Software Development Lifecycle (SDLC)

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

Define an assurance case

A documented body of evidence that provides a convincing and valid argument that a specified set of critical claims regarding a system's properties are adequately justified for a given application in a given environment

Volere Requirements Shell

A formalized structure that can be used to specify atomic requirements analysis. This is part of the requirements analysis step of the SDLC

Define sequence diagram

A graphical depiction of how processes in a system interact with each other and the order of the interaction; this is most commonly used in UML

Define key stakeholder

A person or group with the most influence on a project

Define nonfunctional requirement

A quality or constraint for the system; something that must be upheld as the system operates

Name the elements in a formal system

A set of symbols; rules for constructing well-formed formulas in the language; axioms for formulas postulated to be true; inference rules expressed in metalanguage

Define scope creep

A situation where a project gains more and more functionality beyond the original specification

Describe Relative Attack Surface Quotient (RASQ)

A software security metric that is already in use by Microsoft

Name the aspects that are directly relevant to an open-source system's ability to support secure SCM

Ability to assign access permissions to users and to restrict access to the repository based on those permission assignments; ability to limit read and write accesses to a single directory

Name the security enhancements suggested by the DHS that can be added to current SCM practices

Access control for development artifacts; time stamping and digital signature of all configuration items upon check-in to the SCM system; baselining of all configuration items before they are checked out for review and testing; storage of a digitally signed copy of the configuration item with its progress verification report; separation of roles and access privileges; separation of roles and duties; authentication of anyone before granting access to the SCM system; auditing of all SCM system access attempts, check-ins, check-outs, configuration changes, and traceability between related components

Name the ways that software-intensive systems come into existance

Acquisition, integration or assembly, custom development, software reengineering

"Managing Software Risk" key activity 3

Adherence to security standards and policies for development and deployment

Define a boundary class

An abstraction of data collected directly from a user, typically from a form or other GUI structure. These classes cannot communicate directly with each other

Define security requirement

An associated protection that must be placed on some part of the system as a contingency to normal operation or guarantee of some constraint that would otherwise violate the conditions of safe operation

Define object

An instance of a class

Describe the testing phase of the SDLC

An internal process before the product is released to the customer for consumption. Involves verification and validation

Define entity class

An object-oriented software system is one representing a collection of data and the manipulation and maintenance of that data

Name the activities of the developer

Analyze database design; coding unit testing on local host

Define stakeholder

Anyone with an interest in the project or anyone affected by the project

Morana risk management activity 2

Architecture and design

Describe validation testing

Asserting that the needs of the system and the needs of the stakeholders are being met with the requirements gathered

Name the key activities that should be subjected to QA reviews and controls during the SDLC

Assessment of development risks; ensuring that security requirements have been defined adequately; ensuring that security controls agreed to during the risk assessment process mechanisms intended to protect CIA have been developed; determining whether security requirements are being met effectively

"Managing Software Risk" key activity 4

Assessment, monitoring, and assurance

MSF risk management activity 3

Building

BSI RMF phase 5

Carrying out and validating the identified fixes for security risks

Risk management activities in Development phase of SDLC

Code review, use of security patterns, flaw and bug mitigation, unit security testing

Name the activities of the release manager

Code review; build (Web Application Archive) WAR file; deploy to various environments

Name the traditional method for gathering requirements

Conducting interviews

SDLC Step 3

Construction

BSI RMF phase 4

Defining cost-effective risk mitigation strategy

MSF risk management activity

Deploying

Morana risk management activity 5

Deployment

SDLC Step 2

Design

Describe the verification procedure of the testing phase of the SDLC

Determines whether the product is being built correctly. Should be conducted before delivering the product to the customer. Verifies that the product does everything it's supposed to on the correct platforms

Morana risk management activity 3

Development

The advantages of SafSec over other software assurance processes

Ensures completeness; minimizes overlap and duplication of evidence; provides a single methodology and framework that supports both safety and security certification and accreditation of both products and systems

