1.2 System Lifecycle Management - 1-1

The document outlines the System Lifecycle Management phases, emphasizing the importance of integrating security throughout the software development process. It discusses risk management strategies, security testing methods, and the necessity of maintaining security during the maintenance phase. Additionally, it highlights the financial implications of security failures and the need for continuous education and evaluation of security practices in development teams.

Uploaded by

humszter

SYSTEM LIFECYCLE MANAGEMENT

PHASE 1 - SYSTEM LIFECYCLE MANAGEMENT

• Planning
• Analyzing Risk
• Cost Analysis
• Security Requirements

HOW TO APPROACH THE RISKS

• Application Security
  ◦ issue based, short term
    ▪ Penetration
    ▪ patching
  ◦ threat modeling
  ◦ code reviews
• Software Security
  ◦ holistic, long term
    ▪ root cause analysis
    ▪ organizational change

HOW TO APPROACH RISKS

WHEN TO ADDRESS THE SECURITY VULNERABILITIES

• Most developers today test after the software is built.

SAMPLE SOFTWARE SECURITY COSTS

• Unbudgeted time to fix security problems: 1000 employee hours
• Cost of training software developers in security: $100 million
• Inadequate software testing costs $3.3 billion
• DoS Attack: $500 million
• Fixing a Patch with 1K servers, costs $300K to test and deploy
• Fixing a Defect: $6K per defect

Source: Business Week, Gartner, Microsoft, NIST

SO HOW DO WE DO IT?

• define roadmaps for software security
• define entry scenarios
• define strategic activity tracks

THE SOFTWARE DEVELOPMENT LIFE CYCLE

The Software Development Life Cycle with Security Incorporated

PHASE 2 - SYSTEM LIFECYCLE MANAGEMENT

• Designing Securely
• Integration of Security
• Implementation

DESIGNING SECURELY

• Influence
  ◦ Establish and follow best practices
  ◦ best time to implement a security plan is early in the life cycle
  ◦ threat modeling must be completed during this phase
• Security Requirements
  ◦ security design review with an advisor for a project
• Privacy Requirements
  ◦ complete detailed privacy analysis
  ◦ have a privacy subject matter expert

INTEGRATION OF SECURITY

• Recommendations
  ◦ Functional and Design Specification
    ▪ section dedicated to impacts on security
  ◦ Security architecture document
    ▪ provides a description of security on a software project
  ◦ Attack surface Measurement
    ▪ Product structure
    ▪ Minimize default attack surface

RISK MANAGEMENT

• Disaster recovery
  ◦ Have a plan
  ◦ Disasters are inevitable
• Risk Mitigation
  ◦ know what risks are associated with the project
  ◦ Options to handle include:
    ▪ Assume, Avoid, Control, Transfer, Watch/Monitor

RISK MANAGEMENT

SECURITY MANAGEMENT CYCLE

STEPS FOR CREATING A SECURE DESIGN

• Making sure proper security protocols are defined
• Having a solid Security Plan and Disaster Recovery Plan
• Review Security protocols with experts in security

PHASE 3 - SYSTEM LIFECYCLE MANAGEMENT

• Implementation Phase
• Securing the Implementation

WHAT OCCURS?

• After the system design documents are received, it is time for the project or application to be brought to life.
• This involves whatever actions are necessary to get the project up and running.
• Successful completion of this phase includes system deployment and training on the system.

ACTIVITIES

• Activities in this phase also include efforts required for utilization including notification to end users, execution of training, and data entry or conversion.
• This phase continues until the production system is operating in accordance with the defined requirements and planning for sustainment has begun.

ACTIVITIES

SECURITY IN THE IMPLEMENTATION PHASE

• When security comes into play in this phase there are several actions that must be taken.
• One must create and maintain a list of recommended software frameworks, services and other software components.

SECURITY IN THE IMPLEMENTATION PHASE

• In addition, one must develop a list of guiding security principles as a checklist against detailed designs.
• Also, one must distribute, promote and apply the design principles to the project that is in development.

REVIEWING

• The reviewing and analysis of the software’s code is also required to ensure security.
• It is essential that the code for the software being developed is reviewed not only by yourself, but by your peers as well.
• This portion of the phase is essential to the success of the project.

PHASE 4 - SYSTEM LIFECYCLE MANAGEMENT

• Security in the Testing Phase
  ◦ Security testing in software.
  ◦ Types of Software Testing
  ◦ What it means to have secure software.

WHAT IS SECURITY TESTING IN SOFTWARE

• Security Testing in software is the process of revealing possible vulnerabilities in the system.
  ◦ Ensuring software quality
    ▪ Reliability: All functions within the software work.
    ▪ Resiliency: Software that can withstand attempts of attackers.
    ▪ Recoverability: Software that can be restored if something goes wrong with a function or its resiliency.

HOW TO APPROACH SECURITY TESTING

• Thinking outside the box
  ◦ Think like an attacker, in some cases from a user’s perspective, and in other cases from a developer’s perspective.
• Must have a passion for technology
  ◦ Stay up to date with new technologies and adjust to new attack strategies.
  ◦ More than 317 million new pieces of malware were created in 2018.

TYPES OF SOFTWARE TESTING

• Functional testing
  ◦ Unit testing breaks the software into smaller parts and tests each part individually
  ◦ Logic testing validates the accuracy of the software’s process logic
• Performance testing
  ◦ How the software performs when subjected to large volumes of data
  ◦ How the software performs when the peak load is exceeded
• Security testing
  ◦ Ensures the software is designed and developed in a way that reduces the risk of exploitation
  ◦ Black Box/White Box Testing

TYPES OF SOFTWARE SECURITY TESTING

• Black box testing
  ◦ A method of testing in which the tester has no knowledge about the software’s architecture or how it was built.
  ◦ Tests how the software behaves from a user’s perspective.
• White box testing
  ◦ A method of testing in which the tester has considerable knowledge about the software’s architecture, how it was built, and even about its source code.

TYPES OF SOFTWARE SECURITY TESTING

WHAT IT MEANS TO HAVE SECURE SOFTWARE?

• Successfully testing software means to have quality software and achieve software assurance.
• Can we adequately secure software through testing?

PHASE 5 - SYSTEM LIFECYCLE MANAGEMENT

• Maintenance Phase

MAINTENANCE PHASE

• The Maintenance Phase involves making changes to hardware, software, and documentation to support the system’s operational effectiveness.
  ◦ This includes making changes to improve a system’s performance, enhance security, correct problems, and/or address user requirements.
  ◦ Establishing appropriate change management standards and procedures helps to ensure modifications do not disrupt operations or negatively affect a system’s security or performance.

MAINTENANCE PHASE

• Systems and products are in place and operating; enhancements are developed and tested, and hardware and software components are added or replaced.
• Configuration management and control activities should be conducted to document any proposed or actual changes in the security plan of the system.
• Documenting information system modifications and evaluating the impact of these changes on the security of a system are ideal when trying to prevent lapses in the system security accreditation.

MAINTENANCE PHASE

STEPS TO IMPROVE DEVELOPMENT METHODOLOGY

• Assigning a security team to every development project
  ◦ Make it known that they are a big part of the team
• Educate developers about security and the attack surface
  ◦ The developers should understand the importance of security and all points of exposure
• Evaluate policies and procedures
  ◦ Review existing policies and procedures and in certain cases create new policies and procedures focused on security
• Measure Success
  ◦ Building security into the SDLC reduces errors, reduces costs and creates a more secure application

End