Source code repository
A database of source code, typically used for projects involving a large number of developers and/or to store code that may be used on a number of projects. A repository may be private to an organization or public. Public repositories may be open source or restricted to developers from multiple organizations. Repositories help developers submit patches of code in an organized fashion. Often these archives support version control, bug tracking, release management, mailing lists, and wiki-based documentation.
Security architecture design activity expected outputs include:
■ A schematic of security integration that provides details on where within the system security is implemented and shared
■ A list of shared services and resulting shared risk
■ Identification of common controls used by the system
Began to gain favor in the early 2000s
Agile software development
corresponds to step 1 in the NIST risk management framework defined in SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems
Categorizing information systems
A key result of this process should be a set of security requirements that are to be incorporated into the overall set of requirements for the system
Categorizing information systems and assessing impact
The expected outputs of ...................... include supporting rationale for the information system security categorization and a level of effort estimate for applying the necessary security controls, together with a specification of security requirements.
Categorizing information systems and assessing impact
The purpose of ........................ is to identify information that will be transmitted, processed, or stored by the system and to define applicable levels of information categorization based on an impact analysis.
Categorizing information systems and assessing impact
The result of .............................. should be an information taxonomy or catalog of information types.
Categorizing information systems and assessing impact
A number of security-related activities are needed to assure that security is incorporated effectively in the design phase.
Major security activities
SP 800-64 makes use of the following elements in defining the security considerations applied during each phase:
■ Major security activities ■ Expected outputs ■ Synchronization ■ Control gates
This activity includes the practices of continuous monitoring, customer feedback, and optimization to monitor how applications are performing post-release, allowing businesses to adapt their requirements as needed.
Monitor and optimize
Determine whether the proposed system will in fact satisfy system requirements as defined for the user's environments.
Operational feasibility
This phase involves maintenance, replacement of outdated or malfunctioning hardware and software, and regular software updates.
Operations/maintenance
This phase involves monitoring and evaluation to determine whether requirements are being met and what is in need of improvement.
Operations/maintenance
Determine whether the proposed system is consistent with the organization's strategic objectives.
Organizational feasibility
Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, a system, or a network.
Penetration testing
This activity focuses on business units and their planning process.
Plan and measure
DevOps is viewed as a repetitive cycle of four major activities:
■ Plan and measure ■ Develop and test ■ Release and deploy ■ Monitor and optimize
Carry out activities such as detailing what will actually go into the system release (for example, new features and fixes), creating initial project plans, and improving budget estimates.
Planning
Ensure that the system release is fully aligned to the master strategy and intent. System or asset owners work with appropriate stakeholders to develop a high-level strategy or roadmap of work, outlining the details of a specific system release.
Strategy
The initiation phase includes:
■ Strategy ■ Research ■ Feasibility ■ Planning ■ Requirements
A feedback loop between tasks provides opportunities to ensure that the SDLC is implemented as a flexible approach that allows for appropriate and consistent communication and the adaptation of tasks and deliverables as the system is developed.
Synchronization
Contains the details of system design, programs, their coding, system flow, data dictionary, process description, and so on.
System documentation
A person or an organization that has responsibility for the development, procurement, integration, modification, operation, maintenance, and final disposition of an information system.
System owner
, it is often determined whether the project will be an independent information system or a component of an already defined system T or F
T
A traditional information system development project proceeds sequentially through these stages, without delivering working pieces in between and without obtaining customer feedback on the way (waterfall development). T or F
T
Assessing business impact synchronizes with the categorization activity. T or F
T
It is characterized by rapid releases, feedback loops embedded throughout the process, and a comprehensive set of tools and documented best practices to automate the DevOps process. T or F
T
Operations/maintenance can mean recommending additional training, operations, procedures, or upgrades. T or F
T
Determine whether the available technology and resources are adequate to implement the proposed system.
Technical feasibility
application life cycle management (ALM)
The administration and control of an application from its inception to its demise. ALM embraces requirements management, system design, software development, and configuration management, and implies an integrated set of tools for developing and controlling the project.
Targeted at system functions that end users will be able to execute while operating in the final production environment.
User acceptance testing (UAT)
Provides a complete description of the system from the user's point of view, detailing how to use or operate the system.
User documentation
types of documentation are prepared for the system:
■ User documentation ■ System documentation
A phase of system development in which the software or system is tested in the "real world" by the intended audience.