Categories that should be included in the security component of a requirement specification

Fail case; consequence of failure; associated risks

Name some other capabilities required to make SCM truly secure that were not developed by the DHS

Flexible but controlled delegation of SCM administrator privileges; no remote access or else remote access only by encrypted, authenticated interfaces; reporting of differences between security aspects of previous and subsequent versions and releases

Name the activities of the Tester/QA

Functional/integrated testing

Name the activities of the business analyst

Gathering requirements; gap analysis with the existing system or process; identifying actors and use cases; work flow diagrams; screen design; facilitating UAT

Describe the design phase of the SDLC

Has significant overlap with requirements analysis. Includes choosing the underlying architecture for the system. The security implications of the platform should be considered here

BSI RMF phase 2

Identifying and linking the business and technical risks within the business context to clarify and quantify the likelihood that certain events will directly affect business goals

Name software configuration management (SCM) methods

Increasing developer accountability for software artifacts by increasing the traceability of software development activities; ongoing impact analysis and control of changes to software development artifacts; minimization of undesirable changes

MSF risk management activity 1

Initiation

SDLC Step 5

Installation

Name some efforts aimed at improving the certification and testing environment for software

International Organization for Standardization/International Electrotechnical Commission (ISO/IEC); The National Institute of Standards and Technology (NIST); federal, DoD, and Intelligence Community certification and accreditation (C&A) processes

Name the items that should be put under the configuration manager's control

Items that are mission critical, security critical, safety critical, or high-risk; items that, if they failed or malfunctioned, would adversely affect security, human safety, or mission accomplishment, or would have significant financial impact; items for which an exact configuration and status of changes must be know at all times

SDLC Step 7

Maintenance

Name the risks involved with software reengineering

Modifications may be required to integrate the new functions with the unmodified portions; new vulnerabilities may be introduced by the increasing complexity of the system; any unexpected behavior in the overall system may manifest as a security vulnerability

Name the elements of a software security assurance case

One or more claims about the required security attributes of the software; a body of evidence supporting those claims; arguments that clearly link the evidence to the claims

SDLC Step 6

Operation

Risk management activities in Deployment phase of SDLC

Patch management, incident management, update of threat models, security measures

ISO/IEC life cycle process expectations

Plan assurance activities; establish and maintain the assurance case; monitor and control assurance activities and products

MSF risk management activity 2

Planning

Define project scope

Refers to the work that is to be completed and is more concerned with how the project itself is governed, such as personnel, timelines, etc

Morana risk management activity 1

Requirements

SDLC Step 1

Requirements analysis

The most important step to defining security

Requirements analysis

Describe an iterative process

Requires that issues/errors be identified and handled immediately in the appropriate phase; allows backtracking; Pros: issues are addressed immediately, and changes do not contradict earlier documentation; Cons: difficult to gauge where the project is according to the plan, and different people can be in different phases simultaneously

Describe an incremental model

Requires that the system be developed in succinct pieces. Each successive phase can reuse assets that were developed in earlier phases; Pros: Allows for frequent releases, one phase does not have to be done before starting on the next; Cons: problems raised in one phase cannot be completed until the next

SDLC Step 8

Retirement

"Managing Software Risk" key activity 1

Risk assessment

Typical risk metrics

Risk likelihood, risk impact, risk severity, and the number of risks that emerge and are mitigated over time

Describe decommissioning

Sanitization of media and proper disposal of hardware and software

Name the limitations of formal methods

Scale, training, applicability

Risk management activities in Architecture and Design phase of SDLC

Security patterns, security testing and planning, security reviews

Risk management activities in Requirements phase of SDLC

Setting of compliance goals, application of standards, threat modeling

SDLC

Software Development Life Cycle

Define functional requirement

Something that the system must do; it is an outcome that the system must produce as part of its useful operation

MSF risk management activity 4

Stabilizing

Describe secure requirements

Standard requirements that have security built into them to determine the necessary constraints to protect the system as a whole

