Question

In: Computer Science

The SDLC (software/system development life cycle) framework is a common development methodology used by organizations to...

The SDLC (software/system development life cycle) framework is a common development methodology used by organizations to build systems and software. Security is often an afterthought or only addressed late in the development process.

How can threat modeling be includes during the entire development effort? At what points of the lifecycle would you include threat identification, testing and analysis? Why have you chosen those points in the development cycle?

Solutions

Expert Solution

Many people thinks that threat modelling should be done only after the development of sofware. This is because many people thinks that threat modelling can be done only by security professionals.

This is not correct.
Developers etc also can do the threat modelling.

Normaly threat modelling is done after the entire development of architecture. But instead we can implement Threat modelling as a part of SDLC itself.

for integrating the threat model in SDLC

  • During requirement phase

the threat model can be included by considering a threat agent trying to make malicious use of application functionality.

by analysing all the harms a malicious user can do regarding the application functionality, the security requirements can be improved and therefore risk of abuse of application can be reduced

  • During Design phase

During this phase, threat model can be included by identifing the vulnerabilities in the design of application architecure.

this includes identification of vulnerabilites in user interface,data storage,data flow, hardware,components etc.

Hence, Those vulnerablities can be removed during the design phase itself.

This way of including threat model during design helps to reduce the extra cost of solving the vulnerablities after the sofware is developed.

  • during coding phase

even if there exist no vulnerabilities in application architecture, New vulnerablities will be formed in the application if the application design is coded in inappropriate manner.

Attackers can easily find such vulnerablities by scanning the application.

During coding phase, the threat model can help identify such vulnerablities.

the threat model can be included by automatic or manual analysis of source code with respect to specific criterias of existing threat model.

  • During Testing phase

By documenting the Threat model that is implemented during requirement,design and coding phase, the threat model can be included during testing phase also

The software testers can refer this document to check whether all the threat vulnerabilites found during other phases has been solved or not.

normaly security testers will check only for common security vulnerabilities.
Having a threat model documentation will be very much usefull for security testers.

because the documentations helps the testers to focus more on specific architecture of application or specific vulnerabilites other than common issues


Related Solutions

Reviewing the System/Software Development Life Cycle (SDLC) model and methodology then show how this model can...
Reviewing the System/Software Development Life Cycle (SDLC) model and methodology then show how this model can be use in web design. Be sure to define the SDLC model and methodology and identify which SDLC step is associated with each project component
Describe System Development Life Cycle (SDLC) and how it is used.
Describe System Development Life Cycle (SDLC) and how it is used.
5. Describe the systems development life cycle (SDLC) methodology in the context of a “real” example....
5. Describe the systems development life cycle (SDLC) methodology in the context of a “real” example. In other words, think about (or imagine) a situation where you proposed the need for a new information system. For this system development effort, describe what happened (or should happen) during the definition, build, and implementation phases.
Compare and Contrast PDLC (Program Development Life Cycle) and SDLC (System Development Life Cycle) as well...
Compare and Contrast PDLC (Program Development Life Cycle) and SDLC (System Development Life Cycle) as well as Application Programmers and Web Programmers and also Application and Website. Please answer. Thank you
Why software development life cycle (SDLC) is not enough for any game development? Any discuss the...
Why software development life cycle (SDLC) is not enough for any game development? Any discuss the different phrases of game game development Life cycle (GDLC)? solution plz ?
1. Research and discuss why project management is important for the Software Development Life Cycle (SDLC).
1. Research and discuss why project management is important for the Software Development Life Cycle (SDLC).
a) Do you think following a Software Development Life Cycle (SDLC) model for Software development would increase the quality of the product? Why.
QUESTION 2 a) Do you think following a Software Development Life Cycle (SDLC) model for Software development would increase the quality of the product? Why. b) What is the difference between SRS document and design document? What are the contents we should contain in the SRS document and design document.QUESTION 3 a) What is a class and object? Give the diagrams and representation of class and object. b) What is generalization? Give an example of generalization. 
​Describe the System Development Life Cycle (SDLC), Joint Application Development (JAD), Rapid Application Development (RAD), and...
​Describe the System Development Life Cycle (SDLC), Joint Application Development (JAD), Rapid Application Development (RAD), and Agile methods. Compare and contrast these methods and explain advantages and disadvantages of each.
Identify the stages of the System Development Life Cycle (SDLC) and four (4) activities. (20 marks)...
Identify the stages of the System Development Life Cycle (SDLC) and four (4) activities. Hints : student must describe each stage and link the stage with activities. remark : This is 20 marks question, please answer me in full sentence.
In the system development life cycle (SDLC), why does the planning phase exists and what does...
In the system development life cycle (SDLC), why does the planning phase exists and what does it contribute to the development of a system?
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT