Domain 30 - CISA

The document provides an overview of the Certified Information System Auditor (CISA) training, including exam details, knowledge domains, and the importance of various IT components and software licenses. It outlines the process for acquiring new technology, conducting feasibility analyses, and creating business cases for projects. Additionally, it discusses intellectual property types and the significance of stakeholder involvement in technology acquisition and implementation.

HTTPS://CYVITRIX.COM - 2023 - CYVITRIX@GMAIL.COM 229

Certified Information System Auditor Training



BEFORE STARTING

IMPORTANT NOTICE BEFORE START


These slides were prepared in accordance with the CISA Review Manual to act as a study
reference while you follow our course
These slides include extra information beyond what is discussed in the course
Feel free to search using “CTRL+F” in the slides to navigate to the relevant topic
you want to review
We cannot guarantee 100% that the slide order will match what you follow during
the course, so if you think this might be distracting for you, please consider
other resources
If you follow these slides along with the videos and take notes, you will be
amazing
For any information or suggestion, please leave a rating and feedback, and reach
us for support



CISA CERTIFICATION
Certified Information System Auditor - CISA
CISA is a certification issued by ISACA - Information Systems Audit and Control Association®
Information systems auditing, not just IT!
This training is based on the ISACA Review Manual
Pass the exam: 150 questions in 4 hours
Exam cost is 760 US$ for ISACA non-members
Membership is an annual fee you pay
Submit the application after the exam, have it attested and pay the processing fee
If you meet the criteria you will be certified

CISA Knowledge domains


1. Domain 1: IS Auditing Process (21%)
2. Domain 2: Governance and Management of IT (17%)
3. Domain 3: IS Acquisition, Development and Implementation (12%)
4. Domain 4: IS Operations and Business Resilience (23%)
5. Domain 5: Protection of Information Assets (27%)



DOMAIN 3: Information Systems Acquisition, Development and Implementation


About domain 3
The main objective of Domain 3 is to ensure that information systems are acquired, developed, and implemented
in a manner that fulfills business objectives, meets user requirements, and complies with regulatory and legal
requirements.
12% of the CISA exam questions, around 18 questions in the exam
1. Technology Acquisition process
2. Project management
3. Development process and development methodologies
4. Software testing
5. Software implementation and Post implementation
6. Application controls
7. Emerging technologies and their challenges on Auditing
IT computing node components


Server components
Processor (CPU): The CPU is the "brain" of the server and performs the calculations and
processing required to run the server software and services.
Memory (RAM): RAM provides temporary storage for data and instructions that the
CPU needs to access quickly. The amount of RAM a server has can affect its
performance when running multiple services or applications simultaneously.
Storage: Servers typically have one or more hard drives or solid-state drives (SSDs) for
storing data and software applications. Storage can be configured in various ways,
such as RAID arrays or network-attached storage (NAS).
Network interface: The network interface allows the server to communicate with other
devices on the network, such as client devices or other servers. This can be a wired
Ethernet interface or a wireless interface.



Hardware overview


OPERATING SYSTEM AND APPLICATIONS

OS or Kernel: Windows, Linux, AIX
DB Platform: MSSQL, ORACLE, MongoDB
Application Platform: Microsoft, Oracle, SAP
Web App Platform: Apache, Tomcat, IIS



APPLICATION ARCHITECTURE


Application’s server architecture

Web application (used from the web browser or mobile application on the frontend)
• Designed using: HTML, CSS, JavaScript
• On top of web platform: Apache*, Tomcat*, Microsoft IIS
• On top of OS: Windows, Linux
• Responds to: HTTP requests, API calls

Web application server / web service (backend)
• Designed using: C#, Python, PHP, Java
• On top of runtime platform: Python, .NET Framework
• On top of OS: Windows, Linux
• Responds to: HTTP requests, API calls

DB server (backend)
• On top of DB platform: MS-SQL, MySQL, Oracle DB, MongoDB
• On top of OS: Windows, Linux
• Responds to: SQL queries, Mongo Query Language (MQL)

Diagram on the slide: web browser and mobile application (frontend) call the web application server / web service, which calls the DB server (backend).
Logical layers in application architecture


Application architecture
Diagram on the slide: a server application receives HTTP calls and API calls from clients, makes SQL calls to the database, API calls to a dependent app, web API calls and web socket connections, API calls to file storage, and serves content through a CDN (HTTP calls and API calls).
Sequence diagram


Network architecture
Diagram on the slide: the service provider network connects through the WAN router; the Internet router, IPS, firewall, WAF and DMZ switch sit at the Internet edge; an L3 switch connects the intranet servers, the APP / DB VLAN, subnet or segment, and the security services VLAN, subnet or segment; a front-end L3 users switch connects the users, printers and guests segments.
Software product types AND LICENSES


Software/SYSTEM Product
Software products are either
◦ Generic / Commercial off the Shelf
◦ Customized / Developed
  ◦ In-house development
  ◦ Developed by another company
An application is written using a programming language and is either
◦ Open Source
◦ Closed Source / Proprietary



LICENSE TYPES
Proprietary
Open Source
Freeware
Shareware
Software Support license
Hardware support license


Proprietary license
Perpetual license
Subscription based
Enterprise license
OEM license
Site license
Named user license
Licenses can also be based on user count, CPU count, or on the performance
required (per transaction or per size of data processed)
For support licenses, the terms vary depending on the SLA and level of support



Intellectual property


Copyright
A Copyright is a form of legal protection for original works of authorship,
including literary, artistic, and musical works, as well as software code,
databases, and other types of creative works.
Copyright protection gives the owner of the copyright the exclusive right to
reproduce, distribute, display, and perform the copyrighted work, as well as to
create derivative works based on the original work.
Copyright protection typically lasts for the life of the author plus a certain
number of years after their death.



trademark
A trademark is a form of legal protection for a word, phrase, symbol, or design
that identifies and distinguishes the source of goods or services from those of
others.
Trademark protection gives the owner of the trademark the exclusive right to use
the mark in connection with the goods or services for which it is registered.
Trademark protection typically lasts as long as the mark is in use and remains
distinctive.


patent
A patent is a form of legal protection for inventions, including machines,
processes, and compositions of matter, as well as designs and plant varieties.
Patent protection gives the owner of the patent the exclusive right to make, use,
and sell the invention for a certain period, typically 20 years from the date of
filing.
To obtain a patent, the invention must be novel, non-obvious, and useful, and
the patent application must meet certain legal requirements.



trade secret
A trade secret is a type of intellectual property that refers to confidential
information that provides a competitive advantage to a business.
Examples of trade secrets can include customer lists, manufacturing processes,
pricing information, and proprietary technology.
Unlike patents, trademarks, and copyrights, trade secrets are not registered with
any government agency.
Trade secrets are protected using confidentiality agreements and other legal
contracts, as well as through physical and digital security measures to prevent
unauthorized access.


Acquisition process for new technology



Steps of acquiring new technology
1. Identify the need: this may involve conducting a needs assessment, analyzing current processes or workflows, and identifying areas for improvement.
2. Research potential solutions: research potential solutions that can address the need. This may involve reviewing product specifications, consulting with experts or vendors, and evaluating the costs and benefits of different options.
3. Develop a business case: develop a business case for the new technology. This may involve defining the expected benefits, estimating the costs and return on investment, and identifying any risks or challenges associated with the new technology.
4. Obtain funding: obtain funding to acquire and implement the new technology. This may involve securing budget allocations, obtaining grants or loans, or seeking investment from stakeholders.
5. Procure the technology: begin the process of procuring the new technology. This may involve issuing a request for proposal (RFP), evaluating vendor proposals, negotiating contracts, and finalizing the purchase agreement.
6. Implement and integrate: implement the technology and integrate it into the existing systems and processes. This may involve installing hardware or software, configuring settings, and training staff on how to use the new technology.
7. Evaluate and optimize: once the new technology has been implemented, the organization should evaluate its effectiveness and optimize its use. This may involve monitoring performance metrics, conducting user surveys, and making adjustments to workflows or processes as needed.

Researching potential solutions

Identify the needs from a technical perspective and from the stakeholders'
perspective
Assess the benefits required from the technology, and the introduction methods,
to align with the existing design and controls
Develop potential test cases for what is expected from this solution
Conduct online research; you may use vendor websites and other online
resources specialized in vendor assessment such as Gartner reports and Gartner
Peer review, Forrester Research and IDC
Identify the products or potential vendors and go through an assessment for
scalability and future needs as well
Perform testing, a pilot or a proof of concept “POC”, and assess solution
performance based on the test cases.



Gartner, Forrester, IDC


Test cases AND POC REPORT

Template columns: Test case | Test Criteria | Test Result
Example test cases (criteria and result to be filled in during the POC):
◦ Malware detection
◦ False positives
◦ Performance impact
◦ Update frequency
◦ Compatibility
◦ User interface
◦ Support



stakeholders
Customers
Strategy committee
Steering committee
Project Sponsor
Application development
System development
User management or end-users
Information Security
Quality assurance
Regulator, or other third parties


FEASIBILITY ANALYSIS and business case



Feasibility analysis
An assessment of whether a proposed project or initiative is technically,
economically, and operationally feasible.
Takes various factors into account, including economic, technical, and legal
factors, to ascertain the likelihood of completing the project successfully.
Consider how the project will impact the organization in terms of risk, costs, and
benefits.
Provides important information that can be used to develop a business case.

Steps of the feasibility analysis:
1. Define the project scope
2. Conduct analysis
3. Identify requirements based on stakeholder needs
4. Provide a recommended approach
5. Evaluate cost-effectiveness of the approach
6. Conduct a formal review with stakeholders


Business Case
A document that outlines the rationale for a proposed project or
investment, and provides a detailed analysis of the costs, benefits,
risks, and potential returns on investment.
A business case is a justification for a proposed project, developed
after the feasibility analysis has been conducted.
A business case provides the information required for an
organization to decide whether a project should proceed.
It is followed by either an RFP or a Request for Budget to assess the
budget cost.



Request for budget and proposal


Request for budget


A request for budget is a document that outlines the organization's
financial needs and requests funding from the relevant authorities
or stakeholders.
The purpose of a request for budget is to secure the necessary
funding to support the organization's operations, projects, or
initiatives.
It should be clear, concise, and well-supported by data and
evidence, and should make a compelling case for why the funding
is necessary and how it will support the organization's goals and
objectives.



Request for proposal (RFP)
A Request for Proposal (RFP) is a formal document that is used by organizations
to solicit proposals from vendors or service providers for a specific project or
initiative.
The RFP typically includes a detailed description of the project requirements, as
well as instructions for vendors to submit their proposals.

Typical RFP sections: Introduction and Background, Scope of Work, Deliverables, Schedule, Evaluation Criteria, Technical Requirements, Terms and Conditions, Contact Information


Project Management



Project
A project is a temporary process that is designed to achieve a specific goal or objective.
Projects are typically unique and have a defined scope, budget, and timeline.
Examples of projects include building a new office building, developing a new software
application, implementing a new business process, or launching a marketing campaign.
A project includes the following steps:
Initiating, Planning, Executing, Controlling, Closing


Project VS PROGRAM

Project
• Has specific objectives, deliverables, and start and end dates
• Shorter time

Programs
• Group of projects have a common objective
• Longer duration
Project Management Structures

Influence project organization
• The project manager has only a staff function without formal management authority.

Pure project organization
• The project manager has formal authority over those taking part in the project.

Matrix project organization
• Management authority is shared between the project manager and the department heads.


Project manager and project management office
A project manager is responsible for planning, organizing, executing, and closing a
project. The project manager is responsible for ensuring that the project is completed
on time, within budget, and to the required quality standards. The project manager
also manages the project team, communicates with stakeholders, and identifies and
manages risks and issues.
A Project Management Office (PMO) is an organizational unit that is responsible for
defining and maintaining project management standards, policies, and procedures.
The PMO provides support to project managers to ensure that projects are completed
successfully and consistently.
In summary, the project manager is responsible for managing the project, while the
PMO is responsible for providing guidance, support, and governance to ensure that
projects are completed successfully and efficiently.



Project planning and objective identification


Project Planning
Several key factors need to be considered to ensure that the project is completed
successfully:
Project Objectives
Project Scope
Project Deliverables
Project Schedule
Project Resources
Project Risks
Project Budget
Communication Plan and escalation matrix
Project planning helps in eliminating project creep faster
Project Objectives
The specific action statements that support the project goals.
Should be well defined and communicated
Should be tracked for the progress by identified KPIs (Key Performance Indicators)
Tracked and monitored by project steering committee
Can be divided into smaller sub-objectives for easier management and execution
(Object Breakdown & Work Breakdown)
OBS (Object Breakdown Structure) and WBS (Work Breakdown Structure) are two
important project management tools that are used to help plan, organize and
manage projects.


Object breakdown
Object Breakdown Structure (OBS) is a hierarchical structure that
breaks down a system or product into smaller components or
objects.
The OBS is typically used in engineering and manufacturing industries
to help organize and manage complex systems or products.
The OBS typically starts with the highest level of the system or product
and breaks it down into smaller components or subsystems. Each
component is then further broken down into smaller objects until the
entire system or product is fully defined.



Work Breakdown structure
A hierarchical decomposition of the project work into
smaller and more manageable components, called work
packages.
Used to organize, plan, and manage complex projects.
The WBS starts with the project's major deliverables, which
are then broken down into smaller, more manageable
components.


PROJECT SIZE ESTIMATION TOOLS



Project Cost Estimation Methods

Analogous estimate
• The cost of a new project is estimated based on prior projects.
• Fastest method
• Inflation and increased cost of labor might not be considered

Parametric estimate
• Past data is used to make the cost estimation, as well as other statistical methods that might consider additional parameters.
• More accuracy
• Consumes more time and requires experience.

Bottom-up estimate
• List all activities, then estimate each, then sum all of them
• Most accurate method, most complex and most time consuming


Project size/time estimation (for software development)

Source lines of Code (SLOC)
• Size estimation based on the total lines of code written in the source code of the software
• We may rely on OOP, so the modules are already there
• Does not fit complex projects
• Not an accurate method

Constructive Cost Model (COCOMO)
• Advanced form of SLOC
• Puts complexity into consideration
• May give better results

Function Point Analysis (FPA)
• Puts complexity, input, processing and output into consideration
• Uses indirect estimation methods to estimate the size of the software and the time required to create it
• More reliable than SLOC & COCOMO



Project SCHEDULING TOOLS


Critical Path Methodology / CPM

A CPM scheduling tool is a software application that is specifically designed to help
project managers create, manage and update their project schedules using the CPM
technique.
Used to create a schedule that identifies the critical path of a project and helps to
determine the shortest possible time to complete the project.
The tool allows project managers to define the project scope, activities, durations,
dependencies, and resources required to complete the project.
The critical path is the longest sequence of dependent activities that must be completed
to finish the project on time.
Activities on the critical path have zero slack time; by maintaining that, the critical
path keeps the shortest possible duration (slack time is the buffer or extra time an
activity can be delayed without delaying the project).
CPM always considers a single scenario for the time required, unlike other techniques;
treat the critical path as a priority, since any delay there delays the whole project.
CPM example


Program Evaluation Review Technique / PERT
It is a statistical tool that enables project managers to estimate the duration of a
project, identify the critical path, and manage project risks.
By using PERT, project managers can develop more accurate project schedules,
improve project performance, and increase the chances of project success.
PERT is followed by CPM for each task; PERT is more holistic than CPM as it is more
focused on the time required to complete the project, while CPM focuses on the
critical path.
PERT is probabilistic while CPM is deterministic: PERT uses three estimates for each
activity duration, while CPM uses only one.
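The CPM and PERT slides above describe the mechanics in words; the following is an added worked example (not from the slides or the course) that runs both on the same constructed activity network. It turns each activity's three PERT estimates (optimistic, most likely, pessimistic) into one expected duration with the standard PERT weighting (O + 4M + P) / 6, then runs the CPM forward and backward passes to get earliest/latest start and finish, slack, and the zero-slack critical path. Passing a single-estimate function instead shows the deterministic CPM variant the slide contrasts with PERT. The activity names, durations and dependencies are sample data constructed for the example.

```python
# Added example (not from the slides): PERT three-point estimates feeding a CPM
# forward/backward pass. The activity network below is constructed sample data.

# activity -> (optimistic, most likely, pessimistic, predecessors)
ACTIVITIES = {
    "A": (2, 4, 6, []),
    "B": (3, 5, 13, ["A"]),
    "C": (1, 2, 3, ["A"]),
    "D": (4, 6, 8, ["B"]),
    "E": (2, 3, 10, ["C"]),
    "F": (1, 1, 1, ["D", "E"]),
}


def pert_expected(optimistic, most_likely, pessimistic):
    """PERT weighted expected duration: (O + 4M + P) / 6."""
    return (optimistic + 4 * most_likely + pessimistic) / 6


def single_estimate(optimistic, most_likely, pessimistic):
    """Deterministic CPM input: ignore the spread, use the most likely value."""
    return float(most_likely)


def topological_order(activities):
    """Order activities so every predecessor comes before its successors."""
    order, seen = [], set()

    def visit(name):
        if name in seen:
            return
        seen.add(name)
        for pred in activities[name][3]:
            visit(pred)
        order.append(name)

    for name in activities:
        visit(name)
    return order


def cpm_schedule(activities, duration_fn=pert_expected):
    """Forward pass (ES/EF), backward pass (LS/LF), slack and critical path."""
    dur = {a: duration_fn(*spec[:3]) for a, spec in activities.items()}
    order = topological_order(activities)

    es, ef = {}, {}
    for a in order:                       # forward pass: earliest start/finish
        es[a] = max((ef[p] for p in activities[a][3]), default=0.0)
        ef[a] = es[a] + dur[a]
    project_duration = max(ef.values())

    successors = {a: [] for a in activities}
    for a, spec in activities.items():
        for p in spec[3]:
            successors[p].append(a)

    ls, lf = {}, {}
    for a in reversed(order):             # backward pass: latest start/finish
        lf[a] = min((ls[s] for s in successors[a]), default=project_duration)
        ls[a] = lf[a] - dur[a]

    # slack = how long an activity can slip without delaying the project;
    # zero-slack activities form the critical path
    slack = {a: round(ls[a] - es[a], 6) for a in activities}
    critical_path = [a for a in order if slack[a] == 0]
    return {
        "durations": dur, "es": es, "ef": ef, "ls": ls, "lf": lf,
        "slack": slack, "critical_path": critical_path,
        "project_duration": project_duration,
    }


if __name__ == "__main__":
    for label, fn in (("PERT", pert_expected), ("CPM single estimate", single_estimate)):
        s = cpm_schedule(ACTIVITIES, fn)
        print(f"{label}: duration {s['project_duration']:.2f}, "
              f"critical path {'-'.join(s['critical_path'])}")
        for a in ACTIVITIES:
            print(f"  {a}: dur={s['durations'][a]:.2f} ES={s['es'][a]:.2f} "
                  f"LF={s['lf'][a]:.2f} slack={s['slack'][a]:.2f}")
```

On this network the critical path is A-B-D-F either way, but the PERT durations stretch it to 17 time units against 16 from the single most-likely estimates, because the pessimistic estimate on B pulls its expected duration up; that difference is the "probabilistic versus deterministic" point the slide makes.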



PERT example


Gantt chart
Gantt chart is a horizontal bar chart that represents project tasks and activities
along a timeline.
Show the chronological order of activities, and show when activity should start
and end to monitor the overall project progress
Gantt charts are useful for visualizing the project schedule and identifying task
dependencies.
Gantt chart typically uses a single estimate for task duration
Gantt chart does not explicitly show the critical path
Gantt chart focuses more on schedule management, risk is not in focus
Suitable for simpler and more predictable projects.



GANTT CHART EXAMPLE


Project Scheduling tools (Timebox Management)
Involves breaking down a project into time-bound iterations or
timeboxes. Each timebox typically lasts between one and four weeks
and includes a set of tasks or activities that must be completed
within the timebox.
A time management method
Leads to more focused work and better quality in delivery, and
prevents cost overruns
The term is very common in the Agile development methodology and
in methods such as Prototyping and Rapid Application Development
in the software development field.



Project Scheduling tools (EVA)
Earned value analysis is a technique used to measure the progress of a project against its planned schedule and budget.
Helps to monitor project progress, identify problems early on, and take corrective action to keep
the project on track.
Forecasts the completion date and the final cost, and analyzes any variance in the budget
(cost variance), the schedule (schedule variance) or the earned value (earned value performance
index)
SV, CV and EVPI are known as EV metrics
Helps in determining if the project is on track, behind schedule or over budget
EVA is used to predict and forecast the project progress
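The EV metrics named above, worked through in code as an added example that is not part of the slides: it derives planned value and earned value from the budget at completion and the planned versus completed share of work, then computes the schedule and cost variances (SV, CV), the schedule and cost performance indices (SPI, CPI, the standard names for the performance indices the slide groups as EVPI) and the usual cost forecast EAC = BAC / CPI. The budget and progress figures are constructed sample data.

```python
# Added example (not from the slides): earned value metrics for one reporting
# period. All budget and progress figures are constructed sample data.


def earned_value_metrics(bac, planned_fraction, earned_fraction, actual_cost):
    """Return PV, EV, AC, the variances (SV, CV), the performance indices
    (SPI, CPI) and the cost forecast EAC = BAC / CPI.

    bac:              budget at completion (total planned cost of the project)
    planned_fraction: share of the work that should be done by now
    earned_fraction:  share of the work actually done by now
    actual_cost:      money spent so far
    """
    pv = bac * planned_fraction          # planned value: budgeted cost of work scheduled
    ev = bac * earned_fraction           # earned value: budgeted cost of work performed
    ac = float(actual_cost)              # actual cost of work performed
    sv = ev - pv                         # schedule variance (negative = behind schedule)
    cv = ev - ac                         # cost variance (negative = over budget)
    spi = ev / pv if pv else float("nan")        # schedule performance index
    cpi = ev / ac if ac else float("nan")        # cost performance index
    eac = bac / cpi if cpi > 0 else float("nan")  # estimate at completion (NaN > 0 is False)
    return {"PV": pv, "EV": ev, "AC": ac, "SV": sv, "CV": cv,
            "SPI": spi, "CPI": cpi, "EAC": eac}


def project_status(metrics):
    """Translate the EV metrics into the on-track / behind / over-budget call."""
    schedule = ("behind schedule" if metrics["SV"] < 0
                else "ahead of schedule" if metrics["SV"] > 0 else "on schedule")
    cost = ("over budget" if metrics["CV"] < 0
            else "under budget" if metrics["CV"] > 0 else "on budget")
    return f"{schedule}, {cost}"


# Constructed status report: 100,000 budget, 50% of the work planned by now,
# 40% actually completed, 50,000 spent so far.
SAMPLE = dict(bac=100_000, planned_fraction=0.5, earned_fraction=0.4, actual_cost=50_000)

if __name__ == "__main__":
    m = earned_value_metrics(**SAMPLE)
    for name, value in m.items():
        print(f"{name}: {value:,.2f}")
    print(project_status(m))
```

With the sample figures both indices come out at 0.8, so the project has earned only 80% of what it planned and spent 25% more per unit of value than budgeted; the EAC forecast of 125,000 is the "predict and forecast" use of EVA the slide refers to.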


Project closure



Project Closure
Performance Evaluation: The performance of the project is evaluated against the project
objectives and success criteria to determine whether the project was successful.
Deliverable Acceptance: The project deliverables are reviewed and accepted by the
stakeholders to ensure that they meet the required quality standards and are complete.
Resource Release: The project resources are released from the project and reassigned to other
projects or operational activities.
Financial Closure: The project finances are reviewed and closed, including the final budget and
any outstanding expenses or payments.


Project Closure
Lessons Learned: A lessons learned process is conducted to identify areas of
improvement and best practices to be applied to future projects.
Project Closure Report: A project closure report is prepared to document the
results of the project and to provide a record of the project for future reference.
Communication: The project closure is communicated to all stakeholders,
including the project team, sponsors, and other relevant stakeholders.



Auditor roles in project management review


Auditor’s role in the feasibility analysis and business case
◦ Review the assumptions made in the business case and feasibility analysis to determine
if they are reasonable and based on accurate data.
◦ Audit the feasibility analysis to determine if it was conducted comprehensively and if it
included all relevant factors, such as technical, economic, and operational feasibility.
◦ Review the cost estimates in the business case and feasibility analysis to ensure that
they are accurate, complete, and reasonable.
◦ Check whether the required need can be achieved with an existing solution
◦ Audit the alternatives analysis to ensure that it was conducted comprehensively and
objectively.
◦ Review the project plan to ensure that it is comprehensive, realistic, and achievable.



Auditor’s role in project management
◦ Evaluating the effectiveness of project management processes and controls.
◦ Reviewing project documentation: the auditor may review project documentation,
such as project charters, project plans, status reports, and contracts, to ensure that
they are complete, accurate, and consistent.
◦ Reviewing the exception process (if any) to verify that it follows the governance requirements
◦ Assessing the project performance against goals and intended benefits
◦ Reviewing the project acceptance process and the reports related to testing


Software development overview



What is programming?
Programming is the process of creating computer software, applications, and
systems using a programming language.
A programming language is a set of instructions and rules that are used to
communicate with a computer and tell it what to do.
Programmers use programming languages to write code, which is a series of
instructions that the computer can understand and execute.
Programming involves several steps, including planning, designing, coding,
testing, and maintaining the software.
A program consists of code and modules


How is a program written?

Coding refers to writing computer code in a way that achieves the program requirements
Program code is known as source code; it can be closed source or open source
A module is a self-contained unit of code that performs a specific function or set of
functions; modules are designed to be reusable and interchangeable
Each program is written in a specific programming language
The programming language influences the environment where the program can run, such
as Windows, Linux, Android, iOS
Some cross-platform languages exist (Java, Python, C# - C Sharp, Kotlin)



Coding tools
The tool used to write code is called an Integrated Development Environment
(IDE). An IDE is a software application that provides programmers with a
comprehensive environment for writing and testing software, e.g. Microsoft Visual
Studio, PyCharm, Eclipse, Atom
An IDE is also known as a CASE tool (COMPUTER-AIDED SOFTWARE ENGINEERING)
An IDE or CASE tool can be used in code auditing and debugging as well
Code generators can generate source code based on parameters defined by the
developer or system analyst.


Types of programming language



Code in real life & OOP, OOSD, CBD


EXAMPLE FOR PROGRAMMING CODE



Object oriented programming
In OOP, a system is modeled as a collection of interacting objects, each with its own set of properties and behaviors.


OOSD & CBD


Object-oriented system development is an approach to software development
that emphasizes the use of object-oriented programming (OOP) techniques for
designing and building complex software systems.
In OOP, a system is modelled as a collection of interacting objects, each with its
own set of properties and behaviours.
Component-Based Development (CBD) is a software development approach
that emphasizes the use of reusable software components to build complex
software systems.
In CBD, a software system is created by assembling pre-existing, independently
developed components into a larger system.



OOSD & CBD Examples


Software re-engineering and reverse engineering



SOFTWARE RE-ENGINEERING
Software re-engineering is the process of transforming an existing software
system into a new form, using modern programming languages, tools, and
techniques.
This may involve re-architecting the system to improve its scalability,
maintainability, and performance, as well as updating the system to support new
features and technologies.
Software re-engineering is typically done to extend the life of a legacy system or
to migrate it to a new platform.


SOFTWARE REVERSE ENGINEERING

Software reverse engineering is the process of analysing an existing software system
to extract information about its design, behaviour, or implementation.
This may involve analysing the source code, binaries, or other artifacts of the
system, and using reverse engineering tools and techniques to understand how
the system works.
Software reverse engineering is typically done to gain insight into a system, to
recover lost or missing source code, or to create interoperable components for
the system.



Software development
methodologies


Software development life cycle
The software development life cycle (SDLC) is a process used by software development
teams to plan, design, build, test, and deploy software applications.
SDLC is a continuous process, and each phase may overlap with others. The exact process
may vary depending on the specific development methodology used.
Typical phases are Planning, Analysis, Design, Implementation, Testing, Deployment,
Maintenance
Many development methodologies exist; the general phases remain the same



WATERFALL MODEL
Traditional model for software development
Suitable if requirements are defined properly up front
Suitable when no change is expected
No fallback to an earlier phase (new requirements cannot be accommodated once a phase is complete)


AGILE METHODOLOGY
Agile methodology is an iterative and incremental approach to software development
that emphasizes flexibility, collaboration, and customer satisfaction.
It was developed as a response to the rigid and inflexible approach of traditional software
development methodologies, such as the Waterfall model.
The Agile process is typically divided into short iterations, or sprints, which can last from
one to four weeks. During each sprint, the development team works on a set of
prioritized tasks, called user stories, which are identified and prioritized by the product
owner or customer.
In each iteration, the full SDLC is considered
Emphasizes collaboration, transparency, and continuous improvement.



AGILE / SCRUM
Scrum is based on the idea of short iterations, called
sprints, which typically last two to four weeks.
At the start of each sprint, the development team meets with the product
owner to identify and prioritize user stories, or tasks, for the sprint.
The team then creates a sprint backlog, which is a list
of tasks that they will work on during the sprint.
During the sprint, the team meets daily for a short
stand-up meeting, or scrum, to discuss progress,
identify any obstacles, and plan the work for the next
day.
At the end of the sprint, the team reviews the work that
was completed and demonstrates a potentially
shippable product increment to the product owner
and stakeholders.

SCRUM Roles
The product owner, who is responsible for defining and prioritizing the
product backlog, represents the end users and communicates their requirements
The development team, who are responsible for delivering the product
increment; typically 5-9 members
The scrum master, who is responsible for promoting and facilitating the
scrum process and acts as the project manager



Rapid application development
and prototyping
Prototyping is another way of doing Agile: the project is broken into smaller
versions and developed incrementally.
Using a prototype, users can provide feedback, which helps adapt the product
to user requirements
Prototyping helps in getting an early version of the product
RAD uses smaller teams and relies on the prototyping concept; it is suitable for
tight timelines. The greatest advantage of RAD is the shortened development
time achieved by adopting Rapid Application Prototyping (RAP)


Spiral model
Combination between waterfall and prototyping
Project is divided to phases
In each phase, a risk assessment and an evaluation of alternatives are
performed
The result of the risk assessment and requirements review decides whether
the project will continue or not
Helps to avoid losses very early



Test cases


Use case
Testing technique that involves creating and executing tests based on how a
user would interact with the software in real-world scenarios.
Used to validate the functionality, usability, and reliability of the software
application, and to ensure that it meets the requirements and expectations of
end users.
Use case testing typically involves creating test scenarios based on user stories,
personas, or other representations of typical users, and executing these scenarios
to validate the behaviour of the software application.
Helpful in identifying user requirements and acceptance criteria



Misuse / abuse test case
Testing technique that involves testing the software application for potential
security vulnerabilities and misuse scenarios.
Used to identify and prevent attacks that may be carried out by malicious actors
or attackers.
Misuse case testing typically involves creating test scenarios based on known
attack vectors and vulnerabilities and executing these scenarios to validate the
security and resilience of the software application.
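The two slides above describe use case tests (what a legitimate user does) and misuse or abuse case tests (what a malicious or careless caller might send). The following is an added example, not part of the original slides: a small funds-transfer function with the input controls a practitioner would expect, one use case test, and a table of misuse cases that must all be rejected without touching the balances. The account ids, balances and the daily limit are constructed for illustration.

```python
"""Use-case and misuse-case tests for a small funds-transfer function.

Added example for this slide deck; the transfer function, the account ids,
the balances and the daily limit are constructed for illustration.
"""
from decimal import Decimal


class TransferError(ValueError):
    """Raised when a transfer is rejected by an application control."""


DAILY_LIMIT = Decimal("1000.00")  # assumed limit-check value


def sample_accounts():
    """Constructed sample data: account id -> balance."""
    return {"ACC-1001": Decimal("500.00"), "ACC-1002": Decimal("120.00")}


def transfer(accounts, src, dst, amount):
    """Move funds between accounts, enforcing input controls before any state change."""
    if not isinstance(amount, Decimal):               # content check: exact type, no floats
        raise TransferError("amount must be a Decimal")
    if amount <= 0:                                   # content check: sign
        raise TransferError("amount must be positive")
    if amount != amount.quantize(Decimal("0.01")):    # content check: precision
        raise TransferError("amount must have at most two decimal places")
    if amount > DAILY_LIMIT:                          # limit check
        raise TransferError("amount exceeds daily limit")
    if src == dst:
        raise TransferError("source and destination must differ")
    if src not in accounts or dst not in accounts:    # validity check
        raise TransferError("unknown account")
    if accounts[src] < amount:
        raise TransferError("insufficient funds")
    accounts[src] -= amount
    accounts[dst] += amount
    return accounts


def use_case_normal_transfer():
    """Use case: a legitimate transfer moves money and conserves the total."""
    accounts = sample_accounts()
    total_before = sum(accounts.values())
    transfer(accounts, "ACC-1001", "ACC-1002", Decimal("100.00"))
    return (accounts["ACC-1001"] == Decimal("400.00")
            and accounts["ACC-1002"] == Decimal("220.00")
            and sum(accounts.values()) == total_before)


# Misuse cases: inputs an attacker or a careless client might send; each must be rejected.
MISUSE_INPUTS = [
    ("negative amount reverses the flow", "ACC-1001", "ACC-1002", Decimal("-50.00")),
    ("overdraft", "ACC-1002", "ACC-1001", Decimal("999.00")),
    ("self-transfer", "ACC-1001", "ACC-1001", Decimal("10.00")),
    ("unknown destination", "ACC-1001", "ACC-9999", Decimal("10.00")),
    ("float instead of Decimal", "ACC-1001", "ACC-1002", 10.005),
    ("sub-cent amount", "ACC-1001", "ACC-1002", Decimal("0.001")),
    ("over daily limit", "ACC-1001", "ACC-1002", Decimal("5000.00")),
]


def unhandled_misuse_cases():
    """Return names of misuse cases that were NOT properly rejected (expected: none).

    A case counts as unhandled if the transfer went through, or if it was
    rejected only after the balances had already been modified.
    """
    unhandled = []
    for name, src, dst, amount in MISUSE_INPUTS:
        accounts = sample_accounts()
        before = dict(accounts)
        try:
            transfer(accounts, src, dst, amount)
            unhandled.append(name)
        except TransferError:
            if accounts != before:
                unhandled.append(name)
    return unhandled
```

The misuse table is the part worth keeping in the regression suite: each row documents one attack vector or known failure mode, and the second check in `unhandled_misuse_cases` catches the subtler defect of a control that fires only after state has changed.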


Application controls



How to identify the required
controls
Risk Management
Threat Modeling
Abuse case scenario
Strive for a balance between usability and security


Application controls
Input stage: only full, accurate and correctly typed data is entered into the system
Process or transmit stage: the correct task is performed and data is delivered properly
Output stage: output results are as expected



INPUT CONTROL: AUTHORIZATION
ANY INPUT SHOULD BE AUTHORIZED AND ALLOWED BASED ON MANAGEMENT
APPROVAL
EXAMPLES OF HOW TRANSACTION APPROVAL IS ENFORCED:
◦ File type or Source document
◦ Internal Approval Cycle
◦ Source device or user used for data input via Access Control


Input control : input batch check


Input batch controls are a set of procedures and techniques used to ensure the
accuracy, completeness, and validity of data entered into a computer system.
One type of input batch control is the input batch check, which is a set of procedures
designed to validate the data in a batch of input records before they are processed
by the system.
An input batch check can validate
◦ Record count and batch totals (item count, hash total): verify that the number of records
in the batch, and the total of a chosen field, match the values expected by the sender.
◦ Content check: checking the content of each field in each record to ensure that it is valid and
within the expected range.
◦ Limit check: reject input values that exceed a predefined limit (count or value)
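As an added example (not from the original slides), here is an input batch check that applies the controls just listed to a small batch: the record count and hash total from the batch header, a content check on every field, a limit check on each amount, and a financial total. The batch, its header totals, the account-number format and the single-transaction limit are all constructed.

```python
"""Input batch check over a constructed batch of transaction records.

Added example for this slide deck, not the deck's own material. The batch,
its header control totals and the single-transaction limit are constructed.
"""
import copy
import re
from decimal import Decimal, InvalidOperation

ACCOUNT_RE = re.compile(r"^\d{4}$")      # assumed account-number format
VALID_TYPES = {"CR", "DR"}
MAX_AMOUNT = Decimal("1000.00")          # assumed limit-check threshold

# Constructed batch: the sender computes the control totals over what it sent.
# hash_total is the (meaningless) sum of account numbers: 1001+1002+398+3 = 2404.
SAMPLE_BATCH = {
    "header": {"record_count": 4, "hash_total": 2404, "amount_total": "1450.75"},
    "records": [
        {"account": "1001", "amount": "500.00", "type": "CR"},
        {"account": "1002", "amount": "250.25", "type": "DR"},
        {"account": "0398", "amount": "700.50", "type": "CR"},
        {"account": "0003", "amount": "0.00",   "type": "CR"},  # fails the content check
    ],
}


def check_batch(batch):
    """Return a list of control failures; an empty list means the batch may be processed."""
    failures = []
    header, records = batch["header"], batch["records"]

    # Record count: number of records received must equal the count in the header.
    if len(records) != header["record_count"]:
        failures.append(f"record count {len(records)} != header {header['record_count']}")

    # Hash total: sum of a non-financial field, detects lost, added or altered records.
    hash_total = sum(int(r["account"]) for r in records if r["account"].isdigit())
    if hash_total != header["hash_total"]:
        failures.append(f"hash total {hash_total} != header {header['hash_total']}")

    amounts = []
    for i, r in enumerate(records, 1):
        # Content check: each field present, well formed and in the expected range.
        if not ACCOUNT_RE.match(r["account"]):
            failures.append(f"record {i}: account {r['account']!r} malformed")
        if r["type"] not in VALID_TYPES:
            failures.append(f"record {i}: type {r['type']!r} invalid")
        try:
            amount = Decimal(r["amount"])
        except InvalidOperation:
            failures.append(f"record {i}: amount {r['amount']!r} not numeric")
            continue
        amounts.append(amount)
        if amount <= 0:
            failures.append(f"record {i}: amount must be positive")
        # Limit check: reject values above the predefined maximum.
        if amount > MAX_AMOUNT:
            failures.append(f"record {i}: amount {amount} exceeds limit {MAX_AMOUNT}")

    # Financial total: sum of the amount field must equal the header total.
    if sum(amounts) != Decimal(header["amount_total"]):
        failures.append(f"amount total {sum(amounts)} != header {header['amount_total']}")
    return failures


def batch_with_lost_record(batch=SAMPLE_BATCH):
    """Constructed failure: one record dropped in transit, header left unchanged."""
    damaged = copy.deepcopy(batch)
    del damaged["records"][1]
    return damaged
```

Running `check_batch(SAMPLE_BATCH)` reports only the zero-amount record; running it on `batch_with_lost_record()` additionally trips the record count, the hash total and the financial total, which is the point of carrying sender-side control totals in the header.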



Input control : CHECK DIGIT
A check digit is a single digit added to a numerical code to detect errors
introduced during data entry or transmission.
It is calculated using a mathematical algorithm that takes into account the other
digits in the code.
The check digit is used to verify the accuracy of the code during data entry or
transmission: the receiving side recalculates the check digit from the other digits,
and if the recalculated digit matches the one supplied, the code is assumed to be
accurate.
The use of a check digit can help to reduce errors and improve accuracy in
data entry and transmission, save time and money, and improve the reliability of
business processes.
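An added example, not from the original slides, using the Luhn algorithm (the check-digit scheme behind many card and account numbers) to show the calculation, the validation, and the limits of a single check digit: every single-digit error is caught, but the adjacent transposition of 0 and 9 is not. The code strings are constructed and are not real account or card numbers.

```python
"""Luhn check digit: computing, validating, and what it does and does not catch.

Added example for this slide deck; the code strings are constructed and are
not real account or card numbers.
"""


def luhn_check_digit(payload: str) -> str:
    """Return the digit that makes payload + digit valid under the Luhn algorithm."""
    if not payload.isdigit():
        raise ValueError("payload must be decimal digits")
    total = 0
    # The check digit will sit at the far right, so every second digit counted
    # from the rightmost payload digit is doubled (and 9 subtracted if > 9).
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(code: str) -> bool:
    """Recompute the check digit from the payload and compare with the digit received."""
    if not code.isdigit() or len(code) < 2:
        return False
    return luhn_check_digit(code[:-1]) == code[-1]


def single_digit_errors_detected(code: str) -> bool:
    """True if changing any one digit to any other value is always caught."""
    for i, ch in enumerate(code):
        for repl in "0123456789":
            if repl != ch and luhn_valid(code[:i] + repl + code[i + 1:]):
                return False
    return True


def adjacent_transposition_detected(code: str, i: int) -> bool:
    """True if swapping digits i and i+1 is caught (the pair must differ)."""
    if code[i] == code[i + 1]:
        raise ValueError("digits are equal; swapping changes nothing")
    swapped = code[:i] + code[i + 1] + code[i] + code[i + 2:]
    return not luhn_valid(swapped)
```

The blind spot matters for an auditor reviewing input controls: a check digit is a data-entry control against typos, not an integrity control against deliberate alteration, since anyone who knows the algorithm can recompute a valid digit.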


Processing controls: parity bit
A parity bit is an extra bit added to a binary code to detect errors during data
transmission or storage.
It is used to ensure that the number of bits with a value of one in a transmission or
storage block is either even or odd.
The parity bit is calculated based on the values of the other bits in the block, and
is set to either a one or a zero
When the block is received or retrieved, the parity bit is recalculated and
compared to the original value. If the values do not match, an error has
occurred, and corrective action can be taken.
The use of a parity bit helps to improve the reliability of data transmission and
storage by detecting errors so that corrective action, such as retransmission, can be taken.



Processing/transmission controls
Checksum
◦ More advanced than parity bit
◦ Can recognize more complex errors
◦ Detect the error only
Cyclic redundancy check
◦ Known as CRC
◦ More advanced than the checksum
◦ Detect the error only
Forward error control
◦ Detect and correct the error
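The parity-bit slide and the checksum/CRC slide above rank these controls by what they can detect. As an added example (not from the original slides), the block below attaches all three tags to one constructed message and injects three error classes: a single flipped bit, two flipped bits in the same byte, and two swapped bytes. Parity misses the even-count flip, the additive checksum misses the swap, and CRC-32 catches all three; none of them corrects anything, which is what forward error control adds. The message and the error positions are constructed; `zlib.crc32` is the standard library's CRC-32.

```python
"""Parity bit, additive checksum and CRC-32 applied to the same message.

Added example for this slide deck, not the deck's own material. The message
and the injected errors are constructed. Each control only detects; none of
them corrects anything, which is what forward error control adds on top.
"""
import zlib

MESSAGE = b"TXN 0042 CREDIT 1500.00 ACC 1001"   # constructed record


def even_parity_bit(data: bytes) -> int:
    """Parity bit chosen so the total number of 1 bits (data + bit) is even."""
    ones = sum(bin(b).count("1") for b in data)
    return ones % 2


def additive_checksum(data: bytes) -> int:
    """Sum of all byte values modulo 256; blind to byte order."""
    return sum(data) % 256


def crc32(data: bytes) -> int:
    """CRC-32 (IEEE polynomial, as used by zlib, PNG and Ethernet)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def protect(data: bytes) -> dict:
    """Compute all three tags the sender would attach to the block."""
    return {"parity": even_parity_bit(data),
            "checksum": additive_checksum(data),
            "crc32": crc32(data)}


def verify(received: bytes, tags: dict) -> dict:
    """Receiver side: recompute each tag; True means that control detected a change."""
    fresh = protect(received)
    return {name: fresh[name] != value for name, value in tags.items()}


# Constructed error injection; bit index 0 is the least significant bit of byte 0.
def flip_bits(data: bytes, *bit_positions: int) -> bytes:
    out = bytearray(data)
    for pos in bit_positions:
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


def swap_bytes(data: bytes, i: int, j: int) -> bytes:
    out = bytearray(data)
    out[i], out[j] = out[j], out[i]
    return bytes(out)


def demo(message: bytes = MESSAGE) -> dict:
    """Three error classes against the three controls."""
    tags = protect(message)
    return {
        "single_bit": verify(flip_bits(message, 3), tags),
        "two_bits_same_byte": verify(flip_bits(message, 0, 1), tags),
        "swapped_bytes": verify(swap_bytes(message, 4, 7), tags),   # "0042" -> "2040"
    }
```

The swapped-bytes case is the one to remember: it turns a valid-looking record into a different valid-looking record without changing the byte sum, so an additive checksum is no defence against reordering, and neither CRC nor checksum is a defence against a deliberate change, since the attacker can recompute them.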

Output controls
Output controls are a set of procedures and techniques used to ensure the
accuracy, completeness, and security of data output from an application.
Examples of output controls
◦ Reconciliation: comparing output to input (automated system balancing)
◦ Validity checking: ensure output data is within the acceptable range
◦ Accuracy check: ensure output data is accurate and not corrupted
◦ Filtering: remove sensitive or unnecessary data from the output
◦ Access control: ensure output is visible only to authorized people
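Added example, not from the original slides: the reconciliation, validity and filtering controls above applied to a constructed posting run. `process` stands in for the processing stage; `reconcile` balances its output back to the input by line count, identity and control total, and `prepare_report` range-checks each output value and masks account numbers before anything is printed. The transactions and the range limit are constructed.

```python
"""Output-stage controls: reconciliation to input, validity range, and filtering.

Added example for this slide deck; the transactions and the range limit are
constructed, and the processing step is a stand-in for a real posting engine.
"""
from decimal import Decimal

# Constructed transactions that passed the input stage.
INPUT_TXNS = [
    {"id": 1, "account": "1001", "amount": Decimal("500.00"), "type": "CR"},
    {"id": 2, "account": "1002", "amount": Decimal("250.25"), "type": "DR"},
    {"id": 3, "account": "0398", "amount": Decimal("700.50"), "type": "CR"},
]
MAX_POSTED = Decimal("10000.00")   # assumed validity range for one output line


def signed_amount(txn):
    return txn["amount"] if txn["type"] == "CR" else -txn["amount"]


def process(txns):
    """Processing stage: post every transaction, one output line per input."""
    return [{"id": t["id"], "account": t["account"], "posted": signed_amount(t)} for t in txns]


def reconcile(inputs, outputs):
    """Automated system balancing: compare output back to input.

    Returns a list of exceptions; an empty list means the run balanced.
    """
    exceptions = []
    if len(outputs) != len(inputs):
        exceptions.append(f"line count: {len(outputs)} output vs {len(inputs)} input")
    in_ids, out_ids = {t["id"] for t in inputs}, [o["id"] for o in outputs]
    for missing in sorted(in_ids - set(out_ids)):
        exceptions.append(f"input {missing} has no output line")
    for extra in sorted(set(out_ids) - in_ids):
        exceptions.append(f"output {extra} has no matching input")
    if len(out_ids) != len(set(out_ids)):
        exceptions.append("duplicate output lines")
    in_total = sum(signed_amount(t) for t in inputs)
    out_total = sum(o["posted"] for o in outputs)
    if in_total != out_total:
        exceptions.append(f"control total: input {in_total} vs output {out_total}")
    return exceptions


def mask_account(account: str) -> str:
    """Filtering control: expose only the last two digits on printed output."""
    return "*" * (len(account) - 2) + account[-2:]


def prepare_report(outputs):
    """Validity check on each output value, then filter sensitive fields."""
    report = []
    for o in outputs:
        if abs(o["posted"]) > MAX_POSTED:
            raise ValueError(f"output {o['id']}: posted {o['posted']} outside valid range")
        report.append({"id": o["id"], "account": mask_account(o["account"]),
                       "posted": str(o["posted"])})
    return report
```

A dropped or duplicated output line trips three exceptions at once (count, identity, total), which is why reconciliation reports are reviewed as a set rather than one mismatch at a time.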




OTHER TYPES OF CONTROLS


Auditing and logging controls
Anti-Debuggers
Sandboxing
Authorization and access controls



Software integrity controls | code signing
Code signing is the process of digitally signing software code to verify its
authenticity and integrity. Its purpose is to ensure that the code has not been
tampered with or modified by unauthorized parties, and to provide assurance to
users that the software is trustworthy.
An example of code signing is when a software developer signs their application
with a digital certificate before distributing it to users.
The digital signature is verified by the operating system or security software,
which checks the certificate against a trusted list of certificate authorities. If the
digital signature is valid, users can be assured that the software has not been
tampered with and can be installed and used safely.


Software testing



software testing
The process of evaluating a software application or system to detect defects or errors, and
to ensure that it meets the specified requirements and quality standards.
Quality standards are identified by QA team according to best practices.
Testing is a critical part of the software development lifecycle and is typically performed at
multiple stages of the development process.
Software testing aims to ensure software quality from multiple points of view
◦ Functional aspects (also known as reliability testing)
  ◦ Unit
  ◦ Regression
  ◦ Performance
  ◦ Integration
  ◦ UAT
◦ Non-functional aspects (concerned with the recoverability aspect)
  ◦ Load
  ◦ Stress testing
  ◦ Security

TESTING APPROACHES
Top-down testing involves testing higher-level modules first and progressively integrating
lower-level modules
Top-down testing is often more appropriate when there is a clear and well-defined overall
architecture or design for the software system, and where the higher-level modules or
components have a greater impact on the overall functionality of the system.
By testing the higher-level user interface first, any design or functional issues can be
identified early in the testing process, which can help to reduce the overall development
time and cost. Example: a web application with a front end and a back end
Bottom-up testing involves testing lower-level modules first and progressively integrating
higher-level modules.
Bottom-up testing is often preferred when the software system is large and complex,
and when the individual components are relatively independent and can be tested in
isolation. Example: a complex financial system



Unit, regression, integration testing
Unit testing
◦ Testing individual units or components of the software application in isolation to ensure that
they function correctly.
◦ Done by the developer at a very early stage to test program logic using test cases

Integration or interface testing
◦ Testing how individual units or components of the software application work together to
ensure that they function correctly as a whole.
◦ Done by developer and tester (QC)

Regression or verification testing
◦ Retesting the software application after changes have been made to ensure that existing
functionality has not been affected.
◦ Builds confidence that changes have not broken existing components.
◦ Done by developer and tester (QC)


Compatibility, sociability testing
Compatibility testing
◦ Testing the software application's compatibility with different hardware, operating
systems, and browsers. This helps ensure that the software application can function
properly in different environments.
◦ Done by developer and tester (QC)

Sociability testing
◦ Evaluates how well a software system or application interacts with external systems or
components.
◦ The goal of sociability testing is to ensure that the system or application is able to
communicate and exchange data with other systems or components in a reliable and
efficient manner.



Usability and system testing
Usability testing
◦ testing the software application's user interface and user experience to ensure that it is
user-friendly and easy to use. This includes testing for accessibility, ease of navigation,
and overall user satisfaction.
◦ Done by tester

System testing / quality assurance testing / alpha testing
◦ Testing the entire software application to ensure that it meets the specified
requirements and quality standards.
◦ System testing is a general term; in practice it includes security, load, stress and recovery tests.
◦ Done by testers (QC & Security) with minimal user impact


Performance, load, stress testing

Volume testing
◦ Evaluates the ability of a software application or system to handle large volumes of data or
transactions. The goal of volume testing is to ensure that the system is able to handle the expected
volume and variety of data without any errors or performance issues.

Performance testing
◦ Testing the software application's performance under various conditions, such as heavy user loads
or high volumes of data. This helps ensure that the software application can handle these
conditions without performance degradation.

Load Testing
◦ Evaluate how well the software application or system performs under expected or peak load
conditions, such as high user traffic or data volume.

Stress Testing
◦ Evaluate how well the software application or system performs under unexpected or extreme load
conditions, such as sudden spikes in user traffic or data volume, and ensure that exception handling is in place
Security Testing
◦ Testing the software application's security measures to ensure that it is secure
and protected against unauthorized access or attacks. This includes testing
for vulnerabilities in the software application's code and testing for
compliance with regulatory requirements.
◦ Vulnerability scanning: testing internal modules and libraries to identify whether
there are any vulnerable or outdated components
◦ Vulnerability assessment (VA) scans should preferably be authenticated (credentialed) rather than unauthenticated


Code review - SAST

◦ Secure code review
◦ Known as white-box or crystal-box testing, as everything is visible; the source code is required
◦ Uses both automated and manual tools
◦ Automated tools are known as static application security testing (SAST) tools; dynamic tools
(DAST), which emulate an attacker's interaction with the running application, are covered separately
◦ Examples: Micro Focus solutions, SonarQube, IBM AppScan
Fagan code inspection, or Fagan peer review, is a type of formal testing for code
developed in the 1970s. It helps identify coding errors, design flaws and performance
issues, and is adopted wherever the safety and reliability of software is a great concern.
◦ Stages: planning, overview, preparation, inspection, rework, follow-up



Dynamic application security
testing - dast
DAST (dynamic application security testing) involves running a software application with
a set of predefined inputs and analysing the output for potential security vulnerabilities;
it is commonly used alongside SCA (software composition analysis), covered on the next slide.
DAST typically involves a tool or set of tools that automate the process of testing the
application for common security vulnerabilities, such as SQL injection, cross-site
scripting (XSS), and buffer overflow vulnerabilities.
DAST is focused on testing the application from the outside, as if it were a potential
attacker.
DAST uses various techniques to achieve this objective, such as
◦ Synthetic transactions, which simulate user interactions to test the performance and
availability of a software application
◦ Interactive application security testing (IAST), which provides real-time feedback on security
vulnerabilities during application runtime.


Software composition analysis (SCA)
A software composition analysis (SCA) tool is a type of security tool used to analyze the
open source components and third-party libraries used in a software application.
SCA tools can detect and report on known vulnerabilities and license issues that
may be present in the software components used in an application.
SCA tools typically operate by scanning the software application's
dependencies and comparing them to a database of known vulnerabilities and
license issues.
They can provide a detailed report of the vulnerabilities and issues found, along
with recommendations for remediation and mitigation.
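Added example, not from the original slides, of what an SCA tool does at its core: it parses a pinned dependency list, matches each version against half-open vulnerable ranges in an advisory database, checks the licence against a policy, and rolls the findings up to a severity for a release gate. The package names, versions, advisory ids (`ADV-EXAMPLE-*`) and the licence policy are constructed placeholders, not real packages or published advisories.

```python
"""Software composition analysis in miniature: match pinned dependencies
against an advisory and licence database.

Added example for this slide deck. The package names, versions, advisory
ids (ADV-EXAMPLE-*) and the licence policy are all constructed placeholders,
not real packages or published advisories.
"""


def parse_version(version: str) -> tuple:
    """'1.9.3' -> (1, 9, 3); plain numeric versions only (assumption)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """Affected if introduced <= version < fixed (half-open range, as advisory feeds use)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


# Constructed lock file: package -> pinned version.
MANIFEST = {"jsonparse": "2.4.1", "httpkit": "1.9.0", "fastcrypt": "0.3.2", "logfmt": "3.0.0"}

# Constructed advisory database: package -> (introduced, fixed, advisory id, severity).
ADVISORIES = {
    "jsonparse": [("2.0.0", "2.4.2", "ADV-EXAMPLE-0001", "high")],
    "httpkit": [("1.0.0", "1.8.5", "ADV-EXAMPLE-0002", "critical"),
                ("1.9.0", "1.9.3", "ADV-EXAMPLE-0003", "medium")],
    "fastcrypt": [("0.0.0", "0.4.0", "ADV-EXAMPLE-0004", "high")],
}
LICENCES = {"jsonparse": "MIT", "httpkit": "Apache-2.0", "fastcrypt": "AGPL-3.0", "logfmt": "MIT"}
DISALLOWED_LICENCES = {"AGPL-3.0"}   # assumed organisational policy


def scan(manifest=MANIFEST, advisories=ADVISORIES, licences=LICENCES):
    """Return one finding per vulnerable range or licence-policy hit, with a remediation."""
    findings = []
    for package, version in sorted(manifest.items()):
        for introduced, fixed, advisory_id, severity in advisories.get(package, []):
            if is_affected(version, introduced, fixed):
                findings.append({"package": package, "version": version, "id": advisory_id,
                                 "severity": severity, "remediation": f"upgrade to >= {fixed}"})
        licence = licences.get(package, "unknown")
        if licence in DISALLOWED_LICENCES or licence == "unknown":
            findings.append({"package": package, "version": version, "id": f"licence:{licence}",
                             "severity": "policy", "remediation": "replace component or obtain approval"})
    return findings


def highest_severity(findings):
    """Roll-up used for a go/no-go gate; 'policy' hits are reported but not ranked."""
    order = ["critical", "high", "medium", "low"]
    ranked = [f["severity"] for f in findings if f["severity"] in order]
    return min(ranked, key=order.index) if ranked else None
```

Note the `httpkit` case: the pinned version is outside the older critical range but inside a newer medium one, which is why SCA matches every range rather than stopping at the first advisory for a package.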



RUNTIME APPLICATION SELF
PROTECTION (RASP)
RASP (runtime application self-protection) is not a testing tool but a security
technology that operates within the application runtime and can detect and
prevent attacks in real time.
RASP can identify and block attacks at the application layer, even if the
application has vulnerabilities that have not yet been identified or patched.
RASP comes as a solution that you integrate your application with, for
example
◦ AppTrana
◦ Contrast Security
◦ Sqreen
◦ Waratek


Penetration testing
◦ Penetration testing: black box (no knowledge) and grey box (partial
knowledge)
◦ PT consists of stages (planning, gathering information, attack, reporting)
◦ PT should be performed based on clear rules of engagement
◦ Performed by penetration testers using many tools related to ethical hacking
◦ Tries to identify vulnerabilities by providing input and fuzzing
◦ Fuzz testing, also known as fuzzing, is a type of software testing that involves
inputting random and unexpected data into a software application or system,
with the aim of identifying vulnerabilities or defects that could lead to
unexpected or incorrect behaviour; fuzzers can mutate, generate and flap inputs,
which makes them more intelligent
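Added example, not from the original slides, of mutation-based fuzzing used the way a development team would use it on its own code: a seed corpus is mutated (delete, duplicate, insert, bit-flip) and fed to a small record parser. A constructed "before" version of the parser crashes with an unhandled exception on malformed input; the hardened "after" version rejects the same inputs with a single documented exception type, so the fuzzer reports nothing. The parser, seeds and mutation strategy are constructed; the fixed random seed makes any finding reproducible.

```python
"""Mutation fuzzing of a small record parser, as used to find input-handling defects.

Added example for this slide deck. The parser, its deliberately sloppy
'before' version, the seed inputs and the mutation strategy are constructed.
"""
import random

SEEDS = ["id=7;name=alice;amount=10.00", "id=8;name=bob;amount=0.50"]  # constructed seed corpus


class RecordError(ValueError):
    """The only exception the hardened parser is allowed to raise on bad input."""


def parse_record_before(line: str) -> dict:
    """Constructed 'before' version: assumes every segment contains '='."""
    fields = {}
    for pair in line.split(";"):
        key, value = pair.split("=", 1)     # raises a bare ValueError on malformed input
        fields[key.strip()] = value.strip()
    return fields


def parse_record_after(line: str) -> dict:
    """Hardened version: every malformed input becomes a RecordError."""
    fields = {}
    for pair in line.split(";"):
        if not pair.strip():
            continue                        # tolerate empty segments such as a trailing ';'
        if "=" not in pair:
            raise RecordError(f"segment without '=': {pair!r}")
        key, value = pair.split("=", 1)
        if not key.strip():
            raise RecordError("empty key")
        fields[key.strip()] = value.strip()
    return fields


def mutate(seed: str, rng: random.Random) -> str:
    """One random mutation: delete, duplicate, insert a delimiter-like char, or flip a bit."""
    chars = list(seed)
    op = rng.choice(("delete", "duplicate", "insert", "flip"))
    if op == "insert" or not chars:
        chars.insert(rng.randrange(len(chars) + 1), rng.choice(";=\x00 \n"))
    elif op == "delete":
        del chars[rng.randrange(len(chars))]
    elif op == "duplicate":
        i = rng.randrange(len(chars))
        chars.insert(i, chars[i])
    else:
        i = rng.randrange(len(chars))
        chars[i] = chr(ord(chars[i]) ^ (1 << rng.randrange(7)))
    return "".join(chars)


def fuzz(target, seeds=SEEDS, iterations=500, expected=(), seed=1):
    """Run mutated inputs through target; return {exception type: first triggering input}.

    Exceptions listed in `expected` are the parser's documented way of rejecting
    input and are not counted; anything else is an unhandled failure.
    """
    rng = random.Random(seed)      # fixed seed so a finding is reproducible
    failures = {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(seeds), rng)
        try:
            target(candidate)
        except expected:
            pass
        except Exception as exc:   # a fuzzer must catch everything else
            failures.setdefault(type(exc).__name__, candidate)
    return failures
```

The `expected` parameter is the important design decision: a fuzzer that treats every exception as a crash is useless once the parser rejects input properly, so the harness distinguishes the documented rejection path from everything else.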



Acceptance testing
◦ Testing the software application with end-users to ensure that it meets their
needs and expectations.
◦ Last step of testing before obtaining user management sign-off; without this test,
management acceptance is not guaranteed
◦ The goal of the test is to ensure the application meets the requirements as defined
during requirements gathering
◦ Test cases and acceptance criteria should be documented and agreed
upon from the requirements gathering stage.
◦ Also known as smoke testing or end-user testing
◦ Done by end user or customer
◦ Beta testing is a form of acceptance testing

Commercial off-the-shelf software (COTS) testing
COTS is developed by a vendor or software house following the development
life cycle and all of the tests mentioned
The software vendor performs testing on the alpha release and might release a
beta version, after completing alpha testing, as a public preview
An example of a beta release is Microsoft releasing a free public preview of
Windows 11, or a preview for a subset of users, to allow users to test it and provide feedback
Feedback can be helpful in fixing issues identified in the beta release before the final
or production release ("public availability")
When a company needs to purchase COTS, they might request a PoC first (also known as a
pilot)



Release management


RELEASE MANAGEMENT
Release management is the process of planning, scheduling, coordinating, and
controlling the release of software and other applications into production environments.
It involves the management of all activities related to the release of software, including
planning, testing, deployment, and monitoring.
The goal of release management is to ensure that software releases are delivered on
time, with the required functionality, and with minimal disruption to users.



Release management systematic process
Release planning: defining the scope of the release, setting release dates, and identifying
any dependencies or risks.
Change management: managing changes to the software and ensuring that changes are properly
tested and documented.
Build and test: building and testing the software to ensure that it meets quality standards
and is ready for release.
Deployment: deploying the software into production environments and ensuring that it
operates as expected.
Monitoring: monitoring the software in production environments to ensure that it is
functioning properly and to identify any issues that may arise.


Software release types
Major release: a significant update that includes major new features or functionality. It may
also involve changes to the user interface or other significant changes to the software.
Major releases are typically numbered using a new version number, such as from version 1.0
to version 2.0.
Minor release: a smaller update that includes minor new features or functionality, bug fixes,
and other improvements. Minor releases are typically numbered using a decimal point, such as
from version 1.2 to 1.3.
Patch release: a small update that is used to fix specific bugs or security vulnerabilities in
the software. Patch releases are typically numbered using a third decimal point, such as from
version 1.2.1 to version 1.2.2.
Hotfix release: a small update that is used to address critical issues or vulnerabilities that
need to be fixed immediately. Hotfix releases are typically released outside of the regular
release cycle and may not include full regression testing.
Beta release: a pre-release version of the software that is made available to a limited group
of users for testing and feedback. Beta releases are used to identify and address issues
before a full release.
Release candidate: a near-final version of the software that is made available to a larger
group of users for testing and feedback. Release candidates are used to identify any remaining
issues before the final release.



Certification vs Accreditation


Certification vs Accreditation
Certification refers to a process in which an independent third-party
organization, such as a certification body, evaluates a product or service to
determine if it meets certain standards or requirements. Certification can be
voluntary or mandatory, and it can cover a wide range of areas, such as quality
management, information security, and software development.
In software development, certification can be used to ensure that products
meet certain standards, such as the ISO 9001 quality management standard, the
ISO 27001 information security standard, or the IEEE software engineering
standards.



Certification vs Accreditation
Accreditation, on the other hand, refers to a process in which an organization
evaluates a product or service to determine if it meets certain standards or
requirements.
Accreditation is typically mandatory and is often required by law or regulation or
based on internal governance requirements
In the field of software, accreditation can be used to ensure that products or
services meet certain regulatory requirements, such as those related to privacy,
security, or data protection.
Accreditation is the management authorization to operate the system or
application and accept all risks related to that


Software implementation and maintenance



Implementation or changeover
Implementation should start after QAT and UAT and management accreditation
An implementation plan should be prepared, available and communicated
Implementation is better carried out by a separate team; in any case, software operation
and support shall sit with a department other than the original development team.
The implementation plan should consider
◦ Data migration, to make sure the integrity of migrated data is preserved and verified
◦ Appropriate security controls over data during migration
◦ The data conversion process is doable with no impact on the original data
◦ A rollback plan is in place
◦ All required documentation is in place
◦ The change follows the internal change management process


Changeover types
Parallel Changeover
◦ Old and new systems are both live
◦ Once the new system is fully ready and tested, the old system is decommissioned
◦ Requires 2x resources, as two systems are running
◦ Safer
Phased Changeover
◦ The new system is introduced in planned phases
◦ Implementation is broken down into multiple phases
◦ Once a phase is complete, the corresponding function in the old system is discontinued
Abrupt or Direct Changeover / cutover
◦ Remove the old system completely and introduce the new one during an agreed
downtime window



Post implementation review
Typically conducted after the project has been in use long enough to realize its
business benefits and costs and to measure the project’s overall success and
impact on the business units.
Help in identifying the
◦ Total cost of ownership (TCO)
◦ Return on Investment (ROI)
◦ Whether the system is still providing the required value


System/software maintenance
System development and maintenance is a continuing process
Maintenance aims to fix code defects, introduce new features, and patch security
issues
Across the life of a product there are many versions, until the software reaches the
end-of-life stage
Product life usually consists of the following stages
◦ Public availability
◦ End of sale
◦ End of support
◦ End of life

Patch management, configuration management, release management and
change management are essential practices for software maintenance
Change management


CHANGE MANAGEMENT
OVERVIEW
Change management is the process of managing changes to an organization's
systems, processes, and procedures in a controlled and systematic manner.
It involves identifying, documenting, and evaluating proposed changes, and
implementing changes in a way that minimizes disruption to the organization
and ensures that the changes are effective.
It is a preventive control
Involvement of business is very important as change advisory board members
Impact analysis, risk analysis should be prepared
Backout or rollback plan should be ready



Change management systematic
process
Change request

Impact analysis and evaluation

Change assessment and approval

Change scheduling

Change implementation

Change monitoring

Change closure
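Added example, not from the original slides, of the change process above implemented as a preventive control: a change record that only moves forward through the listed stages, demands a backout plan before impact analysis is recorded, refuses self-approval and approver-implements-own-change (separation of duties), and lets an emergency change skip scheduling while a normal change cannot. The stage names follow the slide; the change ids, people and maintenance window are constructed.

```python
"""Change record that enforces the change-management stages and separation of duties.

Added example for this slide deck. The stage names follow the slide; the
change ids, people, and the maintenance window are constructed.
"""
STAGES = ["requested", "impact_analysed", "approved", "scheduled",
          "implemented", "monitored", "closed"]


class WorkflowError(Exception):
    """Raised when a step is attempted out of order or by the wrong person."""


class ChangeRecord:
    def __init__(self, change_id, requester, description, emergency=False):
        self.change_id, self.requester, self.description = change_id, requester, description
        self.emergency = emergency
        self.stage = "requested"
        self.history = [("requested", requester)]
        self.approver = self.implementer = self.backout_plan = self.window = None

    def _advance(self, to, actor):
        """Preventive control: only the next stage is reachable; emergencies may skip scheduling."""
        allowed = {STAGES[STAGES.index(self.stage) + 1]} if self.stage in STAGES[:-1] else set()
        if self.emergency and "scheduled" in allowed:
            allowed.add("implemented")
        if to not in allowed:
            raise WorkflowError(f"{self.change_id}: cannot go from {self.stage} to {to}")
        self.stage = to
        self.history.append((to, actor))

    def record_impact(self, analyst, impact, risk, backout_plan):
        if not backout_plan:
            raise WorkflowError("a backout/rollback plan is mandatory")
        self.impact, self.risk, self.backout_plan = impact, risk, backout_plan
        self._advance("impact_analysed", analyst)

    def approve(self, approver):
        if approver == self.requester:
            raise WorkflowError("requester may not approve their own change")
        self.approver = approver
        self._advance("approved", approver)

    def schedule(self, actor, window):
        self.window = window
        self._advance("scheduled", actor)

    def implement(self, implementer):
        if implementer == self.approver:
            raise WorkflowError("approver may not also implement (separation of duties)")
        self.implementer = implementer
        self._advance("implemented", implementer)

    def monitor(self, actor, healthy):
        self._advance("monitored", actor)
        if not healthy:                    # backout plan executed; change cannot be closed as successful
            self.stage = "backed_out"
            self.history.append(("backed_out", actor))

    def close(self, actor):
        self._advance("closed", actor)


def run_normal_change():
    c = ChangeRecord("CHG-0001", requester="alice", description="rotate TLS certificate on web tier")
    c.record_impact("bob", impact="brief reload of web tier", risk="low",
                    backout_plan="restore previous certificate bundle")
    c.approve("carol")                                   # CAB member, not the requester
    c.schedule("bob", "2023-01-15 02:00-03:00")          # constructed window
    c.implement("dave")                                  # not the approver
    c.monitor("dave", healthy=True)
    c.close("alice")
    return c


def run_emergency_change():
    c = ChangeRecord("CHG-0002", "alice", "block exploited endpoint at the gateway", emergency=True)
    c.record_impact("bob", "endpoint unavailable until fix", "medium", "remove gateway rule")
    c.approve("carol")
    c.implement("dave")                                  # scheduling skipped: allowed only for emergencies
    return c


def violation_messages():
    """Errors raised by out-of-order steps, self-approval, a missing backout plan, and skipping."""
    messages = []
    c = ChangeRecord("CHG-0003", "alice", "change attempted out of order")
    d = ChangeRecord("CHG-0004", "alice", "normal change trying to skip scheduling")
    d.record_impact("bob", "none", "low", "revert config")
    d.approve("carol")
    for attempt in (lambda: c.implement("dave"),            # nothing analysed or approved yet
                    lambda: c.approve("alice"),             # requester approving own change
                    lambda: c.record_impact("bob", "none", "low", backout_plan=""),
                    lambda: d.implement("dave")):           # not an emergency: scheduling required
        try:
            attempt()
        except WorkflowError as exc:
            messages.append(str(exc))
    return messages
```

The `history` list is the audit trail an auditor would sample: who moved the change through each stage, and whether the approver and implementer were different people.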


Change types
Standard changes: low-risk, pre-approved changes that follow a predetermined process and do
not require extensive evaluation or approval. Examples of standard changes might include
routine maintenance tasks or minor configuration changes.
Normal changes: changes that are not considered standard or emergency changes and require a
formal evaluation and approval process. Normal changes may involve changes to systems,
processes, or procedures and may require significant evaluation and testing before being
implemented.
Emergency changes: changes that are required immediately to address a critical situation, such
as a security breach or system outage. Emergency changes are typically expedited and may
involve bypassing some of the normal change management processes.
Major changes: changes that have a significant impact on the organization, such as changes to
core business processes or the implementation of new systems or technologies. Major changes
require extensive evaluation and approval processes and may involve significant risks and
costs.



Patch management


PATCH MANAGEMENT
Patch management and vulnerability management are the same
A vulnerability is a weakness in a system that can be exploited during an attack, leading
to system disruption
Patch management is the process of identifying, testing, deploying, and
verifying software patches to address security vulnerabilities, performance issues,
and other bugs in software applications and systems.
An effective patch management process is critical for maintaining the security
and reliability of software systems.
The patch management process includes testing; testing is very important before
deploying a patch at scale
Examples of patch management software are Tenable and Qualys



Configuration management


Configuration management
A key process for managing the changes made to software or application
configuration or network devices configuration over time and ensuring that these
changes are properly tracked, documented, and tested before being released to
production environments.
Configuration management involves the management of all aspects of the software
development lifecycle, including planning, development, testing, deployment, and
maintenance. It includes the management of source code, build scripts,
documentation, test plans, and other artifacts related to the software.
It identifies the specific version of the software and its dependencies that are required
to run in different environments, such as development, testing, and production.
Helps to identify the baseline of required configurations that need to be implemented
Helps to ensure that the correct version of the software is deployed in each
environment, and that any changes made to the software are properly tested and
approved before being released to production.
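Added example, not from the original slides, of the baseline idea in code: an approved baseline of settings per component, a stable fingerprint of each component's configuration, and a drift check that reports settings that are missing, changed, or present without being in the baseline. The components, settings and the "current production" snapshot are constructed; a real check would read the values from the systems themselves.

```python
"""Configuration baseline and drift check across environments.

Added example for this slide deck. The components, settings and the
'current production' snapshot are constructed; a real check would read the
values from the systems themselves.
"""
import hashlib
import json

# Constructed approved baseline: component -> required settings.
BASELINE = {
    "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no", "Protocol": "2"},
    "app": {"DEBUG": "false", "TLS_MIN_VERSION": "1.2", "SESSION_TIMEOUT_MIN": "15"},
}

# Constructed snapshot of what production actually runs today.
CURRENT_PROD = {
    "sshd": {"PermitRootLogin": "yes", "Protocol": "2", "X11Forwarding": "yes"},
    "app": {"DEBUG": "true", "TLS_MIN_VERSION": "1.2", "SESSION_TIMEOUT_MIN": "15"},
}


def fingerprint(config: dict) -> str:
    """Stable hash of a component's settings; equal hashes mean identical configuration."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def drift(baseline: dict, current: dict) -> list:
    """Return (component, key, kind, expected, actual) for every deviation from baseline.

    kind is 'missing' (setting absent), 'changed' (different value) or
    'unexpected' (setting or component present that the baseline does not define).
    """
    report = []
    for component, expected in baseline.items():
        actual = current.get(component, {})
        for key, value in expected.items():
            if key not in actual:
                report.append((component, key, "missing", value, None))
            elif actual[key] != value:
                report.append((component, key, "changed", value, actual[key]))
        for key in actual:
            if key not in expected:
                report.append((component, key, "unexpected", None, actual[key]))
    for component in current:
        if component not in baseline:
            report.append((component, None, "unexpected", None, "component not in baseline"))
    return report


def status(baseline: dict, current: dict) -> dict:
    """Per-component pass/fail using fingerprints, plus the detailed drift list."""
    return {
        "compliant": {c: fingerprint(baseline[c]) == fingerprint(current.get(c, {}))
                      for c in baseline},
        "drift": drift(baseline, current),
    }
```

Fingerprints give a cheap yes/no per component for a dashboard or a deployment gate; the drift list is what goes into the change ticket, since each line names the setting that must be put back under the change process.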
Systematic configuration
management process

Develop the configuration management plan.

Baseline applicable components.

Analyze and report on the results.

Develop configuration status reports.

Develop release procedures.


Version control system and securing source code



Version control system
A Version Control System (VCS), also known as source control or revision control,
is a software tool that helps software developers manage changes to source
code and other files.
It tracks the history of changes to a file or set of files over time, enabling
developers to collaborate on a project, track changes, and maintain different
versions of the same file or set of files.
A VCS provides a shared repository for source code and other files, allowing
multiple users to access and modify the same files concurrently. In a centralized
VCS such as Subversion the repository lives on one server; in a distributed VCS
such as Git or Mercurial every clone holds the full history, so the "central"
copy is a matter of convention and access control rather than of the tool.
It records the changes made to the files, including who made the changes, when
the changes were made, and what changes were made.
Some popular VCSs include Git, Subversion (SVN), and Mercurial.


Source code security


Source code is managed using a version control system (VCS).
A VCS synchronizes a developer's changes with changes made by other developers,
helps resolve conflicts, and allows branching from the code.
To maintain source code security, the following need to be defined and verified:
◦ Who can access (read) the code
◦ Who can change the code, and who can deploy it to production (segregation of
  duties / two-man controls: the person who writes a change should not be the
  one who approves and releases it)
◦ Audit trails are in place (who changed what, when, and who approved it)
◦ Backups of the source code are performed, and the backup location is identified
  and controlled
◦ A code escrow agreement is in place where the code is developed or held by a
  third party
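The access, segregation-of-duties and audit-trail points above can be tested against the repository history rather than only against policy documents. The following is an added example, not code from the course: it runs a set of checks over constructed change records for a production branch (author, approvers, who merged, whether the commit was signed) and returns the findings per change. The user names, access lists and commit identifiers are hypothetical; in practice the records would be exported from the VCS and the code-review system.

```python
"""Audit a production-branch history for access, SoD and audit-trail weaknesses."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the repository's access control matrix (hypothetical names).
AUTHORIZED_DEVELOPERS = {"alice", "bob", "carol"}
AUTHORIZED_RELEASERS = {"carol", "dave"}  # allowed to merge/deploy to production


@dataclass(frozen=True)
class ChangeRecord:
    sha: str
    author: str
    approvers: Tuple[str, ...]   # reviewers who approved the change
    merged_by: Optional[str]     # None = pushed directly, no merge/review step
    signed: bool                 # commit carried a verified signature


# Constructed sample history of changes to the production branch.
HISTORY: List[ChangeRecord] = [
    ChangeRecord("a1f3", "alice", ("carol",), "carol", True),  # clean change
    ChangeRecord("b7c2", "bob", ("bob",), "bob", True),        # self-approved, self-merged
    ChangeRecord("c9e1", "eve", ("carol",), "carol", False),   # unknown author, unsigned
    ChangeRecord("d004", "alice", (), None, True),             # direct push, no review
    ChangeRecord("e555", "alice", ("bob",), "bob", True),      # merged by non-releaser
]


def audit_change(rec: ChangeRecord) -> List[str]:
    """Return the control weaknesses found for one change (empty list = clean)."""
    findings: List[str] = []
    if rec.author not in AUTHORIZED_DEVELOPERS:
        findings.append("author not on repository access list")
    if rec.merged_by is None:
        findings.append("direct push bypassed the merge/review step")
    else:
        if rec.merged_by not in AUTHORIZED_RELEASERS:
            findings.append("merged by a user without release authority")
        if rec.merged_by == rec.author:
            findings.append("SoD: author merged their own change")
    # Two-man control: at least one approver who is not the author.
    if not any(a != rec.author for a in rec.approvers):
        findings.append("two-man control: no independent approval recorded")
    if not rec.signed:
        findings.append("commit not signed; author identity unverified in audit trail")
    return findings


def audit_history(history: List[ChangeRecord]) -> Dict[str, List[str]]:
    """Map each non-compliant change's sha to its findings; clean changes are omitted."""
    results: Dict[str, List[str]] = {}
    for rec in history:
        findings = audit_change(rec)
        if findings:
            results[rec.sha] = findings
    return results


if __name__ == "__main__":
    for sha, findings in audit_history(HISTORY).items():
        print(sha)
        for f in findings:
            print("  -", f)
```

Only `a1f3` passes every check; the other four each illustrate one of the bullets above (an unauthorized author, a change merged by its own author, a direct push that bypassed review, and an unsigned commit whose authorship the audit trail cannot vouch for).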



Auditor roles in software
domain


AUDITOR ROLES IN SOFTWARE PROJECTS AND PROJECTS IN GENERAL
Review the business case and feasibility study process.
Review the threat modelling process and the identification of security threats as
the basis for control selection, and review those controls.
Verify the controls related to data integrity, conversion and protection,
especially during data migration.
Ensure documentation is in place that confirms the results of quality assurance.
Review the system flowcharts for adherence to the general design.
Review the user acceptance test reports and confirm management authorization to
use the software or application.
Ensure the change management process is followed properly for all changes.
Ensure adequate security over access to the source code and the development
environment.
