Phases of SSDLC in Agile

Uploaded by Likhitha M

1. Planning:

• Security Requirements: Define security requirements alongside functional requirements, including compliance with the standards and regulations that apply to the product.

• Risk Assessment: Perform an initial risk assessment (threat modeling) to identify potential security threats and vulnerabilities before the design is fixed.

2. Development:

• Secure Coding Practices: Apply coding standards that emphasize security, such as input validation, output encoding, and error handling that does not leak internal details to the caller.

• Static Code Analysis: Use SAST tools to automatically check code for security vulnerabilities during development, ideally on every commit or pull request rather than only on the main branch.

3. Testing:

• Penetration Testing: Simulate attacks to identify vulnerabilities that may not be evident through automated tools.

• Dynamic Analysis: Test the running application (DAST) to find security issues that only appear at runtime.

4. Deployment:

• Security Configuration: Ensure that security configurations (TLS settings, secrets handling, least-privilege permissions) are set correctly and verified before deploying the software.

• Monitoring: Set up logging and monitoring to detect and respond to security incidents promptly.

5. Maintenance:

• Patch Management: Regularly update the software and its third-party dependencies to fix known vulnerabilities.

• Incident Response: Have a tested plan in place to respond to security incidents effectively.
Introduction to SSDLC

The Secure Software Development Lifecycle (SSDLC) integrates security practices into each phase of the development process, ensuring that security is considered from the very beginning rather than being an afterthought.

Key Points:

Integration: Security activities such as threat modeling, security requirements, and code reviews are integrated into the development process.

Proactive Measures: Identifying and addressing security risks early reduces vulnerabilities and the cost associated with fixing them later.

Continuous Improvement: Regular updates and reviews of security practices ensure they remain effective against emerging threats.

Take a minute and review your resources below to get a better understanding of the phases in SSDLC as well as how they are approached at Accenture.
Best Practices for Securing Agile Projects

1. Shift-Left Security: Incorporate security measures early in the development process to detect and fix issues sooner, when they are cheapest to fix.

2. Continuous Integration/Continuous Deployment (CI/CD): Integrate security checks into the CI/CD pipeline so that security tests run automatically on every change and can block a merge or release when they fail.

3. Training and Awareness: Regularly train team members on secure coding practices and emerging threats to keep security knowledge up to date.

4. Automation: Use automated tools for static and dynamic analysis to quickly identify security issues without manual intervention, and reserve manual review and penetration testing for the issues automation cannot find.
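As an added example, not part of the original page, of what "integrate security checks into the CI/CD pipeline" and the Development-phase static analysis item look like in practice, the script below parses a SAST report and fails the build when findings exceed a severity and confidence threshold. The report shape is modelled on Bandit's JSON output (an assumption; adapt the field names for another tool), and the findings in the sample are constructed for this example, not real scan results.

```python
"""CI gate over a SAST report: added example, not code from the original page.

Report layout is modelled on Bandit's `-f json` output (assumption); the sample
findings below are constructed for illustration, not real scan results.
"""
import json
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Shared ordering for both severity and confidence levels.
SEVERITY_ORDER = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample report in the shape of Bandit's JSON output.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"test_id": "B105", "issue_severity": "LOW", "issue_confidence": "MEDIUM",
         "filename": "app/config.py", "line_number": 12,
         "issue_text": "Possible hardcoded password: ''"},
        {"test_id": "B608", "issue_severity": "MEDIUM", "issue_confidence": "LOW",
         "filename": "app/db.py", "line_number": 40,
         "issue_text": "Possible SQL injection vector through string-based query construction."},
        {"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "filename": "app/tasks.py", "line_number": 77,
         "issue_text": "subprocess call with shell=True identified, security issue."},
    ]
})


@dataclass(frozen=True)
class Finding:
    test_id: str
    severity: str
    confidence: str
    filename: str
    line: int
    text: str


def parse_report(report_json: str) -> List[Finding]:
    """Turn the tool's JSON into a list of Finding records (levels upper-cased)."""
    data = json.loads(report_json)
    return [
        Finding(
            test_id=r["test_id"],
            severity=r["issue_severity"].upper(),
            confidence=r["issue_confidence"].upper(),
            filename=r["filename"],
            line=int(r["line_number"]),
            text=r["issue_text"],
        )
        for r in data.get("results", [])
    ]


def blocking_findings(findings: List[Finding],
                      min_severity: str = "HIGH",
                      min_confidence: str = "MEDIUM",
                      baseline: FrozenSet[Tuple[str, str]] = frozenset()) -> List[Finding]:
    """Return the findings that should fail the build.

    `baseline` holds risk-accepted findings keyed on (test_id, filename) rather
    than on line number, so an accepted finding is not re-raised every time a
    line above it moves.
    """
    sev_threshold = SEVERITY_ORDER[min_severity]
    conf_threshold = SEVERITY_ORDER[min_confidence]
    return [
        f for f in findings
        if SEVERITY_ORDER[f.severity] >= sev_threshold
        and SEVERITY_ORDER[f.confidence] >= conf_threshold
        and (f.test_id, f.filename) not in baseline
    ]


def gate(report_json: str, **policy) -> int:
    """Process exit code for the pipeline step: 0 = pass, 1 = block the merge."""
    blockers = blocking_findings(parse_report(report_json), **policy)
    for f in blockers:
        print(f"BLOCK {f.severity}/{f.confidence} {f.test_id} "
              f"{f.filename}:{f.line} {f.text}")
    return 1 if blockers else 0


if __name__ == "__main__":
    import sys
    sys.exit(gate(SAMPLE_REPORT))
```

Run the gate as a required step on every pull request, not only on the main branch, so a blocking finding prevents the merge instead of being discovered after the fact; keep the baseline file in the repository and review it in code review, since every entry in it is an accepted risk.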

Conclusion

Integrating security into the agile software development lifecycle requires a proactive and continuous approach. By understanding the key concepts and best practices outlined above, you'll be equipped to build secure software in an agile environment. Go on to the next step to check your new knowledge on SSDLC in an agile environment!
Agile methodology
Erik has started to tell you about Agile. This is the other approach that
Accenture Nordics takes to projects.

Here’s what you understand so far:

Agile: An iterative and flexible approach that emphasizes collaboration, adaptability, and customer feedback. Instead of working to a rigid, sequential plan like the Waterfall approach, teams work in short cycles called iterations or “sprints”. You may have heard this term before. In each sprint, the team delivers small incremental pieces of working software.

•Planning: Identify and prioritize features with stakeholders, breaking them into smaller tasks (user stories) based on business value. Teams maintain a prioritized list of work items known as a backlog, which includes user stories that often originate from strategic planning sessions such as quarterly planning events.

•Iteration/Sprint: Divide development work into short iterations (1-4 weeks), selecting and delivering prioritized user stories from the backlog within each sprint.

•Daily Stand-up: Hold daily stand-up meetings (daily scrums) for team members to share progress, plans, and blockers, fostering communication and collaboration.

•Continuous Integration and Testing: Integrate code changes frequently using continuous integration, complemented by automated testing to maintain functional integrity.

•Customer Feedback: Solicit and incorporate feedback from customers or product owners on delivered features, guiding future work and ensuring alignment with customer needs.

•Retrospective: Conduct a meeting at the end of each iteration to reflect on successes, identify areas for improvement, and adapt processes for continuous refinement.

The agile methodology lets teams deliver working software more frequently,
respond quickly to changes in requirements or priorities, and continuously
improve their processes based on feedback from stakeholders. Teams
prioritize tasks in the backlog to ensure the most critical and valuable
features are developed first, enhancing efficiency and alignment with
business goals.

Take a look at the next section to learn more about how an agile
methodology works in DevOps

In the design phase, developers discuss how the CI/CD pipelines should
handle passwords and other secrets. You propose a "key vault" to be used
within the cloud solution to store secrets and call it using encrypted and
hashed API keys. Which of the following cryptographic hash algorithms has
previously been breached and should NOT be used for secret management in
the code or CI/CD pipeline?

Currently, only code review is being performed with pull requests in the code
commits to spot for irregularities or defects. To strengthen security, you want
to implement a static code analysis tool for vulnerability scanning. After
approval, you perform a proof of concept (PoC) with a static code analysis
(SAST) tool. You install this in the environment and perform a scan on the
master branch. The tool discovers one vulnerability, among many, that can
be found in AngularJS versions earlier than (<)1.8.0. It is a cross-site
scripting (XSS) vulnerability that allows for manipulation of sanitized user-
controlled HTML input before it is passed to jQuery Lite (JQLite) methods. The
transformation done by JQLite may modify some forms of a sanitized payload
into a payload containing JavaScript and trigger an XSS when the payload is
inserted into a specific file. What is the name of this specific XSS
vulnerability?

To adapt to an agile working environment, you push for a second automated security tool to be implemented, an Interactive Application Security Testing (IAST) tool, which instruments the running application and observes it while functional or dynamic tests exercise it. You are given the green light to introduce an IAST tool and perform a PoC on it. In which environment is an IAST tool most effective?

Lastly, you would like to enhance the SIEM tool that the organization is currently using for logging and monitoring. You introduce a security dashboard for their Splunk application to automatically flag security incidents in production. You also propose an additional test of how the organization would react to a real threat, which could help to fully assess the realistic level of risk and vulnerabilities of the technology, human, and physical assets within the organization. What is this kind of testing called?
Nice work catching the difference between your solution and your colleagues’ solutions. Now the JavaScript web development part is going very well, but you notice something strange when integrating with Digital Health’s Python backend. You dig into the backend code base and notice that the client has implemented a lot of basic algorithms manually. Normally this would not be a problem, but some of the implementations are quite buggy and are causing wrong results or even breaking your solution. Time to start debugging!

One of the algorithms is a binary search. Luckily, you are very familiar with it and know that binary search is a search algorithm that finds the position of a target value in a sorted array; it only works correctly if that precondition holds.

Binary search compares the target value to the middle element of the array.
If they are not equal, the half in which the target cannot lie is eliminated and
the search continues for the remaining half, again taking the middle element
to compare to the target value and repeating this until the target value is
found. If the search ends with the remaining half being empty, the target is
not in the array.
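As an added reference, not the client’s implementation (which is not reproduced on this page), here is a correct binary search in Python, the language of the backend described above, together with a check for the sorted-input precondition and a constructed defective variant, `binary_search_buggy`, that illustrates one common off-by-one mistake; the variant is an assumption for illustration, not the page’s code, and its loop is bounded so the non-termination can be observed rather than hanging the process.

```python
"""Binary search: added example, not the client's code from the page.

`binary_search_buggy` is a constructed illustration of a common defect
(assumption), not the implementation the page refers to.
"""
from typing import Optional, Sequence, Tuple


def binary_search(table: Sequence[int], target: int) -> Optional[int]:
    """Return an index of `target` in the sorted `table`, or None if absent."""
    low, high = 0, len(table) - 1
    while low <= high:
        # (low + high) // 2 cannot overflow in Python; in C or Java write
        # low + (high - low) // 2 to avoid integer overflow on large arrays.
        mid = (low + high) // 2
        if table[mid] == target:
            return mid
        if table[mid] < target:
            low = mid + 1    # target can only lie in the right half
        else:
            high = mid - 1   # target can only lie in the left half
    return None              # remaining half is empty: target not present


def is_sorted(table: Sequence[int]) -> bool:
    """True if `table` is in non-decreasing order."""
    return all(table[i] <= table[i + 1] for i in range(len(table) - 1))


def safe_binary_search(table: Sequence[int], target: int) -> Optional[int]:
    """Binary search with its precondition enforced.

    On unsorted input a plain binary search returns a wrong index or None
    silently, which is worse than failing loudly.
    """
    if not is_sorted(table):
        raise ValueError("binary search requires a sorted table")
    return binary_search(table, target)


def binary_search_buggy(table: Sequence[int], target: int,
                        max_steps: int = 1000) -> Tuple[Optional[int], int]:
    """Constructed defective variant: `low = mid` instead of `low = mid + 1`.

    When the target is absent, or sits at the end of the array, the search
    range stops shrinking and the loop never exits. `max_steps` bounds the
    loop so the hang shows up as a step count instead of freezing the caller.
    Returns (index_or_None, steps_taken).
    """
    low, high, steps = 0, len(table) - 1, 0
    while low <= high and steps < max_steps:
        steps += 1
        mid = (low + high) // 2
        if table[mid] == target:
            return mid, steps
        if table[mid] < target:
            low = mid        # BUG: should be mid + 1; range may not shrink
        else:
            high = mid - 1
    return None, steps


if __name__ == "__main__":
    data = [1, 3, 5, 7]
    print("correct:", binary_search(data, 7), binary_search(data, 4))
    print("buggy:  ", binary_search_buggy(data, 7, max_steps=50))
```

With the constructed defect, searching for 5 still succeeds (2 steps), which is why such bugs survive casual testing; searching for 7 or for an absent 4 runs until the step limit. A test suite for a hand-written search should therefore cover the first element, the last element, an absent value, and an empty array.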

Here is the implementation you find in the client’s codebase:

What happens if you run code containing this function?

To complete this task, answer the true or false questions.

https://en.wikipedia.org/wiki/Binary_search_algorithm