User testing
A method of deploying software or systems in which development moves through a series of fairly well-defined stages. With large projects, once each stage is completed, it cannot be easily reversed, much as it would be difficult to move up a waterfall. This traditional system engineering flow allows for a requirements-driven process that leads to assured and verified function.
Waterfall development
An expected output of the Initiating project security planning activity is
an initial set of security activities and decisions related to the SDLC.
This categorization process depends initially on ......................... and should be revisited if there are updates to either of these assessments.
business and privacy impact assessments
This planning activity enables developers to
design security features into the project.
During the development/acquisition phase, the system is
designed, purchased, programmed, developed, or otherwise constructed
In addition to designing the operational solutions associated with functional and non-functional requirements, the design process also includes ........................... that will be used to verify the quality of all work performed in all downstream phases and environments.
designing unit, module, integration, user acceptance, and production signoff tests
The system owner and the development team should work together to ............................ throughout the SDLC.
develop a set of principles and plans that document security expectations
The plan must include ..................... that are used to evaluate software, adapt and adjust continually, relate to customer needs, and continually update the development plan and the measurement plan.
developing measures
The focus of DevOps has been the
development of application software and support software
The planning process relates business needs to the outcomes of the
development process
Typical stages in the development and deployment of applications are
development, system integration testing, user acceptance testing, and production
refers to the process of preserving (if applicable) and discarding system information, hardware, and software.
disposal phase of the system life cycle
A build team creates a fully centralized, repeatable, and automated build that will be used for ............................ in downstream phases and environments
distribution/deployment, quality assurance, and signoff
User testing is also called
end-user testing
Enterprise security considerations dictate that security focused activities and deliverables be a part of every phase of the SDLC in order to
ensure that the developed system is able to withstand malicious attacks
The information to be processed, transmitted, or stored is typically............................, along with who needs access to such information and how
evaluated
While initiating project security planning, the key security roles that will be active throughout the SDLC should be................
identified
User documentation includes the ....................... likely to be encountered by the user.
major error messages
During the initiation phase, the organization establishes the
need for a particular system and documents its purpose
During the initiation phase, the responsible individual or group documents the
purpose of the system and defines the requirements
The detailed design of a system release is ............................, with the intent that it will be handed off for a centralized and repeatable build that can be used for distribution/deployment, quality assurance, and signoff in downstream phases and environments.
realized and optimized
A ......................... enables an organization to determine the risk to operations, assets, and individuals resulting from the operation of information systems and the processing, storage, or transmission of information.
risk assessment
The expected output of .......................... is a refined risk assessment that accurately reflects the potential risk to the system, known weaknesses in the design, identified project constraints, and known threats to both business and IT components.
risk assessment activity
The results of ........................... are used to supplement baseline security controls identified during the initiation phase.
risk assessment activity
The ...................... looks at the current knowledge of the system's design and the impact assessment information from the initiation phase.
risk assessment activity
It is also important to ensure that all key stakeholders have a common understanding, including
security implications, considerations, and requirements.
An expected output of the Initiating project security planning activity is a ......................... that provides a record of the agreed-upon planning decisions.
set of supporting documents
Implementation is the
stage of a project during which theory is turned into practice.
Characterized by frequent release, in an iterated loop fashion, with a certain amount of automation in the form of tools that can be used to
support collaboration
All data and technology connections are ...................... for a specific system moving through the SDLC and all of its upstream system dependencies and all of its downstream system targets.
tested
needs to identify the standards and regulations that apply and develop an overall plan for security milestones during system development.
the system owner
Emphasizes teamwork, customer involvement, and the creation of small or partial pieces of the total system that are tested in a
user environment
The goal of integration testing is to ........................... that will need to interact in the final operating environment.
verify all appropriate data connections and data exchanges between systems
If the new system replaces an existing IT system or even a manual system, the organization needs to shift the work from the old system to the new.
■ Changeover
The data need to be converted from the old system to operate in the new format of the new system. During this part of the process, all the programs of the system are loaded onto the user's computer.
■ Conversion
The old system is completely replaced by the new system. This is a risky approach and requires comprehensive system testing and training.
■ Direct changeover
The hardware and the relevant software required for running the system must be made fully operational.
■ Installation of hardware and software
The major parts of the Implementation phase are:
■ Installation of hardware and software ■ Conversion ■ User training ■ Changeover ■ Direct changeover ■ Parallel run ■ Pilot run
The two systems are executed simultaneously for a certain defined period, and the same data are processed by both the systems. This strategy is less risky but more expensive.
