Domain 8: Software Development Security
8.1 Understand and integrate security in the Software Development Life Cycle
Machine code is the binary language built into a CPU. Just above that is assembly language, which is a set of low-level commands. Humans write source code and convert it into machine code with compilers.
Interpreters translate each line of code into machine language on the fly while the program runs.
Bytecode is an intermediary form between source code and machine code, ready to be executed by a Java Virtual Machine.
Procedural and Object-Oriented Languages
Procedural – uses subroutines, procedures and functions, executed step by step. Examples include C and FORTRAN.
Object-oriented – defines abstract objects through the use of classes, attributes and methods. Examples include C++ and Java.
Computer-Aided Software Engineering (CASE)
Databases are structured collections of data that allow queries (searches), insertions, deletions and updates
Database Management Systems are designed to manage the creation, querying, updating and administration of databases. Examples include MySQL, PostgreSQL, Microsoft SQL Server, etc
Types of databases:
8.2 Identify and apply security controls in development environments
8.3 Assess the effectiveness of software security
8.4 Assess security impact of acquired software
8.5 Define and apply secure coding guidelines and standards
Application Development Methods
Waterfall – has a feedback loop that allows progress one step backwards or forwards.
Spiral – improves on the two previous models because each step of the process goes through the entire development lifecycle
Agile – highest priority is satisfying the customer through early and continuous delivery. It does not prioritize security.
Individuals and interactions over processes and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan
Software Development Lifecycle Phases
Initiation – Define need and purpose of project
Development/Acquisition – determine security requirements and incorporate them into specifications
Implementation – install controls, security testing, accreditation
Operation – backups, training, key management, audits and monitoring etc
Disposal – archiving and media sanitation
A third party archives the source code.
The source code is released if the product is abandoned.
Protects the purchaser should the vendor go out of business.
The older model had strict separation of duties between developers, quality assurance and production.
DevOps is more agile, with everyone working together across the entire service lifecycle.
Software Capability Maturity Model (SW-CMM) – states all software development matures through phases in a sequential fashion. Intends to improve maturity and quality of software by implementing an evolutionary path from ad hoc, chaotic processes to mature, disciplined software processes.
Initial – developers are unorganized with no real plan. No defined software development process
Repeatable – lifecycle management processes are introduced. Code is reused.
Defined – developers operate according to a set of documented processes. All actions occur within the constraints of those processes.
Managed – Quantitative measures are used to understand the development process.
Optimizing – Processes for defect prevention, change management, and process change are used.
Object Oriented Programming
Java, C++, etc. Objects contain data and methods. Objects provide data hiding.
Object – account, employee, customer, whatever
Method – actions on an object
Class – think of a blueprint. Defines the data and methods the objects will contain. Does not contain data or methods itself, but instead defines those contained in objects.
Polymorphism – objects can take on different forms. This is common among malware that modifies its code as it propagates to avoid detection.
Coupling and Cohesion
Coupling – how much modules depend on each other
Cohesion – refers to how well the elements of a module belong together. High cohesion reduces duplication of data.
You want low coupling and high cohesion
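The Object Oriented Programming and Coupling and Cohesion notes above, worked through as an added Python example (not part of the original notes): a class acts as the blueprint, the balance is hidden so only the class's own methods can change it (the invariant is enforced in one place), each subclass owns its own overdraft rule (high cohesion), and the caller depends only on the abstract `Account` interface (low coupling, polymorphism). The `CheckingAccount`, `OverdraftAccount` and `try_withdraw` names are assumptions made for this example.

```python
from abc import ABC, abstractmethod


class Account(ABC):
    """Blueprint: defines the data and methods; each object holds its own state."""

    def __init__(self, owner: str, opening_balance: int):
        if opening_balance < 0:
            raise ValueError("opening balance must not be negative")
        self._owner = owner
        self.__balance = opening_balance  # name-mangled: hidden from callers
        self.audit: list[str] = []        # every change or refusal is recorded

    @property
    def balance(self) -> int:
        """Read-only view; there is no setter, so the invariant cannot be bypassed."""
        return self.__balance

    def withdraw(self, amount: int) -> int:
        """The only path that changes the balance; validates before mutating."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        if not self._allowed(amount):
            self.audit.append(f"DENIED {self._owner} withdraw {amount}")
            raise PermissionError("insufficient funds")
        self.__balance -= amount
        self.audit.append(f"{self._owner} withdraw {amount}")
        return self.__balance

    @abstractmethod
    def _allowed(self, amount: int) -> bool:
        """Each subclass supplies its own rule (cohesion: the rule lives with the type)."""


class CheckingAccount(Account):
    def _allowed(self, amount: int) -> bool:
        return amount <= self.balance


class OverdraftAccount(Account):
    LIMIT = 100  # constructed sample limit for the example

    def _allowed(self, amount: int) -> bool:
        return amount <= self.balance + self.LIMIT


def try_withdraw(acct: Account, amount: int) -> tuple[bool, int]:
    """Polymorphic caller: coupled only to Account, not to any concrete subclass."""
    try:
        return True, acct.withdraw(amount)
    except PermissionError:
        return False, acct.balance


def direct_write_blocked(acct: Account) -> bool:
    """Data hiding check: assigning to balance from outside must fail."""
    try:
        acct.balance = 0  # type: ignore[misc]
        return False
    except AttributeError:
        return True
```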