cy513_project_Project 2

School: University of West Alabama
Course: 513
Subject: Information Systems
Date: Dec 6, 2023
Uploaded by ProfessorSalmon327

Project: Software Assurance & Security
Katie
University of West Alabama
CY513 - Software and Systems Reliability and Safety
Dr. Perez

Table of Contents
Abstract
Project Overview
Literature Review
Rationale
Summary of Findings
Recommendations & Conclusion
References

Abstract
The purpose of this research project is to prepare a report on software assurance and security. The researcher will assume the role of Chief Information Security Officer for a mid-size software development company. It is important to understand the role and what it entails. The research will explain the importance of the role, what the officer does, and the officer's tasks along with methods to implement them. The research will provide methods, standards, and best practices related to developing secure software. It focuses on the information security program in a mid-size software development company, which includes securing various assets of the organization: the applications used in the organization, the systems used in its workplace, and the technology implemented across the organization. With this research we will find why it is important to implement secure software development methods. It will show what doing so entails and why there is a business case for it. We will review the findings of our research, which include a summary of secure software development best practices, standards, requirements, and methods. This research will include recommendations and comments regarding what steps to take to ensure the software development organization is developing secure and safe software.

Project Overview
When assuming the position of Chief Information Security Officer (CISO), it is important to know the role. The CISO develops secure processes to ensure that systems are protected from outside attacks, develops processes to avoid, detect, and mitigate cyber-attacks, and manages the risks associated with newer technology. The CISO implements frameworks and strategies to ensure that cybersecurity is applied across the various components of the organization. The CISO develops and justifies the organization's investments in cybersecurity and also ensures that cybersecurity compliance requirements are followed and implemented within the organization.

Reviewing scholarly articles, the researcher will provide methods, standards, and best practices that relate to developing secure software. This will include information security programs that secure various assets of the organization and why they are important. This research will include seven scholarly articles to support our research findings. The articles will support why software development organizations should implement secure software development methods. The research will discuss which methods to use and what it takes to ensure secure software development. The research will support software development best practices, standards, requirements, and methods. The research will detail steps that organizations should take to help ensure they are developing secure and safe software. It will go into detail on how methods, best practices, and standards should be implemented and how organizations can accomplish them.

Literature Review
Software needs to be designed, built, delivered, and maintained efficiently to be safe and secure. The research shows the importance of software assurance and security and supports the importance of secure coding. The research suggests and supports that, no matter the type of software or its functionality, risks and vulnerabilities in the software are mitigated by implementing security through all phases. Managing the threats we face today in cyberspace requires a layered system of security, with vendors building more secure software, integrators ensuring that the software is installed correctly, operators maintaining the system properly, and end users using the products in a safe and secure manner.

Software assurance is the level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software throughout the lifecycle (Mead, N. R., Allen, J. H., Conklin, W. A., Drommi, A., Harrison, J., Ingalsbe, J., ... & Shoemaker, D., 2009). Software assurance incorporates the development and implementation of methods and processes for guaranteeing that the software functions as intended. It mitigates the risks of vulnerabilities, malicious code, or weaknesses that could bring harm to the end users. Security training, coding standards, policies, testing, and techniques all contribute to software assurance (Black, P. E., Guttman, B., & Okun, V., 2021). It is vital for securing critical information technology resources and for addressing assurance through every stage of application development. An organization cannot have software assurance without software security.

The goal of software security is to maintain the confidentiality, integrity, and availability of information resources to enable a successful business operation, which is accomplished through security controls (Sodanil, M., Quirchmayr, G., Porrawatpreyakorn, N., & Tjoa, A. M., 2015, July). Software security is critical because attacks on a system can cause harm to any piece of software while compromising integrity, authentication, and availability. Secure software development helps organizations develop secure software that is resistant to attacks and can protect sensitive data.

