Question

What does the SDLC have to do with Computer Security?

Answer 1

Before going through the role of SDLC in computer security, let’s briefly describe the term SDLC and computer security.

SDLC: SDLC stands for Software Development Life Cycle which deals with the each and every process while developing new software as well as enhancing existing software. Software development is carried out in different phases having a specific purpose of that phase in development process.

Computer Security: The term is also known as the Cyber security or information technology security. Computer security is the process and standards which are followed to save the computer data/programs/software from the unauthorized access and damage. Data accessed by unauthorized person can lead to misuse of secure information. E.g. authorized fund transfer in bank account using online web application.

How traditional SDLC has impacted the Computer security: Before developing software, requirements are gathered from various sources and are analyzed by experts. It has been traditional practice to focus on functional requirements only, which in future creates the security issues in the project. In traditional SDLC, security has been a small part of testing phase. Security being the sub-part of testing phase had never been given much importance resulting security bugs being undiscovered. In the current era, every organization is automating their manual process to available software which is attracting different hackers to hack the data and use the hacked data for various illegal uses. Computerized era is demanding the software which is free of security vulnerabilities.

Role of SDLC in securing computer

A secure SDLC process of software development considers the security of purposed software from beginning of software development till the implementation. There are different new methodologies available for secure SDLC such as OpenSAMM, BSIMM etc

Role of SDLC phases in computer security: Software is secure for computer when the security requirement is consider along with the functional and performance requirements of software and security is verified in each of the phase. The role of computer security in different SDLC phases in as below:

Gathering the security requirements of software: This phase includes the gathering and analysis of the software requirements. While gathering functional, performance, user interface requirements, the development team should gather and analysis the security concerns of the software which includes:

• What are the different user types in software
• Which authentication method to be used for password safety
• How the different kind of user will securely use application and authenticate themselves in the application
• How permissions will be imposed on the purposed application which will identify that which type of user can have access to different modules

Creating a secure architecture: This phase includes the secure logical architecture of the software. Secure software will have the below properties in architecture:

• Easy identification of user type
• Session management for different users
• Configuration management for security
• How the data to be stored and accessed securely from database
• Proper object handling in architecture
• Data flow control among different modules and users

Security while programming the code: After analysis of the requirements, coding plays an important role in the software development. Secure code reduces the vulnerabilities in the software project and prevents the security bugs in the software. A secure coding should contain the following while development of software:

• Follow the security standards
• Do not allow access to all domains by default
• Security standards for encrypting the passwords
• Defining the classes and variables private until required in other programming
• Not printing the secure data in application logs or browser console

Security in testing of software: Testing of the software ensures that the software developed in earlier phases is meeting the customer requirements. Security testing plays a significant role to ensure that once the project is deployed for user, it will keep the user’s computer secure from unpleasant hack and damage of data. Penetration testing will help to make the software vulnerability free. Security testing will have below basic checkpoints in validations list:

• User authentication is working securely and password is encrypted everywhere in application
• User password and database details are not visible in plain text
• Software is free from OWASP top 10 vulnerabilities
• Software application is deployed over secured connection
• Software is not accessing any unsecure content from internet
• Inspect the application behavior for scripted data inputs

Security while implementing the software on different platforms: Implementation includes the installation and configuration of software application. A secure application should have capability to store the different configurations for different users in a secure method so that it is not accessible by unauthorized users.

• Implementing the software over the secure connection i.e. https://
• Secure connection to database is established
• Database details should not be visible on the user interface
• The used web services should be secured over the internet
• Any API used in the software should have a secure connection with application