. Errors are easy to identify.
Disadvantages:
1. It requires good planning and design.
2. Problems might arise due to the system architecture, as not all requirements are collected upfront for the entire software life cycle.
3. Each iteration phase is rigid and does not overlap with the others.
4. Rectifying a problem in one unit requires correction in all the units and consumes a lot of time.

SDLC Best Practices
1. Maintain Data Hygiene: Software centers around data. Whether it's your customer's data, training data used to create models, or usage data on your application, you need to keep it secure and clean.
2. Standardize Your Code Review Process: Code reviews are a fantastic way to adhere to coding guidelines, follow the best practices of particular programming languages, prevent bugs, and raise the quality of code.
3. Manage Code Quality: Maintaining high-quality code is an investment in long-term success. High-quality code not only increases the chances you meet customer expectations, but because it is also easier to build upon, it allows the team to stay agile.
4. Optimize Developer Workflow: Software developers are always striving to be more productive. DevOps has helped to make the process of developing and deploying code much less time-consuming, but there is still a lot of room to optimize the developer experience.
5. Increase Planning Accuracy: Planning accuracy is one of the best indicators of the value an engineering team delivers to the business. If you can consistently deliver what you say you will, other teams can align to you and customers get new products and features when they expect them, which leads to better experiences, less churn, and more renewals.

Introduction to Application Security
Application Security aims to protect software application code and data against cyber threats. You should apply application security during all phases of development, including design, development, and deployment. Here are several ways to promote application security throughout the software development lifecycle (SDLC):
1. Introduce security standards and tools during the design and application development phases. For example, include vulnerability scanning during early development.
2. Implement security procedures and systems to protect applications in production environments. For example, perform continuous security testing.
3. Implement strong authentication for applications that contain sensitive data or are mission critical.
4. Use security systems such as firewalls, web application firewalls (WAF), and intrusion prevention systems (IPS).

Secure SDLC: 10M
- The software development life cycle (SDLC) framework maps the entire development process. It includes all stages: planning, design, build, release, maintenance, and updates, as well as the replacement and retirement of the application when the need arises.
- The Secure SDLC (SSDLC) builds on this process by incorporating security in all stages of the lifecycle. Teams often implement an SSDLC when transitioning to DevSecOps.

Microsoft Secure SDLC Practice and Security controls covered in each stage at a higher level.
- The Microsoft SDLC consists of seven components including five core phases and two supporting security activities. The five core phases are requirements, design, implementation, verification, and release.
- Each of these phases contains mandatory checks and approvals to ensure all security and privacy requirements and best practices are properly addressed.
- The two supporting security activities, training and response, are conducted before and after the core phases respectively to ensure they're properly implemented, and software remains secure after deployment.
- Education
- Continuous process improvement
- Accountability

1. Training
- All Microsoft employees are required to complete general security awareness training and specific training appropriate to their role.

2. Requirements
- Every product, service, and feature Microsoft develops starts with clearly defined security and privacy requirements; they're the foundation of secure applications and inform their design.
- Development teams define these requirements based on factors such as the type of data the product will handle, known threats, best practices, regulations and industry requirements, and lessons learned from previous incidents. Once defined, the requirements are documented and tracked.

3. Design
- Once the security, privacy, and functional requirements have been defined, the design of the software can begin. As a part of the design process, threat models are created to help identify, categorize, and rate potential threats according to risk.
- Threat models must be maintained and updated throughout the lifecycle of each product as changes are made to the software.

4. Implementation
- Implementation begins with developers writing code according to the plan they created in the previous two phases. Microsoft provides developers with a suite of secure development tools to effectively implement all the security, privacy, and functional requirements of the software they design.
- These tools include compilers, secure development environments, and built-in security checks.

5. Verification/Testing
- Before any written code can be released, several checks and approvals are required to verify that the code conforms to the SDL, meets design requirements, and is free of coding errors.
- Various automated checks are also required and are built into the commit pipeline to analyse code during check-in and when builds are compiled.

6. Release
- After passing all required security tests and reviews, builds aren't immediately released to all customers. Builds are systematically and gradually released to larger and larger groups, referred to as rings, in what is called a safe deployment process (SDP).

7. Response
- All Microsoft services are extensively logged and monitored after release, identifying potential security incidents using a centralized proprietary near-real-time monitoring system.


Application Security
1. Requirements: The software requirements are a description of the features and functionalities of the target system. Requirements convey the expectations of users from the software product. The requirements can be obvious or hidden, known or unknown, expected or unexpected from the client's point of view.
Functional
Requirements which are related to the functional aspect of software fall into this category. They define functions and functionality within and from the software system.
Examples:
- Search option given to the user to search from various invoices.
- User should be able to mail any report to management.
- Users can be divided into groups and groups can be given separate rights.
- Should comply with business rules and administrative functions.
- Software is developed keeping downward compatibility intact.
Non-Functional
Requirements which are not related to the functional aspect of software fall into this category. They are implicit or expected characteristics of the software, which users assume. Non-functional requirements include:
- Security & Logging
- Storage & Configuration
- Performance & Cost
- Interoperability & Flexibility
- Disaster recovery & Accessibility
2. Security Requirements for an application
- The Open Web Application Security Project (OWASP) is a 501(c)(3) non-profit educational charity dedicated to enabling organizations to design, develop, acquire, operate, and maintain secure software. All OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. This can be found at www.owasp.org.
- OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company. Similar to many open source software projects, OWASP produces many types of materials in a collaborative and open way.
3. Determining Application Risk Profile based on the security requirements.
- The OWASP Application Security Verification Standard (ASVS) is a catalog of available security requirements and verification criteria. OWASP ASVS can be a source of detailed security requirements for development teams. Security requirements are categorized into different buckets based on a shared higher-order security function.
- For example, the ASVS contains categories such as authentication, access control, error handling / logging, and web services. Each category contains a collection of requirements that represent the best practices for that category drafted as verifiable statements. Requirements are organized by standard.
- The Security Requirements (SR) practice focuses on security requirements that are important in the context of secure software. A first type deals with typical software-related requirements, to specify objectives and expectations to protect the service and data at the core of the application. A second type deals with requirements relative to supplier organizations that are part of the development context of the application, in particular for outsourced development.

- It is important to streamline the expectations in terms of secure development because outsourced development can have significant impact on the security of the application. The security of 3rd party libraries is part of the software supply chains stream.
4. Determining Control Requirements based on Application Risk Profile and Eligibility Criteria for an application to undergo a certain security control.
Maturity level 1: Use a simple method to evaluate the application risk per application, estimating the potential business impact that it poses for the organization in case of an attack. To achieve this, evaluate the impact of a breach in the confidentiality, integrity and availability of the data or service. Consider using a set of 5-10 questions to understand important application characteristics, such as whether the application processes financial data, whether it is internet facing, or whether privacy-related data is involved. The application risk profile tells you whether these factors are applicable and if they could significantly impact the organization. Outcome: ability to classify applications according to risk.
Maturity level 2: The goal of this activity is to thoroughly understand the risk level of all applications within the organization, to focus the effort of your software assurance activities where it really matters. From a risk evaluation perspective, the basic set of questions is not enough to thoroughly evaluate the risk of all applications. Create an extensive and standardized way to evaluate the risk of the application, among others via their impact on information security (confidentiality, integrity and availability of data). Next to security, you also want to evaluate the privacy risk of the application.
Maturity level 3: The application portfolio of an organization changes, as well as the conditions and constraints in which an application lives (e.g., driven by the company strategy). Periodically review the risk inventory to ensure correctness of the risk evaluations of the different applications.
Have a periodic review at an enterprise-wide level. Also, as your enterprise matures in software assurance, stimulate teams to continuously question which changes in conditions might impact the risk profile. For instance, an internal application might become exposed to the internet by a business decision. This should trigger the teams to rerun the risk evaluation and update the application risk profile accordingly. Outcome: timely update of the application classification in case of changes.

Establish Security Toll Gates
Quality Gates enforce a quality policy in your organization by answering one question: is my project ready for release? To answer this question, you define a set of conditions against which projects are measured. For example:
- No new blocker issues
- Code coverage on new code greater than 80%
Ideally, all projects will use the same quality gate, but that's not always practical. For instance, you may find that:
- Technological implementation differs from one application to another
- You want to ensure stronger requirements on some of your applications, which is why you can define as many quality gates as you need.
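As an added example that is not part of these notes, the following Python ties together the maturity level 1 risk profile (the 5-10 question evaluation), the maturity level 3 re-evaluation when an application's conditions change (an internal application becoming internet facing), and the release quality gate that the resulting risk level selects. The questionnaire weights, risk bands, activity names and gate thresholds are assumptions constructed for this illustration, not OWASP SAMM's or any tool's own values.

```python
"""Application risk profile (maturity level 1), re-evaluation when conditions
change (maturity level 3), and the control requirements / release gate the
profile selects. Added illustration: question weights, risk bands, activity
names and gate thresholds are constructed, not OWASP SAMM's or any tool's."""
from dataclasses import dataclass, field

# Constructed questionnaire: each "yes" raises the estimated business impact of
# a breach of confidentiality (C), integrity (I) or availability (A), 0..3.
QUESTIONS = {
    "processes_financial_data": {"C": 2, "I": 3, "A": 1},
    "internet_facing":          {"C": 1, "I": 1, "A": 2},
    "handles_privacy_data":     {"C": 2, "I": 1, "A": 0},
    "mission_critical":         {"C": 0, "I": 2, "A": 3},
    "outsourced_development":   {"C": 1, "I": 2, "A": 0},
}

@dataclass
class RiskProfile:
    cia: dict                                    # worst impact per property
    level: str                                   # Low / Medium / High / Critical
    answers: dict = field(default_factory=dict)  # kept for re-evaluation

def classify(cia: dict) -> str:
    """Overall risk band from the combined C+I+A impact (0..9)."""
    total = sum(cia.values())
    if total >= 6:
        return "Critical"
    if total >= 4:
        return "High"
    if total >= 2:
        return "Medium"
    return "Low"

def evaluate_risk(answers: dict) -> RiskProfile:
    """Maturity level 1: simple per-application evaluation from the questions."""
    cia = {"C": 0, "I": 0, "A": 0}
    for question, yes in answers.items():
        if question not in QUESTIONS:
            raise ValueError(f"unknown question: {question}")
        if yes:
            for prop, impact in QUESTIONS[question].items():
                cia[prop] = max(cia[prop], impact)
    return RiskProfile(cia=cia, level=classify(cia), answers=dict(answers))

# Control requirements per risk level: security activities the application is
# eligible for, and gate conditions it must meet before release
# (("max", n): metric may not exceed n; ("min", n): metric must reach n).
CONTROLS = {
    "Low":      {"activities": ["sast"],
                 "gate": {"new_blocker_issues": ("max", 0)}},
    "Medium":   {"activities": ["sast", "dependency_scan"],
                 "gate": {"new_blocker_issues": ("max", 0),
                          "new_code_coverage": ("min", 80)}},
    "High":     {"activities": ["sast", "dependency_scan", "threat_model", "dast"],
                 "gate": {"new_blocker_issues": ("max", 0),
                          "new_code_coverage": ("min", 80),
                          "open_high_vulns": ("max", 0)}},
    "Critical": {"activities": ["sast", "dependency_scan", "threat_model",
                                "dast", "pentest"],
                 "gate": {"new_blocker_issues": ("max", 0),
                          "new_code_coverage": ("min", 90),
                          "open_high_vulns": ("max", 0)}},
}

def required_activities(profile: RiskProfile) -> list:
    return CONTROLS[profile.level]["activities"]

def check_gate(profile: RiskProfile, metrics: dict) -> tuple:
    """Is this project ready for release? Returns (passed, reasons). A metric
    that was never measured fails the gate instead of silently passing."""
    failed = []
    for metric, (kind, threshold) in CONTROLS[profile.level]["gate"].items():
        value = metrics.get(metric)
        if value is None:
            failed.append(f"{metric}: no measurement available")
        elif kind == "max" and value > threshold:
            failed.append(f"{metric}={value} exceeds maximum {threshold}")
        elif kind == "min" and value < threshold:
            failed.append(f"{metric}={value} below minimum {threshold}")
    return (not failed, failed)

def reevaluate_on_change(profile: RiskProfile, changed: dict) -> RiskProfile:
    """Maturity level 3: a change in conditions (e.g. an internal application
    becomes internet facing) reruns the evaluation on the updated answers."""
    answers = dict(profile.answers)
    answers.update(changed)
    return evaluate_risk(answers)

if __name__ == "__main__":
    # Constructed sample: an internal HR tool holding privacy-related data.
    hr = evaluate_risk({"handles_privacy_data": True, "internet_facing": False})
    print(hr.level, required_activities(hr))
    print(check_gate(hr, {"new_blocker_issues": 0, "new_code_coverage": 72}))
    exposed = reevaluate_on_change(hr, {"internet_facing": True})
    print(exposed.level, required_activities(exposed))
```

The sample run moves the HR tool from Medium to High once it is marked internet facing, which adds threat modelling and DAST to its required activities and a no-open-high-vulnerabilities condition to its gate.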


Application Security Design
- Once the security, privacy, and functional requirements have been defined, the design of the software can begin. As a part of the design process, threat models are created to help identify, categorize, and rate potential threats according to risk. Threat models must be maintained and updated throughout the lifecycle of each product as changes are made to the software.

- The threat modeling process begins by defining the different components of a product and how they interact with each other in key functional scenarios, such as authentication. Data Flow Diagrams (DFDs) are created to visually represent key data flow interactions, data types, ports, and protocols used. DFDs are used to identify and prioritize threats for mitigation that are added to the product's security requirements. Developers are required to use Microsoft's Threat Modeling Tool for all threat models, which enables the team to:
- Communicate about the security design of their systems
- Analyze security designs for potential security issues using a proven methodology
- Suggest and manage mitigation for security issues
- Before any product is released, all threat models are reviewed for accuracy and completeness, including mitigation for unacceptable risks.
Secure Architecture Review
The Security Architecture (SA) practice focuses on the security linked to components and technology you deal with during the architectural design of your software. Secure Architecture Design looks at the selection and composition of components that form the foundation of your solution, focusing on its security properties. Technology management looks at the security of supporting technologies used during development, deployment and operations, such as development stacks and tooling, deployment tooling, and operating systems and tooling.

- Application architecture review can be defined as reviewing the current security controls in the application architecture. This helps to identify potential security flaws at an early stage and mitigate them before starting the development stage.
- Poor design of the architecture may expose the application to many security loopholes. It is preferable to perform the architecture review at the design stage, as the cost and effort required for implementing security after development is high.

While doing the architecture review we can primarily focus on the following areas.

- Application Architecture Documents
- Deployment and Infrastructure Considerations
- Input Validation
- Authentication
- Authorization
- Configuration Management


- Session Management
- Cryptography
- Parameter Manipulation
- Exception Management
- Auditing & Logging
- Application Framework and Libraries

Conduct security architecture review using the OWASP standard: Example of the Security Server of Check Point Firewall-1 NG AI "Protecting" a Web Server
- The application architecture needs to be mapped through some test to determine what different components are used to build the web application. In small setups, such as a simple CGI-based application, a single server might be used that runs the web server which executes the C, Perl, or Shell CGI application, and perhaps also the authentication mechanism.
- In more complex setups, such as an online bank system, multiple servers might be involved. These may include a reverse proxy, a front-end web server, an application server and a database server or LDAP server. Each of these servers will be used for different purposes and might even be divided into different networks with firewalls between them.
- Getting knowledge of the application architecture can be easy if this information is provided to the testing team by the application developers in document form or through interviews, but can also prove to be very difficult if doing a blind penetration test.
- Detecting a reverse proxy in front of the web server needs to be done by the analysis of the web server banner, which might directly disclose the existence of a reverse proxy (for example, if 'WebSEAL' is returned). It can also be determined by obtaining the answers given by the web server to requests and comparing them to the expected answers.
- For example, some reverse proxies act as "intrusion prevention systems" (or web-shields) by blocking known attacks targeted at the web server. If the web server is known to answer with a 404 message to a request that targets an unavailable page and returns a different error message for some common web attacks like those done by CGI scanners.


Threat Modelling: 10M
What is threat modeling in application security?
Definition: Threat modeling is a method of optimizing network security by locating vulnerabilities, identifying objectives, and developing countermeasures to either prevent or mitigate the effects of cyber-attacks against the system.
Advantages of threat modeling
- Helps prioritize threats.
- Ensures defenses are in line with evolving threats.
- Helps teams adopt or develop new tools or create software.
- Detects problems early in the software development life cycle (SDLC)—even before coding begins.
- Spots design flaws that traditional testing methods and code reviews may overlook.
- Evaluates new forms of attack that you might not otherwise consider.
- Maximizes testing budgets by helping target testing and code review.
- Identifies security requirements.
Why is threat modelling necessary?
- Threat modeling can reduce the attack surface.
- Threat modeling helps prioritize threats, mitigation efforts and budgeting.
- Threat modeling identifies and eliminates single points of failure.
- Threat modeling helps you to understand the complete cyber-attack kill chain.
- Threat modeling can improve your organization's security posture.
- Threat modeling helps improve your application security posture.

Threat modeling methodologies:
1. STRIDE Threat Modeling:
A methodology developed by Microsoft for threat modeling, it offers a mnemonic for identifying security threats in six categories:
- Spoofing: An intruder posing as another user, component, or other system feature that contains an identity in the modeled system.
- Tampering: The altering of data within a system to achieve a malicious goal.
- Repudiation: The ability of an intruder to deny that they performed some malicious activity, due to the absence of enough proof.
- Information Disclosure: Exposing protected data to a user that isn't authorized to see it.
- Denial of Service: An adversary uses illegitimate means to exhaust services needed to provide service to users.
- Elevation of Privilege: Allowing an intruder to execute commands and functions that they aren't allowed to.
2. PASTA - Process for Attack Simulation and Threat Analysis
- PASTA is an attacker-centric methodology with seven steps.
- It is designed to correlate business objectives with technical requirements.
- PASTA's steps guide teams to dynamically identify, count, and prioritize threats. The steps of a PASTA threat model are:
- Define business objectives
- Define the technical scope of assets and components
- Application decomposition and identification of application controls


- Threat analysis based on threat intelligence
- Vulnerability detection
- Attack enumeration and modeling
- Risk analysis and development of countermeasures
3. VAST - Visual, Agile, and Simple Threat:
- Visual, Agile, and Simple Threat (VAST) is an automated threat modeling method built on the ThreatModeler platform.
- Large enterprises implement VAST across their entire infrastructure to generate reliable, actionable results and maintain scalability.
- VAST can integrate into the DevOps lifecycle and help teams identify various infrastructural and operational concerns.
- Implementing VAST requires the creation of two types of threat models:
- Application threat model—uses a process-flow diagram to represent the architectural aspect of the threat.
- Operational threat model—uses a data-flow diagram to represent the threat from the attacker's perspective.
4. OCTAVE - Operationally Critical Threat, Asset, and Vulnerability Evaluation:
- The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) process is a risk-based strategic assessment and planning method. OCTAVE focuses on assessing organizational risks only and does not address technological risks.
- OCTAVE has three phases:
- Building asset-based threat profiles. (Organizational evaluation)
- Identifying infrastructure vulnerabilities. (Information infrastructure evaluation)
- Developing and planning a security strategy. (Evaluation of risks to the company's critical assets and decision making.)
5. TRIKE Threat Model:
- Trike focuses on using threat models as a risk management tool. Threat models, based on requirement models, establish the stakeholder-defined "acceptable" level of risk assigned to each asset class.
- Requirements model analysis yields a threat model where threats are identified and given risk values. The completed threat model is then used to build a risk model, factoring in actions, assets, roles, and calculated risk exposure.

Threat Model Ranking:
- Threat modeling ranks threats during software design by identifying which assets or components are most critical to the business and ranking them according to the damage a threat would cause to the business.
i) DREAD method:
The categories are:
- Damage – how bad would an attack be?
- Reproducibility – how easy is it to reproduce the attack?
- Exploitability – how much work is it to launch the attack?
- Affected users – how many people will be impacted?
- Discoverability – how easy is it to discover the threat?
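As an added example (not part of these notes), the DREAD scoring and ranking described above carried out in Python over a constructed set of design-time threats, each labelled with its STRIDE category from the methodology section. The threat names, the 1..10 ratings and the High/Medium/Low triage bands are assumptions made for this illustration.

```python
"""DREAD ranking of design-time threats, each tagged with its STRIDE category.
Added illustration: the threats, scores and triage bands are constructed
sample data, not taken from any real product's threat model."""
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}

DREAD_FIELDS = ("damage", "reproducibility", "exploitability",
                "affected_users", "discoverability")

@dataclass(frozen=True)
class Threat:
    name: str
    stride: str            # one-letter STRIDE category
    damage: int            # how bad would an attack be?             (1..10)
    reproducibility: int   # how easy is it to reproduce the attack? (1..10)
    exploitability: int    # how little work is it to launch? 10 = trivial
    affected_users: int    # how many people will be impacted?       (1..10)
    discoverability: int   # how easy is it to discover the threat?  (1..10)

    def __post_init__(self):
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.stride!r}")
        for f in DREAD_FIELDS:
            v = getattr(self, f)
            if not 1 <= v <= 10:
                raise ValueError(f"{f} must be in 1..10, got {v}")

def dread_score(t: Threat) -> float:
    """Classic DREAD: the mean of the five ratings, on the same 1..10 scale."""
    return sum(getattr(t, f) for f in DREAD_FIELDS) / len(DREAD_FIELDS)

def risk_band(score: float) -> str:
    """Map a DREAD score to a triage band (constructed thresholds)."""
    if score >= 8:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"

def rank_threats(threats) -> list:
    """Return (threat, score, band) tuples, highest risk first. sorted() is
    stable, so equal scores keep their input order and the ranking is
    reviewable rather than arbitrary."""
    scored = [(t, dread_score(t), risk_band(dread_score(t))) for t in threats]
    return sorted(scored, key=lambda item: item[1], reverse=True)

# Constructed sample threats for an invoice/report application like the one in
# the functional-requirements examples earlier in the notes.
SAMPLE = [
    Threat("Session token sent over plain HTTP", "I", 7, 9, 8, 8, 9),
    Threat("Admin action not written to audit log", "R", 5, 10, 6, 2, 3),
    Threat("Report download reachable without login", "E", 9, 10, 9, 9, 8),
    Threat("Report queue flood exhausts workers", "D", 6, 6, 5, 7, 4),
]

if __name__ == "__main__":
    for t, score, band in rank_threats(SAMPLE):
        print(f"{score:4.1f} {band:6} {STRIDE[t.stride]:24} {t.name}")
```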


ii) CVSS method:
• The Common Vulnerability Scoring System (CVSS) is designed to help security teams assess threats, identify impacts, and identify existing countermeasures.
• It also helps security professionals assess and apply threat intelligence developed by others in a reliable way.
iii) CWSS method:
• The Common Weakness Scoring System (CWSS) provides a mechanism for prioritizing software weaknesses in a consistent, flexible, open manner.
• It is a collaborative, community-based effort that is addressing the needs of its stakeholders across government, academia, and industry.
Threat Model Execution Phases
What is a threat modeling diagram?
• Threat models constructed from process flow diagrams view the application from the perspective of user interactions.
• This allows easy identification of potential threats and their mitigating controls.
How do you create a threat model diagram?
These steps are:
1. Identify security objectives: clear objectives help you to focus the threat modeling activity and determine how much effort to spend on subsequent steps.
2. Create an application overview.
3. Decompose your application.
4. Identify threats.
5. Identify vulnerabilities.
There are five major threat modeling steps:
• Defining security requirements.
• Creating an application diagram.
• Identifying threats.
• Mitigating threats.
• Validating that threats have been mitigated.

• There are a number of symbols that are used in DFDs for threat modeling.

Threat Traceability Matrix:
• A traceability matrix examines a threat agent.
• This agent may attempt to compromise an asset by conducting an attack somewhere along the attack surface.
• Consider what the attack goal could be and how it could impact the target.
• To mitigate an attack, a control is put in place to establish an acceptable level of risk. Repeat this process for all threat agent/asset combinations.
• To create a traceability matrix, consider the threat agents and follow the control path.
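As an added example (not from these notes), the procedure above can be kept as plain records and checked mechanically: the agents, assets, rows, impact ratings and controls below are all constructed, and the two checks report which agent/asset combinations have not been examined yet and which examined attacks still have no control.

```python
# Added illustration: a threat traceability matrix as records, plus the
# "repeat for all threat agent/asset combinations" check as code.
from dataclasses import dataclass
from itertools import product
from typing import Optional

@dataclass(frozen=True)
class TraceRow:
    agent: str              # threat agent who might attack
    asset: str              # asset the agent targets
    surface: str            # where on the attack surface the attack lands
    goal: str               # what the attacker hopes to achieve
    impact: int             # constructed 1-5 rating of impact on the business
    control: Optional[str]  # control establishing acceptable risk, None if undecided

def missing_combinations(agents, assets, rows):
    """Agent/asset pairs the matrix has not examined yet."""
    seen = {(r.agent, r.asset) for r in rows}
    return sorted(set(product(agents, assets)) - seen)

def uncontrolled(rows):
    """Examined rows that still lack a control, highest impact first."""
    return sorted((r for r in rows if r.control is None),
                  key=lambda r: r.impact, reverse=True)

# Constructed example matrix for a small web application.
AGENTS = ["external attacker", "malicious insider"]
ASSETS = ["customer database", "admin console"]
ROWS = [
    TraceRow("external attacker", "customer database", "login form",
             "read customer records", 5, "parameterised queries, WAF"),
    TraceRow("external attacker", "admin console", "admin console URL",
             "take over administration", 5, None),
    TraceRow("malicious insider", "customer database", "direct DB access",
             "exfiltrate records", 4, "least-privilege DB roles, audit logging"),
]

if __name__ == "__main__":
    for agent, asset in missing_combinations(AGENTS, ASSETS, ROWS):
        print(f"not yet examined: {agent} -> {asset}")
    for r in uncontrolled(ROWS):
        print(f"no control yet (impact {r.impact}): {r.agent} -> {r.asset} via {r.surface}")
```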

Application Security – Implementation:
Explain use of Security Tools within IDE:
• An Integrated Development Environment (IDE) is an application (or set of applications) that is used to develop other apps.
• An IDE simplifies and manages the development/creation process, helps link source and other code, and enables the automation of repetitive tasks.
• Typically, the IDE's single, central interface contains all the tools that a developer needs to code, create/compile, test, and deliver apps.
• In its simplest form an IDE facilitates:
  • Writing code in the specified computer language (or languages).
  • Compiling code into a form that can then be executed on any suitable machine (normally the developer's machine).
  • Debugging code.

Static Code Analysis Tools:
• Static code analysis tools, also known as Static Application Security Testing (SAST) tools, can help analyze source code or compiled versions of code to find security flaws.
• SAST tools can be added into your IDE. Such tools can help you detect issues during software development.
• SAST tool feedback can save time and effort, especially when compared to finding vulnerabilities later in the development cycle.
Strengths
• Scales well: can be run on lots of software, and can be run repeatedly.
• Identifies certain well-known vulnerabilities, such as:
  • Buffer overflows
  • SQL injection flaws
• Output helps developers, as SAST tools highlight the problematic code by filename, location, line number, and even the affected code snippet.
Weaknesses
• Difficult to automate searches for many types of security vulnerabilities, including:
  • Authentication problems
  • Access control issues
  • Insecure use of cryptography
• Current SAST tools are limited. They can automatically identify only a relatively small percentage of application security flaws.
• High numbers of false positives.
• Frequently unable to find configuration issues, since they are not represented in the code.
• Difficult to 'prove' that an identified security issue is an actual vulnerability.
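As an added example (not from these notes, and not any real SAST product's rule), the following is a minimal SAST-style check: it parses a constructed source file, flags execute() calls whose query string is assembled at runtime, and reports filename, line number and snippet as the strengths list describes.

```python
# Added illustration: a tiny AST-based SAST rule for SQL built from strings.
import ast

# Constructed input file: two dynamically built queries and one parameterised one.
SAMPLE_SOURCE = '''\
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))
'''

def is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds its string at runtime (f-string or '+')."""
    return isinstance(node, (ast.JoinedStr, ast.BinOp))

def find_dynamic_sql(source: str, filename: str) -> list:
    """Return (filename, line, snippet) for each execute() call whose first
    argument is assembled at runtime rather than being a constant query."""
    tree = ast.parse(source, filename=filename)
    lines = source.splitlines()
    findings = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args
                and is_dynamic_string(node.args[0])):
            findings.append((filename, node.lineno, lines[node.lineno - 1].strip()))
    return sorted(findings, key=lambda f: f[1])

if __name__ == "__main__":
    for fname, line, snippet in find_dynamic_sql(SAMPLE_SOURCE, "app.py"):
        print(f"{fname}:{line}: SQL query built at runtime: {snippet}")
```

The rule also illustrates the false-positive weakness listed above: two constant strings joined with '+' would be flagged just the same, and only a human (or a smarter analysis) can tell whether the flagged line is really exploitable.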
The Best Static Code Analysis Tools
• SonarQube.
• Synopsys Coverity.

SonarQube – Static Code Analysis
• Code quality is important for overall software quality.
• And quality impacts how safe, secure, and reliable your code is.
• High quality is critical for many development teams today.
• And it's especially important for those developing safety-critical systems.
• There are many tools on the market for static code analysis, but the most popular tool is SonarQube.
• SonarQube is an open source platform to perform automatic reviews with static analysis of code to detect bugs, code smells and security vulnerabilities in 25+ programming languages including Java, C#, JavaScript, TypeScript, C/C++, COBOL and more.
Synopsys Coverity tool:
• Coverity is a fast, accurate, and highly scalable static analysis (SAST) solution that helps development and security teams address security and quality defects early in the software development life cycle (SDLC), track and manage risks across the application portfolio, and ensure compliance with security and coding standards.
• Coverity works with the Code Sight IDE plugin, enabling developers to find and fix security and quality defects as they write code.
• Fast and accurate incremental analysis runs in the background to minimize disruption, giving developers real-time results, remediation guidance, and relevant security training, directly within the IDE.

Software Composition Analysis:
What Is Software Composition Analysis?
• Software Composition Analysis (SCA) is a segment of the application security testing (AST) tool market that deals with managing open source component use.
• SCA tools perform automated scans of an application's code base, including related artifacts such as containers and registries, to identify all open source components, their license compliance data, and any security vulnerabilities.
• In addition to providing visibility into open source use, some SCA tools also help fix open source vulnerabilities through prioritization and auto remediation.
• Open source code is everywhere, and it needs to be managed to mitigate security risks.
• Developers are tasked with creating engaging and reliable applications faster than ever.
• To achieve this, they rely heavily on open source code to quickly add functionality to their proprietary software.
• With open source code making up an estimated 60-80% of proprietary applications' code bases, managing it has become critical to reducing an organization's security risk.
• Software Composition Analysis tools help manage open source use.
Identifying Software Dependencies
• A software dependency is when you rely on external libraries to implement certain functionalities, instead of developing them from scratch.
• Dependency takes place regardless of the external library size: it can be as small as a single document, or as large as a set of packages.

How do you identify dependencies?
• In order to identify project dependencies, you must first create a map of project tasks.
• Next, look for tasks that the team cannot perform until they receive information or deliverables from a previous task.
What is a CVE and how is it used?
• Common Vulnerabilities and Exposures (CVE) is a list of publicly disclosed information security vulnerabilities and exposures. CVE was launched in 1999 by the MITRE Corporation to identify and categorize vulnerabilities in software and firmware.
The Difference: Vulnerabilities vs. Exposures
• A vulnerability is a weakness that can be exploited in a cyber attack to gain unauthorized access to or perform unauthorized actions on a computer system.
• Vulnerabilities can allow attackers to run code, access system memory, install different types of malware and steal, destroy or modify sensitive data.
• An exposure is a mistake that gives an attacker access to a system or network. Exposures can lead to data breaches, data leaks, and personally identifiable information (PII) being sold on the dark web.
OWASP Dependency-Check
• Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies.
• It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency.
• If found, it will generate a report linking to the associated CVE entries.
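As an added example (not OWASP Dependency-Check's own code), the following shows the CPE-to-CVE matching idea in miniature: each dependency is mapped to a CPE 2.3 identifier, looked up in a constructed vulnerability table (vendor, product and CVE ids are placeholders, not real entries), and reported with the CVE entries whose affected version range contains it.

```python
# Added illustration: minimal SCA matching of dependencies to CPE identifiers
# and then to CVE entries from a constructed, placeholder vulnerability table.
from dataclasses import dataclass

@dataclass(frozen=True)
class Dependency:
    vendor: str
    product: str
    version: str

    def cpe(self) -> str:
        """CPE 2.3 formatted string: cpe:2.3:part:vendor:product:version:..."""
        return f"cpe:2.3:a:{self.vendor}:{self.product}:{self.version}:*:*:*:*:*:*:*"

def parse_version(v: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10): compared numerically, '1.2.10' > '1.2.5',
    whereas a plain string comparison would wrongly put it before '1.2.5'."""
    return tuple(int(part) for part in v.split("."))

# Constructed table keyed by (vendor, product): placeholder CVE ids with
# affected ranges [introduced, fixed). Real tools pull this from CVE/NVD data.
VULN_DB = {
    ("examplecorp", "examplelib"): [
        ("CVE-XXXX-PLACEHOLDER-1", "1.0.0", "1.2.5"),
        ("CVE-XXXX-PLACEHOLDER-2", "1.2.0", "1.3.0"),
    ],
}

def find_vulnerabilities(dep: Dependency) -> list:
    """Return the CVE ids whose affected range contains dep.version."""
    v = parse_version(dep.version)
    return [cve_id
            for cve_id, introduced, fixed in VULN_DB.get((dep.vendor, dep.product), [])
            if parse_version(introduced) <= v < parse_version(fixed)]

def report(deps) -> dict:
    """Map each dependency's CPE to its matching CVE list (empty if none known)."""
    return {d.cpe(): find_vulnerabilities(d) for d in deps}

if __name__ == "__main__":
    # Constructed manifest: one affected version, one fixed, one unknown product.
    manifest = [Dependency("examplecorp", "examplelib", "1.2.10"),
                Dependency("examplecorp", "examplelib", "1.3.0"),
                Dependency("othervendor", "otherlib", "2.0.0")]
    for cpe, cves in report(manifest).items():
        print(cpe, "->", cves or "no known CVE entries")
```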