There are best practices for administering security in software applications, and they should be applied in each stage of the software development lifecycle (Khan, R. A., Khan, S. U., Alzahrani, M., & Ilyas, M., 2022). Security training is needed for employees at all levels so that they are skilled in and knowledgeable of information security. In the early design phase, defining security requirements will help identify and address potential threats and ways to reduce those risks to a minimal level. Security testing will guarantee that the security requirements are met and that the secure design and coding guidelines were followed. Testing not only covers functionality but can also help eliminate vulnerabilities by emulating the steps an attacker would take when breaking into a system (van Wyk, K. R., & McGraw, G., 2005). Security requirements should include the handling of security issues, how to form security controls, and which options could expose potential security vulnerabilities. The developer needs to evaluate, document, and assess risks posed by potential security gaps in the product and ensure security readiness for the system. Another best practice is security response: making sure any security vulnerabilities are handled through incident response to mitigate the vulnerability. New technologies deliver new threat vectors and require investing in mechanisms to mitigate the threats and vulnerabilities. Security is an essential component of every phase of a software's life.

Secure coding protects secrets and business data from leaking into the public domain. Secure coding practices are essential for secure software development (Sodanil, M., Quirchmayr, G., Porrawatpreyakorn, N., & Tjoa, A. M., 2015, July). Programmers need to practice secure coding skills to prevent software security issues. Inspecting the application
source code will help identify the vulnerabilities. Implementing secure programming practices will reduce the frequency and severity of coding errors. Secure coding practices include reviewing the source code with a combination of analysis tools to identify potential security defects. Improving secure coding can help wipe out security vulnerabilities (Graff, M., & Van Wyk, K. R., 2003). Not only do security measures need to be implemented in each phase of the software development lifecycle, but so do secure coding practices. Secure coding practices are a guideline for implementing a secure software development framework in order to mitigate the most common software vulnerabilities (Sodanil, M., Quirchmayr, G., Porrawatpreyakorn, N., & Tjoa, A. M., 2015, July).

Software development begins with requirement analysis. During this phase, the goal is to define and communicate software requirements that are tailored to customer needs, according to Khan, R. A., Khan, S. U., Alzahrani, M., & Ilyas, M. (2022). There are several different software development methodologies, but they all share common elements, which are: concept, requirements, design and documentation, programming, testing, integration and internal evaluation, release, and maintenance, sustaining engineering and incident response. Sodanil, M., Quirchmayr, G., Porrawatpreyakorn, N., & Tjoa, A. M. also state that in the SDL there are seven processes: training, requirement, design, implementation, verification, release, and response. Khan, R. A., Khan, S. U., Alzahrani, M., & Ilyas, M. also state that the common phases of the software development lifecycle include requirement, design, coding, testing, deployment, and maintenance.

Secure software development entails a lot of work. One cannot have secure software without secure coding, security measures implemented in each phase of the software development lifecycle, and software assurance. Developers develop the software and testers test the software for functionality and vulnerabilities, to ensure the software is secure and free of risks and threats. Ensuring security will help the integrity, confidentiality, and availability of the software.

Rationale
Software development organizations should implement secure software development methods. Software security and integrity are important and aid in reducing the risk of security vulnerabilities in the software products in production. When developing secure software, one needs to integrate security measures in each step. Writing security requirements alongside functional requirements and performing risk analysis during all phases of the development lifecycle will mitigate risks and vulnerabilities. Implementing secure software development methods is cost beneficial for the organization.

Implementing secure software development methods entails many different steps. First, security training is a basic part of the secure software development lifecycle. Security training increases awareness and security knowledge, and keeps team members current with new threats. It starts with a strong plan and determining functional or non-functional application characteristics, such as performance. There are security requirements when dealing with security activities, and these requirements come from laws and regulations, obligations, conditions, and application functionality. The security requirements need to be testable, clear, measurable, complete, and consistent. During the design stage, the choices that are made need to meet the requirements. In this stage, reviewing the design, testing, and completing risk analysis will uncover weaknesses and vulnerabilities within the software. In the implementation stage, developers code and make decisions about the most secure way to deploy the software. Secure coding guidelines and code reviews will be used to ensure security in this stage. In the verification stage, testers will examine the software for weaknesses, risks, and vulnerabilities while it runs. Different tests can and should be run in this stage, such as pen testing or interactive application security testing.
The release stage is when the software is launched to production and users can work with the software. The company
should continue maintenance and test the software for any vulnerabilities that might have been missed or have surfaced. The incident response plan will be executed in this stage, and patches will be created if any emerging threats and vulnerabilities surface.

