Direct Study Security and Governance

Chapter 10: Software Development Life Cycle

Software development deals with putting repeatable and predictable processes in place which helps to ensure functionality, cost, quality, and delivery schedule requirements are met.
Software Development Life Cycle (SDLC) in general covers the following areas:

Answers the "why, what, and for whom" in why do we create this software, what will the software do, and for whom the software will be created?
In this phase, everyone attempts to understand why the project is needed and what the scope of the project will be.
The team examines software's requirements and proposed functionality, brainstorming sessions take place, and obvious restrictions are reviewed.
This is where you can evaluate products currently on the market and identify demands that aren't met by current vendors.
From a security aspect, the following items should be accomplished in this phase:

Design in SDLC covers "how" the software will accomplish the goals that are identified.
The design phase maps theory and reality
Theory encompasses all the requirements that were identified in previous phases and outlines how the product is actually going to accomplish these requirements.
Software requirements commonly come in three models:

Information model (dictates type of information to be processed and how it will be processed)
Functional model (outlines tasks and functions application needs to carry out)
Behavioral model (Explains states the application will be in during and after specific transitions take place)

Attack surface - what is available to be used by attackers against the product itself.
Attack surface analysis - identifies and reduces amount of code and functionality accessible to untrusted users.

Systematic approach used to understand how different threats could be realized and how a successful compromise could take place.

Development is when the actual programming of the software and the code has to meet specifications laid out in the design phase.
The software design created in the previous phase (design) is broken down into defined deliverables, and programmers develop code to meet the deliverable requirements.
Computer-aided software engineering (CASE):

Any type of software tool
Allows for automated development of software (i.e. program editors, debuggers, code analyzers, version-control mechanisms etc.)

We have to validate software to ensure the goals are met and the software works as planned.
Formal/informal testing should be done as soon as possible.
Unit testing:

Start very early in development
After programmer develops a component (unit of code) it is tested with several different input values in many different situations
It isolates each part of the software and show that the individual parts are correct
Continues throughout development phase

Individual components in a controlled environment where programmers validate structure, logic, and boundary conditions.

When changes are made to the system, you have to retest it to ensure functionality, performance, and protection.

After the software is developed and deployed, you have to ensure that it is properly configured, patched, and monitored.

The difference in the software development life cycle and the system development life cycle is how each goal is accomplished. System development life cycle has a focus on operations which the IT department usually follows. Software development life cycle focuses more on design and programming and software engineers and coders usually follow this model.

Direct Study Security and Governance - CISSP