CSS321_JoshuaGardner_IP5
School: Colorado Technical University
Course: 321
Subject: Information Systems
Date: Jan 9, 2024
SOFTWARE ASSURANCE GUIDELINE – T-MOBILE U.S.A
CSS321: Software Assurance
Software Assurance Guideline – T-Mobile U.S.A.
Individual Project – Week 5
Joshua Gardner
November 5th, 2023
Table of Contents

Unit 1: Project Outline ... 3
  Company Description ... 3
  Applications Provided ... 3
  Development Methods ... 4
Unit 1: Security in the Development Life Cycle ... 5
  SDLC ... 5
  Security Development Components ... 6
Unit 2: Software Assurance Techniques ... 7
  Analysis ... 7
  Guidelines ... 10
Unit 3: Security in Nontraditional Development Models ... 11
  Identifying Non-Traditional Security Model ... 11
  Non-Traditional Development Process ... 12
  Non-Traditional Software Development Policies & Processes ... 14
Section 4: Security Static Analysis ... 16
  Application Design Layout ... 16
  Component Diagram ... 17
  Major Components ... 17
  C++ Code Samples ... 19
  Security Static-Analysis Tools & Guidelines ... 19
Unit 5: Software Assurance Policies and Processes ... 21
  Software Assurance Training Plan ... 21
  Software Assurance Metrics ... 22
  Security Team Roles & Responsibilities ... 23
Resources ... 24
Unit 1: Project Outline

Company Description

The purpose of this report is to provide T-Mobile U.S.A. with a fully completed software assurance guideline. Software assurance guidelines are vital to large-scale organizations such as T-Mobile U.S.A. because they encourage the organization to invest in techniques, tools, processes, and standards that help with building software while also finding ways to reduce security breaches. T-Mobile U.S.A. is the 2nd largest wireless provider in the United States, with a total of 98.3 million customers (Blumenthal, 2020). T-Mobile has vastly changed the wireless landscape through a series of "Un-carrier" moves. While these moves brought great change and a series of great publicity for the company, the company's Achilles' heel has been that it has been the victim of multiple software security breaches over the last five years. The T-Mobile USA brand first began in 2002 after Deutsche Telekom purchased VoiceStream Wireless (Katz, 2022). The company is currently led by CEO Mike Sievert, who assumed the role in April 2020 from the previous outspoken CEO John Legere, following the acquisition of Sprint. T-Mobile currently has two main headquarters: the first campus is located in Bellevue, Washington. The second campus, acquired as part of the merger with Sprint, is located in Overland Park, Kansas. In the last fiscal year T-Mobile reported revenues of 79.5 billion dollars (Katz, 2022).

Applications Provided

Being a part of the wireless industry has led to T-Mobile taking part in a variety of different ventures. As part of these ventures many different pieces of software have been adopted, both at the desktop and application level. T-Mobile has a variety of applications that are used on a daily basis by their customer base; some examples include the T-Mobile App, T-Mobile Tuesdays, or
T-Mobile Home Internet. Additionally, they also have an online web interface for account management and an internal desktop application for customer account management that also uses a database to pull up all of the customer's information.

Development Methods

While T-Mobile is a large organization, it is comprised of a multitude of different organizations within the company. In this guideline we will be specifically looking at their technology team. T-Mobile's technology team recently saw a change in leadership, as John Saw took over as Chief Technology Officer in April of 2023. The company currently employs a hierarchical structure when it comes to reporting. The technology field is divided into subsets, with some teams specializing in UX, mobile applications, and internal software. While T-Mobile does hire remote workers for their tech space, they tend to prefer to hire employees who are located near a customer experience center or headquarters. As part of their development, T-Mobile has a set of internal systems used to develop the programs for their internal care teams, as well as generalized operating system platforms to produce their application-based platforms. Speaking as a direct employee of T-Mobile: when it comes to testing their internal software, there are specific employees throughout multiple facets of the business who specifically pilot these programs.

Unit 1: Security in the Development Life Cycle

SDLC

The purpose of this section is to review the software development life cycle (SDLC) within T-Mobile. I can help provide a breakdown of each of the major components of the company's SDLC, as I am currently employed within their technology team and therefore have firsthand knowledge of the software process. In addition to providing a brief rundown of the major phases within the SDLC, this section will also discuss components of the security development model and how they pertain to each phase of the SDLC model. Lastly, this section will also discuss how the security model is applied within each phase of the SDLC cycle. As mentioned in the first section of this report, T-Mobile publishes applications that are used on an internal basis only, as well as applications and web platforms that are used externally on the customer-facing side. Using an SDLC is essential, as it provides the software team with a way to develop, test, and publish their software. While the SDLC follows a general format, there may be slight differences depending on the organization you are working for (Softwaretestinghelp, 2023). In the case of T-Mobile, our organization has a total of six distinct phases. Each project begins with the Requirements Gathering / Planning phase. This is followed by the design phase, then the coding phase (my current role), and then, depending on the team lead, the deployment phase and lastly the maintenance phase. Depending on the team, in some instances the deployment and maintenance phases are grouped together. In the first phase, the technical leadership team reviews feedback obtained from both internal and external teams, which is then used to develop an idea for a software product. After a need for a service has been identified, a member of our business support team will meet with a tech lead to discuss what needs to be built and how it will improve the business need. After meeting with the business analyst, our team lead will work with our UX team to determine how the software or feature can best be integrated into our current systems without making major changes to the current software layout. Once the design team has provided a prototype of how the software or feature will look visually, a meeting between the business analyst, the design team, and our tech lead occurs to ensure all parties agree. Once agreed upon, our team lead will provide each team member a task that needs to be completed and built into or updated in the existing code. Our team normally works in two-week sprints. Once all coding by each member of the team has been merged into a successfully functioning prototype, we begin testing the product. A caveat to note is that prior to any code being merged, our code is reviewed through code review sessions. Finally, once tested, the software will then be published in a pilot program test. After extensive testing through a pilot program, the software then becomes fully released.

Security Development Components

Part of the reasoning for using an SDLC is to ensure that when a product or a new form of software is being created, it is also secure. To ensure that this is occurring, different security components can be implemented throughout each of the stages. To begin, when any form of software is being planned, it is essential that an organization is proactive in building out a defense mechanism. During the initial planning, using a threat model is a great way to build up security defenses. A threat model provides a representation of the different potential pieces of information that can impact the security of your software. During the design stage of the SDLC, a review of the threat model should be completed by the design team. This review is essential because new threats may present themselves based upon the layout of the design and how the software may interact with pieces of the existing software. Once out of the design stage and into
the coding phase, a key component to security testing would be to complete the code reviews. As noted before, prior to any code being merged at T-Mobile, a code review is completed by a minimum of two members. This is crucial, as code reviews not only look for logical errors and styling guidelines, but are also extremely vital in identifying security vulnerabilities. After going through rigorous code reviews, we pilot our software through beta application testing, or through internal teams specifically assigned to test new internal software. During these releases we can use techniques such as penetration testing to test the application's security. Finally, once the software has been fully released and it enters the maintenance phase, our teams continually test for new vulnerabilities to ensure that the system software remains secure.

Unit 2: Software Assurance Techniques

Analysis

When developing a software assurance guide, it is essential to determine which software assurance techniques can be applied to the applications within the company. In this section we will be reviewing a variety of applications that T-Mobile USA commonly uses on a frequent basis, where each of these apps poses a security risk, and a technique that can be used to counteract these risks. T-Mobile USA has grown exponentially over the course of the last decade, both in regard to its consumer group, its own employment group, and the products that it has put out. With that growth has come a variety of newly published software that is used to help ensure the products are running as intended. In addition to developing apps to run their products, T-Mobile has created an internal system for its customer care team, as well as a website for its own consumers to manage their accounts.

The first application we will review is T-Mobile's Home Internet application. This application is used in conjunction with the T-Mobile Home Internet service. The app allows customers to take control of their modem. Once successfully paired, customers can set up their internet, monitor usage, and set parental controls. Additionally, T-Mobile uses this application to ensure that during the setup process customers are choosing the best location to place their modem for the best results. A few security risks can be posed when using this application. The first security risk could be unauthorized access to the account through password sharing. In this situation, if a password is leaked or given out mistakenly, a bad actor can gain full access to the customer's WiFi control system and lock them out of their own system. Additionally, this user would then have access to sensitive data, including general internet usage. One technique that could be implemented to curb this issue would be to implement a system-generated password reset on occasion (Content & Engineer, 2021). While this may be considered cumbersome, it ensures that in the case a password is leaked, users can still have secure control of their account. The second potential risk to this application is that if the end user were to leave their device unattended with the application open, there is a risk that someone could tap into their session and again gain access to the account and exploit the customer's information. A possible security assurance technique to address this issue would be to use session management. In doing so, a session could be ended if there was no activity within a certain period, and to log in again the credentials would have to be reverified.

The second application that T-Mobile incorporates into its products is its customer-facing online website. Using My.T-Mobile.com, a customer can manage their T-Mobile account. Some of the actions a user may take include viewing or paying their bill, checking usage, changing their rate plan, upgrading their devices, or activating new lines on their account. As you can see, this website has a large amount of sensitive consumer data that must be protected. As with all software, this also has inherent security risks. One inherent security risk to our account management website is the possibility that sensitive data may be accessed by users that do not have the proper authorization. For example, per our policy and procedures, only the primary account holder should be able to see call and text logs. In this case, if this information were to be obtained without authorization, T-Mobile could face a lawsuit as part of a data breach. A technique that can be implemented to prevent this would be to assign user authorization profiles. For example, you can assign different levels of account permissions to each phone number, which can either add or remove account access. Additionally, you can implement a check of permission levels each time that profile logs in (Loginradius). Another potential security risk would be that if the consumer is looking at their information on an unsecured connection, a bad actor could gain access to the customer's sensitive data. A technique that could be used to protect against this would be to ensure all sensitive data is encrypted, so that all locally stored sensitive information is protected.

The last application we will review is T-Mobile's internal desktop application that allows its consumer group to access its customers' information to help resolve any questions that customers have. In 2020, T-Mobile developed their own internal application called Atlas, which provides T-Mobile care and store reps with a user interface that allows them to pull up a customer's account quickly and easily. After verifying the account information, a T-Mobile employee can view up to 24 months of bills, equipment that is financed out, all the active and canceled lines on an account, billing addresses, birthdates, and any other critical account information. This application can pull and present all this information quickly as it is tied to servers that store databases full of our customers' information. A major security risk that T-Mobile
needs to be highly aware of is an injection attack. In this instance, information is sent to alter how the system would interpret a command, and from that the attacker can manipulate the data or gain unauthorized access. T-Mobile has unfortunately had 3 major data breaches over the course of the last five years. One technique that could be used to address this would be to implement code that validates user input. If the input cannot be validated, it is rejected, so there is no risk of something being changed. Another security risk is that someone who should not have access to this tool gains access through an unsecured connection. One way to resolve this conflict would be to implement a firewall.

Guidelines

In the previous section we looked at each of the potential security risks that T-Mobile faces through each of its different applications. Using that analysis, this second part of the software assurance technique will provide a set of guidelines that T-Mobile can use to help with reducing future security risks. By following the recommendations listed below, T-Mobile can increase the protection of customer data and their own applications. This will ensure that both T-Mobile customers and the corporation remain safe. To keep with the general formatting of this document, the first guideline we will look at is for the T-Mobile Home Internet application. The first thing that T-Mobile should do is conduct code reviews on a continual basis. By implementing these code reviews, those who work within the software department will be able to highlight code that may be vulnerable to security risks, or defects that could cause a security bug. In addition to completing these code reviews, T-Mobile also needs to ensure the application has strong encryption mechanisms that ensure the data within the application, and any sensitive customer proprietary information, is secure.
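The session-management and permission-profile techniques proposed in the Unit 2 analysis above (an inactivity timeout that forces re-login, and per-phone-number permission levels that are checked on every request rather than only at login), as an added example written for this page rather than code from the paper or from T-Mobile; the 15-minute limit, the role names and the list of actions are assumptions:

```cpp
// Added example (not from the original paper): account-portal session model
// combining an inactivity timeout with per-line permission profiles.
#include <cstdint>
#include <map>
#include <string>

using Seconds = std::int64_t;              // epoch seconds, kept simple here
constexpr Seconds kIdleTimeout = 15 * 60;  // assumed 15-minute inactivity limit

// Permission profile assigned to each phone number on the account (assumed).
enum class Role { Primary, Authorized, Standard };

// Actions the account-management site offers (assumed subset).
enum class Action { ViewBill, PayBill, ViewUsage, ViewCallTextLogs, ChangeRatePlan };

struct Session {
    std::string lineNumber;   // which phone number authenticated
    Seconds lastActivity;     // updated on every accepted request
    bool active = true;       // cleared once the session is terminated
};

// Assumed policy, following the paper: only the primary account holder may see
// call/text logs; a rate-plan change needs Primary or Authorized.
bool roleAllows(Role role, Action action) {
    switch (action) {
        case Action::ViewCallTextLogs: return role == Role::Primary;
        case Action::ChangeRatePlan:   return role != Role::Standard;
        default:                       return true;
    }
}

enum class Decision { Allowed, Denied, ReauthRequired };

class AccountPortal {
public:
    void setProfile(const std::string& line, Role r) { profiles_[line] = r; }

    Session login(const std::string& line, Seconds now) { return Session{line, now}; }

    Decision request(Session& s, Action a, Seconds now) {
        // The inactivity check runs before anything else. An idle session is
        // terminated permanently; the user must present credentials again.
        if (!s.active || now - s.lastActivity > kIdleTimeout) {
            s.active = false;
            return Decision::ReauthRequired;
        }
        s.lastActivity = now;
        // Permission is looked up fresh on each request, not cached at login,
        // so a profile downgrade takes effect immediately.
        auto it = profiles_.find(s.lineNumber);
        if (it == profiles_.end() || !roleAllows(it->second, a)) {
            return Decision::Denied;
        }
        return Decision::Allowed;
    }

private:
    std::map<std::string, Role> profiles_;   // phone number -> permission level
};
```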
The next application that was analyzed in part one was the my.T-mobile.com account management system. In this section we reviewed ensuring that strong session management techniques are in place. Implementing these session management techniques will help with reducing the chances of a session hijack by a bad actor. The second guideline that T-Mobile needs to include is increased account validation techniques. An example of this would be to incorporate user credential verification. If the credentials do not pass the tests, there should also be a lockout method in place to avoid possible account takeover. The last application that we analyzed in the first section was T-Mobile's internal customer care software, which acts as a liaison between T-Mobile's account database and the customer's questions. The first good practice for T-Mobile would be to ensure they perform scheduled backups of their database system. This is extremely important because it protects the company from outages and in some instances can help ensure the company has data it can fall back on in the case the newest data becomes compromised. Additionally, T-Mobile needs to ensure they are implementing parameterized queries, which will help with ensuring there is a reduced risk of injection attacks.

Unit 3: Security in Nontraditional Development Models

Identifying Non-Traditional Security Model

The next piece in this software assurance guideline document is being able to address security options that T-Mobile USA would be able to incorporate in a non-traditional development model. In addition to identifying the model, a brief synopsis of each of the major steps within that specific model will be given. Additionally, at each of these steps this guideline will identify security threats within the process. Lastly, referencing the security development model, a set of policies and processes will be implemented to help with minimizing these threats. A non-traditional method that T-Mobile could look at adopting would be the agile software development methodology. The agile methodology differs from the standard development approach in that end users can apply their input, which in turn can mean modifications are made during the development of the product (Team, n.d.). A good example of this process being used within T-Mobile is that the product owner (the President of the consumer group), a scrum master (a business support member), and lastly the development team work together. In this instance, the scrum master works daily with the office of the president to build out products that will support the consumer group, both internally for some applications (Atlas) as well as for customer-facing websites (my.tmobile.com). Based on these interactions, they will then report back to the development team to ensure the product being made is meeting the requirements of the president.

Non-Traditional Development Process

As with a traditional software development cycle, agile development still follows a general path to development. In the agile development life cycle, there is a general six-step process. The first step in this process would be the information gathering phase. In this part, the scrum master would gather information from multiple parties about what would need to be implemented to have a successful and functioning product. In this section, one security risk is that during information gathering, many searches are conducted through this process. During this time, in some cases, if a bad actor is accidentally given access to information gathering, they
may be given credentials allowing them to gain unauthorized access to the account (sciencedirect, 2010). The second step of the agile development process would be the product design stage. Within this stage, using the information that was gathered from our initial phase, we now have the information to design a model that is feasible for the product. In addition to building out the model, the initial prototypes of the UX design can be implemented. It is during this step that it is essential to identify the areas of security risk. Examples of security risks can range from unauthorized permissions given to a user, to technical requirements that can lead to increased security vulnerabilities. Once risks have been identified, they need to be assessed to determine first the likelihood that the risk would come forth, as well as, if it were to arise, what impact it would have on both the consumer and business level. The third step within the agile development process is the coding piece. In this portion of the development process, the prototypes of the product are handed over to the development team to put into action. During this process, the developers will bring the prototypes to life using an agreed-upon language. One of the downsides to agile software development is that, due to the customer input, there are rapid release cycles that can occur to meet the goals of the product owner. A part of this issue is that due to rapid development, developers can in some cases lack security integration (Brathwaite, 2023). The fourth step to this process would be to complete system testing. In this iteration, implementation testing will be completed. This portion can occur multiple times throughout the agile development cycle, as new features or software can be inserted and removed as the app is continually built out. The purpose of this is to ensure that the product is working as expected against the acceptance criteria. A security risk that is involved in this step is that, as mentioned previously, due to the rapidly evolving nature of the app, if updates are being pushed continually, there is a higher chance of security vulnerabilities. This is due to the quick turn-around time, and the fact that the likelihood of new bugs arising with the quick addition of new code is larger. The final stage in the agile development model would be the deployment and maintenance phase. As with any deployment, applications or software products face a large variety of security risks. In cases where products deal with a database, you face injection attacks. In other software products you face unauthorized access, or large-scale traffic attacks to cause the software to break.

Non-Traditional Software Development Policies & Processes

The second section of Unit three discusses policies and processes that would be able to address a variety of security threats through each stage of the agile development cycle. By implementing these policies, T-Mobile would be able to ensure the products and systems they are developing would be resilient and fend off software threats. During the planning and development stage, the first policy that could be implemented to avoid security risks would be a security inclusion policy. The goal of this policy would be to ensure a specific section of planning would go specifically into software security requirements. In order to ensure the policy is deployed successfully, the cybersecurity team would review any project plans to ensure that the security requirements would cover any major security threat. During the coding process, a security policy that could be implemented to ensure the code being used is secure is that all developers would be required to follow general coding standards. By doing this, it would ensure the code is written with quality and also in compliance with coding standards. A process that could be implemented within this phase would be ensuring standard coding practices such as code reviews and debugging tools are used with extreme frequency. In the testing phase of the agile development cycle, the basic policy would be to ensure that the code that is produced goes through a variety of security measures. This would include using a variety of penetration testing methods. While code reviews ensure it passes the human eye test, implementing an automated process would ensure there is consistency through all testing and through each new build. In the deployment process, the software is ready to be launched and used by the public. At this stage it is extremely important to ensure that the product is secure, because a security flaw will now affect both the consumer and the business. A policy that needs to be put into place is to ensure any servers that are used to run the application, or to hold the data, are secure and are continually reviewed for safety. This can again use an automated tool to ensure servers are running at peak performance and security. Additionally, the IT team should run periodic safety tests to validate the automated tools. Lastly, with the application being deployed, it is vital that there is continuous monitoring of the software. To ensure that the program is being monitored, T-Mobile must implement a variety of incident responses in the instance a security flaw is discovered. Real-time monitoring should be implemented by the cybersecurity or IT team to help with detecting any real-time security risks.

Section 4: Security Static Analysis

In this section of the analysis, I will identify three commonly used security static-analysis tools and, based upon those chosen, I will prepare a guideline on how they could be used within the software development cycle within T-Mobile. This section will be broken up into two separate sections, the first identifying each of the tools, followed by how each will be implemented.

Application Design Layout

(Two screenshots of the T-Mobile App; images not reproduced in this extract.)

Above are two separate screenshots that depict different views of how the application would be viewed on the user side when fully logged in to the T-Mobile App.

Component Diagram

(Component diagram; image not reproduced in this extract.)

Major Components

In the main T-Mobile user-facing application there are a total of five main components. The first is the home page; in this section the user is provided the option to view their overall account usage (call and text history, and data usage). Additionally, they can add their payment method for autopay here as well. A major security risk here would be supplying this information to an individual who is not supposed to have access. If a situation occurs where call or text records are given out, it can make the individual susceptible to hacking. The next component is the account component. In this section a user can view the current benefits of their plan. This again is a risk: if the wrong person gains access to this, they would then be able to gain access to a customer's unique profile and get an understanding of what that user has access to. Additionally, this is an important area for two-factor authentication, as this section is also an area where an individual can change their rate plan, which can have major financial implications for a customer. The third component would be the bill section. In this section a security risk would be that the customer's financial information is linked in their profile. It is within this section that the customer would make any financial transactions. Having encryption for all payment requests is a must in this section. The fourth component is the shop tab. It is within this section that again there needs to be major encryption, as again there are large financial transactions that are completed within this section. If there was a breach and there was no encryption, T-Mobile would be susceptible to releasing their customers' payment information. Finally, the last major component would be the more component. It is in this area that the customer can update their profile information. So, it would be a good idea for T-Mobile to incorporate a two-factor authentication system before any major changes are able to be processed.
C++ Code Samples

A common security risk in C++ is the buffer overflow. A buffer overflow occurs when data is written into a fixed-size buffer without a bounds check, so input longer than the buffer spills into adjacent memory. In a buffer overflow attack an attacker uses that overwrite to corrupt program state and, in the worst case, inject and execute code of their own choosing, such as spyware. Looking at the code above, a buffer overflow is possible if a user enters a string longer than the User Input array. There are several ways to prevent this: check the input length before copying, use a bounded copy that always NUL-terminates the destination, or replace the raw character array with std::string so the container owns its own memory.

Security Static-Analysis Tools & Guidelines

The first tool category is the static code analyzer (Zelleke, 2023). Its purpose is to scan source code, without running it, to identify potential security vulnerabilities such as SQL injection and buffer overflows. An additional benefit is the report it produces, which gives in-depth information about each vulnerability identified along with recommendations on how the flaw can be fixed. The next popular tool is SonarQube, a platform that performs static analysis on code to locate bugs, code-quality issues, and security flaws. One major benefit of SonarQube is that it can analyze a variety of programming languages (Zelleke, 2023), and like a general static code analyzer it produces a report that helps the team improve not only the security of the app but also the quality of the code. The last tool is Checkmarx, which, like the first two, identifies vulnerabilities in the code; unlike the first two, it specifically examines issues such as file handling and communication protocols.

The second part of this subunit discusses how the tools listed above could be implemented successfully within T-Mobile's software development. Below is a list of recommended guidelines. First, T-Mobile should run each of these tools against previously released software and integrate them into the build pipeline of every future product. Implementing the tools in the development cycle ensures each product is scanned for vulnerabilities continuously throughout the build rather than only before release. As noted in previous guidelines, I would also suggest that T-Mobile's IT and software teams come together to develop a set of coding standards, so all developers are on the same page and their code can be checked for compliance with the agreed-upon standards.
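As an added example (not code from the original paper) of the C++ buffer-overflow risk discussed above, the block below places an unchecked strcpy into a fixed-size user-input buffer beside two hardened versions: a bounded copy that NUL-terminates and reports truncation, and a std::string-based validator that rejects overlong input outright instead of truncating it. The 16-byte buffer size, the function names, and the 32-character sample input are all assumptions; the paper's own code sample does not state them.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Assumed size of the "User Input" array from the paper's sample; the paper
// does not give one, so 16 bytes is a placeholder chosen for the demo.
constexpr std::size_t kUserInputSize = 16;

// VULNERABLE: no boundary check. strcpy writes strlen(src)+1 bytes no matter
// how large `buf` is, so any input of 16+ characters overruns the array.
// This function is kept only for contrast and is never called on overlong
// input below, since that would corrupt the stack.
void copy_user_input_unchecked(char (&buf)[kUserInputSize], const char* src) {
    std::strcpy(buf, src);
}

// The check the vulnerable version is missing: would this input fit,
// including the terminating NUL?
bool would_overflow(const char* src) {
    return std::strlen(src) + 1 > kUserInputSize;
}

// HARDENED (C style): copy at most kUserInputSize-1 bytes, always terminate,
// and tell the caller whether anything was dropped so it can refuse to
// proceed on truncated data.
struct CopyResult {
    bool truncated;
    std::size_t copied;
};

CopyResult copy_user_input_bounded(char (&buf)[kUserInputSize], const char* src) {
    const std::size_t len = std::strlen(src);
    const std::size_t n = len < kUserInputSize - 1 ? len : kUserInputSize - 1;
    std::memcpy(buf, src, n);
    buf[n] = '\0';
    return {len > n, n};
}

// HARDENED (idiomatic C++): let std::string own the memory, and enforce the
// length limit as an input-validation rule. Overlong or NUL-containing input
// is rejected rather than silently cut down.
bool accept_user_input(const std::string& input, std::string& out,
                       std::size_t max_len = kUserInputSize - 1) {
    if (input.size() > max_len) return false;
    if (input.find('\0') != std::string::npos) return false;
    out = input;
    return true;
}

// Stand-alone demo with a constructed overlong input (32 'A's, twice the buffer).
int main() {
    const std::string overlong(32, 'A');
    char buf[kUserInputSize];

    const bool overflow = would_overflow(overlong.c_str());          // true
    const CopyResult r = copy_user_input_bounded(buf, overlong.c_str()); // truncated, 15 copied

    std::string validated;
    const bool accepted = accept_user_input(overlong, validated);     // false: rejected

    return (overflow && r.truncated && r.copied == kUserInputSize - 1 && !accepted) ? 0 : 1;
}
```

The bounded copy is what most static analyzers will suggest in place of strcpy, but note that silent truncation can itself be a logic bug (a shortened account number or path), which is why the std::string version rejects the input instead; a scanner such as the ones listed above will flag the unchecked strcpy, not the truncation, so the policy decision still belongs to the developer.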
The next guideline I would put in place is that as vulnerabilities are identified, each is given a priority ranking based on how much impact it could have on the business. In addition to the priority level, T-Mobile should create a single, universal procedure that all employees use to track the status of these security vulnerabilities. Lastly, T-Mobile should raise awareness so all employees understand the security vulnerabilities they are at risk for, and set aside a budget for developing employee training. Through the combination of these security tools and the initial guidelines, T-Mobile can improve its product security and reduce the risk introduced during the development cycle.

Unit 5: Software Assurance Policies and Processes

Software Assurance Training Plan

If T-Mobile decides to adopt the software assurance guidelines in this report, it is also essential that the company implement a new training program for its development team. To make the process more manageable, this section gives a synopsis of what the training program should focus on and why each element is necessary. To deliver these guidelines effectively, T-Mobile should emphasize three key areas.

1) The first step is an awareness training session that explains how T-Mobile plans to implement these guidelines. It is also vital that developers understand common vulnerabilities, know why software assurance matters, and learn concrete secure-coding practices they can apply.

2) After the initial session, the next step is role-specific training in which each developer's responsibilities under the guidelines are spelled out. The content would depend on the role, but examples include sessions on secure coding frameworks, threat modeling, and secure software design principles.

3) Lastly, as brought up multiple times throughout the guidelines, the most important aspect is that T-Mobile continues to provide its developers with ongoing education. T-Mobile should invest in a continuous education program that keeps all parties aware of newly emerging threats and industry best practices, for example by having developers attend seminars or participate in workshops.

Software Assurance Metrics

To ensure the software assurance effort is working and delivering a return on investment, T-Mobile needs a way to gauge its effectiveness. Below is a list of metrics that can be used.

1) The first is to track how many vulnerabilities are found during code review, along with the severity of each. This not only tracks the benefit of the program but also lets T-Mobile trend which vulnerability classes recur most often.

2) Once vulnerabilities are tracked, T-Mobile can also measure how long it takes teams to fix an issue from the time it is discovered until it is closed out (time to remediate). This metric is highly valuable in understanding how efficient the vulnerability management process is.
3) The next is to count how many security issues are found per section of code (defect density). This gives management a view of the overall security posture of the software and highlights which modules need attention.

4) Lastly, T-Mobile can track an incident response metric: how many security incidents occur and how severe each one is.

Security Team Roles & Responsibilities

T-Mobile's security team will play a crucial role in ensuring that the software assurance program works effectively. Below are a few of the roles it should play.

1) Regularly review the software assurance policies and update them based on industry best practices and new threats as they emerge.

2) Oversee the developer training program and ensure developers stay up to date with it, so they are protecting the company from new threats.

3) Perform random code reviews to ensure developers are following company standards.

4) When a security vulnerability is identified, work with the incident response team to investigate and fix the issue.
Resources

7 agile software development habits that produce security concerns. (2023, July). https://www.softwaresecured.com/7-agile-software-development-habits-that-produce-security-concerns/

7 common Web application security threats. LoginRadius. (n.d.). https://www.loginradius.com/blog/identity/7-web-app-sec-threats/

Bluementhal, E. (2020, August 6). T-Mobile leapfrogs AT&T, saying it's 2nd largest US carrier after Sprint merger. CNET. https://www.cnet.com/tech/mobile/t-mobile-leapfrogs-at-t-claims-status-as-second-largest-us-provider-following-sprint-merger/

Auth0. (2021, January 22). NIST password guidelines and best practices for 2020. https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/

Information gathering phase. Information Gathering Phase - an overview | ScienceDirect Topics. (n.d.). https://www.sciencedirect.com/topics/computer-science/information-gathering-phase

Katz, M. (2022, September 1). Reflecting on roots as T-Mobile brand propels into future. T-Mobile Newsroom. https://www.t-mobile.com/news/blog/cmo-mike-katz-voicestream-to-t-mobile-anniversary

Snyk Security Research Team. (2022, August 16). Top 5 C++ security risks. Snyk. https://snyk.io/blog/top-5-c-security-risks/

KPI Partners Team. (n.d.). Traditional vs. Agile Software Development Methodologies. https://www.kpipartners.com/blog/traditional-vs-agile-software-development-methodologies

What is SDLC (software development life cycle) Phases & Process. Software Testing Help. (2023, June 24). https://www.softwaretestinghelp.com/software-development-life-cycle-sdlc/

Zelleke, L. (2023, August 2). 6 best static code analysis tools for 2023 (paid & free). Comparitech. https://www.comparitech.com/net-admin/best-static-code-analysis-tools/