■ Parallel run
The new system is run with the data from one or more of the previous periods for the whole system or part of it. The results are compared with the old system results. This is less expensive and risky than the parallel run approach. This strategy builds confidence and allows for error tracing without affecting operations.
■ Pilot run
The main topics of user training can include how to execute the package, how to enter data, how to process data, and how to generate reports.
■ User training
This activity focuses on collaborative development, continuous integration of new code, and continuous testing.
Develop and test
It focuses on streamlining development and testing teams' capabilities.
Develop and test activity
Changeover includes three basic strategies:
■ Direct changeover ■ Parallel run ■ Pilot run
SP 800-64 lists the following as benefits of integrating security into the SDLC:
■ Early identification and mitigation of security vulnerabilities and misconfigurations, resulting in lower cost of security control implementation and vulnerability mitigation
■ Awareness of potential engineering challenges caused by mandatory security controls
■ Identification of shared security services and reuse of security strategies and tools to reduce development cost and schedule while improving security posture through proven methods and techniques
■ Facilitation of informed executive decision making through the application of comprehensive risk management in a timely manner
■ Documentation of important security decisions made during development, ensuring management that security was fully considered during all phases
■ Improved organization and customer confidence to facilitate adoption and use as well as improved confidence in the continued investment in system development
■ Improved systems interoperability and integration that would be difficult to achieve if security were considered separately at various system levels
Determine whether the likely benefits of the system outweigh the cost, using a cost/benefit analysis.
Economic feasibility
Feasibility: If the overall strategy is acceptable to management, then the next step is to examine the feasibility of the system. Key considerations include:
■ Economic feasibility ■ Organizational feasibility ■ Operational feasibility ■ Technical feasibility ■ Social feasibility
The output from ......................... should include plans for development phase security training and quality assurance.
Ensuring secure system development
A key to success is to define specific deliverables for each activity.
Expected outputs
Security testing in which advertised security mechanisms of an information system are tested under operational conditions to determine if a given function works according to requirements.
Functional testing
A contraction of development and operations that refers to the tight integration between the developers of applications and the IT department that tests and deploys them. DevOps is said to be the intersection of software engineering, quality assurance, and operations.
DevOps
Decision points at the end of each phase when the system is evaluated and management determines whether the project should continue as is, change direction, or be discontinued.
Control gates
is monitored to optimize experiences in business applications
Customer experience
are automated and then mature to a self-service model that provides individual developers, teams, testers, and deployment managers with the capability to continuously build, provision, deploy, test, and promote.
Deployments and middleware configuration
The development/acquisition phase includes:
■ Design ■ Procurement or coding ■ Centralized build ■ Integration testing ■ Documentation ■ User acceptance testing (UAT)
The initiation phase involves the following control gates:
■ Determine acquisition strategy ■ System concept review ■ Performance specification review ■ EA/IA (enterprise architecture/information architecture) alignment ■ Financial review ■ Risk management review
This activity provides a continuous delivery pipeline that automates deployment to test and production environments.
Release and deploy
are managed centrally in a collaborative environment that leverages automation.
Releases
Develop a requirements specification of what needs to be accounted for in downstream design and implementation activities. The more detailed the requirements, the higher the probability that the design will align to the intended system release strategy and with end-user expectations for the release.
Requirements
Determine opportunities and solution options that meet requirements.
Research
Ensuring secure system development considerations include:
■ Secure concept of operations ■ Standards and processes ■ Security training for development team ■ Quality management ■ Secure environment ■ Secure code practices and repositories
Determine whether the proposed system will produce unwanted society impacts.
Social feasibility
ISO 27002, Code of Practice for Information Security Controls, suggests that the security requirements consider the following:
■ The level of confidence required toward the claimed identity of users, in order to derive user authentication requirements
■ Access provisioning and authorization processes for business users as well as for privileged or technical users
■ User and operator knowledge of their duties and responsibilities
■ The required protection needs of the assets involved, especially regarding availability, confidentiality, and integrity
■ Requirements derived from business processes, such as transaction logging and monitoring as well as nonrepudiation requirements
■ Requirements mandated by other security controls, such as interfaces to logging and monitoring and data leakage detection systems
is that all participants in creating a product or system should collaborate from the beginning, including business unit managers, developers, operations staff, security staff, and end-user groups.
The philosophy
.......................... produces a detailed architecture that incorporates security features and controls into the system design.
The security architecture design activity