Implementing secure software development can save costs and time, help with compliance and compliance reporting, and support brand reputation, profitability and growth, and competitive differentiation. Integrating security into all levels of software development can minimize vulnerabilities and make the product more secure from the beginning. Doing so will reduce the time and money that would otherwise be spent on correcting or improving flaws and risks. Ensuring code is developed securely from the beginning can save time in assessments, threat modeling, and analyses. It can save time with compliance by ensuring policies and standards are followed from the initial stage. Implementing secure software development can help customers stay loyal to the organization and help it maintain a competitive edge. Lack of security can affect the bottom line and can lead to breaches, which can cause irreparable damage and cost money and time. Being proactive in secure software development ensures compliance with regulations and guidelines and helps avoid data breaches, which will help drive profitability and growth for a company.

Summary of Findings
In this section prepare a 1-2-page response in which you summarize the findings of your research. This should include a summary of the following potential items: secure software development best practices, standards, requirements and methods.

Recommendations & Conclusion
This section should be about 1-2 pages in length. In this section, provide your analysis, recommendations and concluding comments regarding what steps a software development organization should take to ensure it is developing secure and safe software. Discuss any methods, best practices or standards that should be implemented and how this would be accomplished.

References
Black, P. E., Guttman, B., & Okun, V. (2021). Guidelines on minimum standards for developer verification of software. arXiv preprint arXiv:2107.12850. https://arxiv.org/pdf/2107.12850.pdf

Graff, M., & Van Wyk, K. R. (2003). Secure coding: principles and practices. O'Reilly Media, Inc. https://books.google.com/books?hl=en&lr=&id=dD60dU9Xvj4C&oi=fnd&pg=PR11&dq=secure+coding+for+software+development+organization+&ots=jZW2ogpax4&sig=hzIBOHAEGdLbx1Ch5Vwb2hetTf4#v=onepage&q=secure%20coding%20for%20software%20development%20organization&f=false

Khan, R. A., Khan, S. U., Alzahrani, M., & Ilyas, M. (2022). Security assurance model of software development for global software development vendors. IEEE Access, 10, 58458-58487. https://ieeexplore.ieee.org/abstract/document/9782440

Mead, N. R., Allen, J. H., Conklin, W. A., Drommi, A., Harrison, J., Ingalsbe, J., ... & Shoemaker, D. (2009). Making the Business Case for Software Assurance. https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=d0b53c7de5728eca0ff7fc92adb1836074760f3a

Sodanil, M., Quirchmayr, G., Porrawatpreyakorn, N., & Tjoa, A. M. (2015, July). A knowledge transfer framework for secure coding practices. In 2015 12th International Joint Conference on Computer Science and Software Engineering (JCSSE) (pp. 120-125). IEEE. https://ieeexplore.ieee.org/abstract/document/7219782

van Wyk, K. R., & McGraw, G. (2005). Bridging the gap between software development and information security. IEEE Security & Privacy, 3(5), 75-79. https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=1514408

Wagner, E. L., Scott, S. V., & Galliers, R. D. (2006). The creation of 'best practice' software: Myth, reality and ethics. Information and Organization, 16(3), 251-275. https://www.sciencedirect.com/science/article/abs/pii/S1471772706000121

Williams, L. (2010). Agile software development methodologies and practices. In Advances in computers (Vol. 80, pp. 1-44). Elsevier. https://www.sciencedirect.com/science/article/abs/pii/S0065245810800014