Question

In: Computer Science

Building security into the design phase of the software development lifecycle (SDLC) is important to be...

Building security into the design phase of the software development lifecycle (SDLC) is important to be successful in securing software. In this forum, you will research the best secure software design methodologies to prevent vulnerabilities and share your findings with the class.

While a security method may work well for one organization, the same approach may not work well for other organizations. However, there should be some best practices we should follow to be successful in the SDLC phases

  • Considering all aspects of security requirements, implementation, deployment, and the possible consequences of a software breach, respond to the following:
    • Explain what implications we may face if we don’t identify and mitigate security issues in the SDLC phases.
    • Discuss a “right” approach to securing SDLC phases so that we can identify software issues early and mitigate them while designing software.

Solutions

Expert Solution

-------------------------------- Please Upvote!!! Thank You ..;) ---------------------------------

Explain what implications we may face if we don’t identify and mitigate security issues in the SDLC phases.

1. Injection flaws

Injection flaws result from a classic failure to filter untrusted input. It can happen when you pass unfiltered data to the SQL server (SQL injection), to the browser (XSS – we’ll talk about this later), to the LDAP server (LDAP injection), or anywhere else. The problem here is that the attacker can inject commands to these entities, resulting in loss of data and hijacking clients’ browsers.

2. Broken Authentication

This is a collection of multiple problems that might occur during broken authentication, but they don’t all stem from the same root cause.

3. Cross Site Scripting (XSS)

This is a fairly widespread input sanitization failure (essentially a special case of common mistake #1). An attacker gives your web application JavaScript tags on input. When this input is returned to the user unsanitized, the user’s browser will execute it. It can be as simple as crafting a link and persuading a user to click it, or it can be something much more sinister. On page load the script runs and, for example, can be used to post your cookies to the attacker.

4. Insecure Direct Object References

This is a classic case of trusting user input and paying the price in a resulting security vulnerability. A direct object reference means that an internal object such as a file or database key is exposed to the user. The problem with this is that the attacker can provide this reference and, if authorization is either not enforced (or is broken), the attacker can access or do things that they should be precluded from.

5. Security misconfiguration

The web servers and applications that have been misconfigured are way more common than those that have been configured properly. Perhaps this because there is no shortage of ways to screw up. Some examples:

  1. Running the application with debug enabled in production.
  2. Having directory listing enabled on the server, which leaks valuable information.
  3. Running outdated software (think WordPress plugins, old PhpMyAdmin).
  4. Having unnecessary services running on the machine.
  5. Not changing default keys and passwords. (Happens way more frequently than you’d believe!)
  6. Revealing error handling information to the attackers, such as stack traces.

Discuss a “right” approach to securing SDLC phases so that we can identify software issues early and mitigate them while designing software.

PREVENTION

Limit Privilege. Don’t give any user more privileges than he absolutely needs to do his job. Just as you wouldn’t give a random employee the keys to the CEO’s office, don’t give him a password to the CEO’s files.

Secure the Weakest Link. Spend your security budget securing the biggest problems and the largest vulnerabilities. Too often, computer security measures are like planting an enormous stake in the ground and hoping the enemy runs right into it. Try to build a broad palisade.

Use Choke Points. By funneling users through choke points (think firewalls), you can more carefully secure those few points. Systems that bypass these choke points, like desktop modems, make security much harder.

Provide Defense in Depth. Don’t rely on single solutions. Use multiple complementary security products, so that a failure in one does not mean total insecurity. This might mean a firewall, an intrusion detection system and strong authentication on important servers.

Fail Securely. Design your networks so that when products fail, they fail in a secure manner. When an ATM fails, it shuts down; it doesn’t spew money out its slot.

Leverage Unpredictability. You know your network; your attacker doesn’t. This is your big advantage. Make his job harder by disguising things, adding honey pots and booby traps, etc.

Enlist the Users. Security can’t work if the users aren’t on your side. Social engineering attacks are often the most damaging of any attack, and can only be defended against with user education.

Embrace Simplicity. Keep things as simple as absolutely possible. Security is a chain; the weakest link breaks it. Simplicity means fewer links.

Design for security involves designing a secure system architecture, following good practice for secure systems design, and including functionality to minimize the possibility of introducing vulnerabilities when the system is deployed.

To support secure deployment you should provide a way of displaying and analyzing system configurations, localize configuration settings so that important configurations are not forgotten, minimize default privileges assigned to system users, and provide ways to repair security vulnerabilities.

Guidelines for secure systems engineering :

1 Base security decisions on an explicit security policy

2 Avoid a single point of failure

3 Fail securely

4 Balance security and usability

5 Log user actions

6 Use redundancy and diversity to reduce risk

7 Validate all inputs

8 Compartmentalize your assets

Design for deployment

The deployment of a system involves configuring the software to operate in an operational environment, installing the system on the computers in that environment, and then configuring the installed system for these computers .