BSI RMF phase 3

Synthesizing and ranking risks

Morana risk management activity 4

Testing

SDLC Step 4

Testing

Describe the construction phase of the SDLC

The actual production of the software. Involves setting up the hardware and any off-the-shelf software used in the system as well as coding new software. Requirements must not be gathered during this phase

Define product scope

The collection of functional and nonfunctional requirements that will be included in the final system

Define requirements creep

The gathering of requirements after the scope is established

The outcome of the verification is contingent on an absence of extrinsic interventions of

The integrity of how raw bits are interpreted in software as abstract values; the integrity of the access pathways to those values

Define use case overflow diagram

The mapping of all potential use cases, providing a picture of the entire functionality of the system

Define scope creep management

The part of the project plan that is the formal process for making any changes to the scope after the requirements gathering step

Define verification testing

The process of asserting that the system is being designed according to its intended purpose

Define trade-off analysis

The process of resolving conflicts between any two competing needs and deciding the best outcome for the project

Define stakeholder analysis

The process used to determine the members of each group

Describe the validation procedure of the testing phase of the SDLC

The testing of whether the correct product is being built. This is conducted by the end users of the system.

Name some inherent problems with current assurance cases

The volume and nature of evidence to be considered; lack of explicit relationships among assurance claims, assurance arguments, and supporting evidence; the lack of support for structuring the information; lack of standard "rules of evidence"; exclusive emphasis in current guidance for assurance case development on the format of the information; the lack of guidance on how to gather, merge, and review arguments and evidence; lack of explicit guidance for weighing conflicting or inconsistent evidence; difficulty in comprehending the often-complex imparts of changes because of the immense volume of information to be considered

Atomic requirements

Those that cannot be broken down any further and represent a functionality or constraint upon the system

Define primary stakeholder

Those who are directly affected by the project or those who can directly affect the project

Define secondary stakeholder

Those who are indirectly affected by the project or those who may indirectly affect the project

Name the activities of the project manager

Tracking the project progress; supporting PDD; estimating schedule; researching risk management and customer relationship management

BSI RMF phase 1

Understanding the business context

The phases of SafSec

Unified risk management; risk-directed design; modular certification

Risk management activities in Testing phase of SDLC

Use of attack patterns, automated black-box and white-box activities, third-party security assessments, updating threat models

Describe the waterfall model

Useful only when requirements are clear and do not change; Pros: each phase is independently useful when requirements don't change, or the project is small; Cons: cannot handle changes, users only involved at the end

Name a way to promote accountability and define a clear conclusion on choices

Using completed and signed documentation

"Managing Software Risk" key activity 2

Vulnerability management

Name the SDLC models and methods

Waterfall; Interative and Incremental; Evolutionary; Spiral; Concurrent Release; Unified Process; Agile

Questions to ask to determine correct and thorough answers about requirements specifications

What are the exceptions to the normal case for this requirement; what sensitive information is included in this requirement; what are the consequences if the conditions of this requirement are violated; what happens if this requirement is intentionally violated

Questions that should be asked to create a well-written requirement

Why should this be part of the system; What are the constraints on this requirement; what are the dependencies for this requirement; who are the stakeholders for this requirement

Name the activities of the architect

Workflow analysis; objects (use case realization), requirements and use case analysis; object diagrams, sequence diagrams; class diagrams; moving analysis to implementation; database design

Name the main uses of formal methods in the SDLC

Writing the software's formal specifications; proving properties about the software's formal specification; constructing the software program through mathematical manipulation of its formal specification, using mathematical arguments and proofs to verify the properties of a program


Set pelajaran terkait

Producers, consumers, food web and chain, and types of consumers

View Set

3.1.7 DNA, GENES AND CHROMOSOMES

View Set

Class 5: Circuits, Magnetism, Waves & Sounds

View Set

Personal Finance - 1. Overview of a Budget

View Set

The Limbic System and Other Brain Areas

View Set