Configuration may be a simple process that involves setting some built-in parameters in the software to reflect user preferences. Sometimes, however, configuration is complex and requires the specific definition of business models and rules that affect the execution of the software. It is at this stage of the software process that vulnerabilities in the software are often accidentally introduced. For example, during installation, software often has to be configured with a list of allowed users. When delivered, this list simply consists of a generic administrator login such as ‘admin’ and a default password, such as ‘password’. This makes it easy for an administrator to set up the system. Certainly, good management practice can avoid many security problems that arise from configuration and deployment mistakes. However, software designers have the responsibility to ‘design for deployment’. You should always provide built-in support for deployment that will reduce the probability that system administrators (or users) will make mistakes when configuring the software.

I recommend four ways to incorporate deployment support in a system:

1. Include support for viewing and analyzing configurations : You should always include facilities in a system that allow administrators or permitted users to examine the current configuration of the system.

2. Minimize default privileges : You should design software so that the default configuration of a system provides minimum essential privileges. This way, the damage that any attacker can do can be limited.

3. Localize configuration settings : When designing system configuration support, you should ensure that everything in a configuration that affects the same part of a system is set up in the same place.

4. Provide easy ways to fix security vulnerabilities : You should include straightforward mechanisms for updating the system to repair security vulnerabilities that have been discovered.

-------------------------------- Please Upvote!!! Thank You ..;) ----------------------------------


Related Solutions

Why is building security into the SDLC important?"
Why is building security into the SDLC important?"
1. Research and discuss why project management is important for the Software Development Life Cycle (SDLC).
1. Research and discuss why project management is important for the Software Development Life Cycle (SDLC).
1.Summarize the distinctions between the analysis phase and the design phase of the SDLC. 2. Describe...
1.Summarize the distinctions between the analysis phase and the design phase of the SDLC. 2. Describe the primary activities of the design phase of the SDLC. 3. Describe the three primary strategies that are available to obtain a new system. 4. What is involved with systems integration? When is it necessary? 5. Explain the distinctions between time and arrangements, fixed‐price, and value‐added outsourcing contracts. 6.What are the pros and cons of each?What is the purpose of a request for proposal...
The SDLC (software/system development life cycle) framework is a common development methodology used by organizations to...
The SDLC (software/system development life cycle) framework is a common development methodology used by organizations to build systems and software. Security is often an afterthought or only addressed late in the development process. How can threat modeling be includes during the entire development effort? At what points of the lifecycle would you include threat identification, testing and analysis? Why have you chosen those points in the development cycle?
a) Do you think following a Software Development Life Cycle (SDLC) model for Software development would increase the quality of the product? Why.
QUESTION 2 a) Do you think following a Software Development Life Cycle (SDLC) model for Software development would increase the quality of the product? Why. b) What is the difference between SRS document and design document? What are the contents we should contain in the SRS document and design document.QUESTION 3 a) What is a class and object? Give the diagrams and representation of class and object. b) What is generalization? Give an example of generalization. 
As we talked about the Software Development Lifecycle. We approached it from the standpoint of where...
As we talked about the Software Development Lifecycle. We approached it from the standpoint of where security needs to be added to the SDLC. When code is insecure, it introduces vulnerabilities that get exploited. As security practitioners, this is where we come into the equation. However, that being said - we should be advocates for security in the development phase because it will make everyone's life easier once the software is deployed. We have to make a conscious effort to...
Q1: Discuss the unified process and its lifecycle regarding software development methodology for object-oriented development. Q1:...
Q1: Discuss the unified process and its lifecycle regarding software development methodology for object-oriented development. Q1: Discuss the unified process and its lifecycle regarding software development methodology for object-oriented development.
Standards for Nonmanufacturing Expenses CodeHead Software Inc. does software development. One important activity in software development...
Standards for Nonmanufacturing Expenses CodeHead Software Inc. does software development. One important activity in software development is writing software code. The manager of the WordPro Development Team determined that the average software programmer could write 25 lines of code in an hour. The plan for the first week in May called for 4,650 lines of code to be written on the WordPro product. The WordPro Team has five programmers. Each programmer is hired from an employment firm that requires temporary...
Reviewing the System/Software Development Life Cycle (SDLC) model and methodology then show how this model can...
Reviewing the System/Software Development Life Cycle (SDLC) model and methodology then show how this model can be use in web design. Be sure to define the SDLC model and methodology and identify which SDLC step is associated with each project component
Q-Identify, diagram and discuss implementation alternatives of Systems Development Life Cycle (SDLC) system ? Direct phase...
Q-Identify, diagram and discuss implementation alternatives of Systems Development Life Cycle (SDLC) system ? Direct phase parlallel Could you please explain these alternatives deepely and clearly by using own words and draw its digram
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT