Secure Software Development Approaches - Coursework Example

?SECURE SOFTWARE DEVELOPMENT APPROACHES Secure Software Development Approaches Affiliation Table of Contents SECURE SOFTWARE DEVELOPMENT APPROACHES 1 Secure Software Development Approaches 1 Table of Contents 2 Abstract 3 Secure Software Development Lifecycle 5 Improving Software Development Security 9 CONCLUSION 13 Abstract Without a doubt, the software is a most important component of a computer and without a desired software the computer is useless. In other words, the majority of people use the computers to use the software. In the past few years, the process of software development has turned out to be more susceptible and weaker to a variety of security threats as a result of massive developments and advancements in technology, complexity, connectivity and size. On the other hand, the majority of software development firms as well as individuals believes that implementing security related features of a software or software development entirely is a post development activity and it has nothing to do within the software development lifecycle. In this scenario, software companies and end-users have to face severe issues and threats because of unaddressed security and privacy based issues in their software development life cycles and ultimately in resulting products. Thus, these serious issues and challenges invite the researchers and technology experts to recognize or build more efficient and effective approaches for ensuring the secure software development process as well as secure software products. The basic purpose of this paper is to address some of the significant aspects associated with “secure software development”. This paper outlines some the important aspects and factors that can affect the software development process. The scope of this paper also covers a discussion on the reasons that can cause various security based threats and issues within the software development process. Finally, this paper also discusses some approaches which can be adopted by the software development firms to develop software applications in a much better and secure way. Introduction Without a doubt, in the past few years technology has made a huge progress and it has given equal opportunities to software developers as well as intruders. In the past few years, software applications are more and more facing both internal and external threats. The result that could be derived from this statement is that the software applications are still being developed with development errors and issues that make them vulnerable to security threats. In fact, this as aspect has turned out to be more serious for the reason that majority of the business organizations, governments and individuals at the present heavily rely on these software applications in order to carry out their daily tasks. On the other hand, the condition turns out to be further critical when these software applications have to be used critical and serious operations such as atomic energy or medical systems. Seeing the importance of security of software applications or software development process, the majority of organizations throughout the world have started to pay more and more attention to improving the security of software applications. Given that customers (such as organizations) have practiced unsuccessful security breaches, therefore it has increased disturbance and awareness regarding software development (Devanbu & Stubblebine, 2000; Kumar, 2009; Davis, Humphrey, Redwine, & Zibulski, 2004). The research has shown that in order to develop secure software applications, software development firms should perform various activities such as they should study and adopt secure software development approaches as well as follow them all the way through the software development lifecycle. In their paper (Devanbu and Stubblebine) discuss a variety of security concerns and guidelines in order to improve the software development process. According to their viewpoint, software development firms should make sure that they consider security concerns at each stage of system development, for instance, they should consider these concerns from software requirements collection to design, implementation, testing and software deployment and maintenance (Kumar, 2009; Davis, Humphrey, Redwine, & Zibulski, 2004; Devanbu & Stubblebine, 2000). This paper discusses some of the important aspects regarding current approaches, standards, processes, life cycle models and methodologies that ease or could support more enhanced and secure software development. However, this research also suggests suitable and possible decision or assessment for definite system development life cycle process, models, frameworks as well as methodologies. Secure Software Development Lifecycle The research has shown that a software application can be made secure if it is developed through secure software development lifecycle. In their paper, (Essafi, Labed, & Ghezala, 2006) discuss that the majority of software development firms believes that the security is a post development activity and they leave this activity until the software product is completely developed. Figure1 demonstrates the results of not considering the security as a key activity throughout the software development lifecycle. The delay in fixing the bugs increases the cost of overall development. Figure 1Cost of fixing software bugs by development phase, Image Source: (Essafi, Labed, & Ghezala, 2006) In this scenario, software development firms should consider security as a key activity throughout the software development lifecycle. They should consider security standards that should be implemented at each software development phase and that every software development stage should be verified with the intention of checking their compliance with those standards. Given below are some of the important guidelines that can be implemented to make secure software development lifecycle. These guidelines are focused on implementing security into the software development lifecycle instead of software product alone (Davis, Humphrey, Redwine, & Zibulski, 2004; Fernandez, 2004): Requirements stage In order to develop a software application in the most secure manner it is necessary for the software development firms to pay serious attention to requirements phase because if errors found at this stage can be fixed quickly the cost and time of overall testing can be saved. This can be ensured by developing use cases that are able to describe the required interactions and relationships with the system. Hence, by making use of these use cases the software development team will be able to decide the required rights for every actor to access the system and hence put into practice a need-to-know policy. In fact, this policy will allow the actors to communicate with functions; this process is acknowledged as a Role Based Access Control (RBAC) model. On the other hand, the collection of use cases should define all the activities and operations of the system and all the use cases should help software development teams decide every right assigned for each user role. In the context of these use cases software development team will be able to identify expected threats and attacks. Analysis stage The software development team can also use the analysis patterns with the purpose of building a hypothetical model in a more reliable and efficient way. For instance, software development firms can build a theoretical framework where recurrent operations of the approval define, recognize the rights assessed from use cases. In addition, in order to build these analysis patterns any formerly outlined authorizations can be utilized or the roles defined in their use cases. In this scenario, job description can be made a great deal easier by these patterns. Design stage In order to support security in the software development lifecycle, a software development team must design user interfaces in a way that are effective in communication with use cases. Additionally, these interfaces can also be made secure by putting into practice more effective authorization pattern. In fact, these secure interfaces are used to apply authorizations when users communicate with the system. In addition, a multilayer infrastructure is compulsory in order to implement the security controls described at the application level. Moreover, each phase requires from the software development team to utilize patterns to validate appropriate security measures. Implementation stage The implementation phase of a software development lifecycle also plays a significant role in securing the software development lifecycle. This phase requires from the software development team to implement the software code that has been described in security policy in the application. Given that these policies are built as classes, relationships, and constraints, hence the software development team can apply them as supplementary classes. Moreover, in order to make a software development lifecycle secure a software development firm must ensure that they and their team members choose and use definite security packages, such as firewall package and a cryptographic. Overall Software Development Lifecycle In the above sections a discussion has been provided on how each stage of a software development lifecycle can be secured and at each stage what security actions can be taken by the development team to ensure the security of the software development lifecycle. In this section, some of the practices are discussed that are applied on the overall software development lifecycle. Whenever a software development phase ends or any deliverable is completed, a team must be assigned to review that phase or piece of artifact to verify that the company’s policies are being firmly followed or not. In some cases when it is critical, software development teams can also formulate security constraints by making use of Object Constraint Language (OCL) in preference to textual constraints (Davis, Humphrey, Redwine, & Zibulski, 2004; Fernandez, 2004). In addition, the patterns that are defined for security models define the higher level. On the other hand, each lower level of the software development requires us to put into practice the model patterns to apply approaches that can be adopted to implement these models. For instance, in an approach the software development team can define patterns for J2EE components, file systems, web documents, and so on. Additionally, these patterns can be used by the software development teams to evaluate a new or existing system. Also, these patterns are useful in determining the need for implementing a security structure of every part to support their composition and define secure interfaces. In fact, a software application cannot support the corresponding secure method or model if it does not encompass an appropriate pattern. Moreover, software development teams can also merge a wide range of patterns in order to accomplish various functionality and quality requirements, such as RBAC and combining connection patterns and, filter (Davis, Humphrey, Redwine, & Zibulski, 2004; Fernandez, 2004). Improving Software Development Security A software application can be less secure or completely unsecure due to a number of reasons. For instance, it can be intentionally or unintentionally. In intentionally, there can be some flaws in programming which can create issues of buffer overflow, stack overflow. In some case they can happen due to improper dealing with inputs which can cause various issues related to code injection, command injection and SQL injection. In intentional issues, there can be security threats which take advantage of unintentional issues or security breaches in flows both in software application and software development lifecycle. Without a doubt, in many cases a completely unsecure or less protected software application can be developed by some responsible software team members. In addition, in order to develop a software application software development team only follow those instructions which they receive from their customers in the form of software requirements. Hence, if security is included as a requirement in the initial phase of the software development lifecycle then the remaining stages like that design, implementation, and testing would have taken care of security and if security was included into each stage of the application development lifecycle, after that application developed all through it would have been more secure (McGraw & Potter, 2004; Ahmed, 2007). Moreover, there are many strategies and guidelines that software development organizations can adopt in order to secure and improve software development process. Given below are some of the important guidelines: Need for Security Training Until software development firms and their employees do not know about the security and secure software development they cannot be able to develop secure software development lifecycle and software applications. In this scenario, proper training and education can play a significant role in helping them understand the importance of secure software development process. In addition, software development organizations and senior team members must offer their team members a great deal of training with the purpose of improving their attentiveness regarding secure software development. Undoubtedly, having an understanding of what to do is not enough until they don’t know how to really do it. The research has shown that a major part of the software industry is unfamiliar with the importance of security and those who are responsible for implementing security are unfamiliar with the ways they need to follow in order to implement the security. Therefore, it becomes the responsibility of the software organizations that they build awareness of security and privacy improvement. Moreover, only delivering lectures to the team members as well as improving their project management skills will be insufficient. In this scenario, all the employees from top management to customer service personnel, designers, analyst, programmers and testers, everyone needs to be trained and educated. In fact, it is the responsibility of the higher management or CEO of software development organization to take a personal interest in establishing and monitoring these kinds of educational programs (Ahmed, 2007; Whittaker, 2003; Howard & Lipner, 2006). Identify Security Requirements Properly Identifying only the functional requirements is not enough. In fact, the software developers must be able to understand and define security requirements clearly. Additionally, for this purpose they should assign separate human resources who will be responsible for dealing with and monitoring the execution of security requirements. Without a doubt, the software requirements serve as a basis throughout the software development lifecycle and the entire subsequent software development completely relies on requirements. In fact, these requirements define the functionality and behavior of the system. Hence, if this phase is not completed effectively and accurately, then the whole software development lifecycle can turn into a failure. Moreover, a software development firm should make use of a wide variety of resources and sources in order to complete this phase effectively. In this scenario, these resources and sources can include financial and political backgrounds, direct system users (customers), competitors etc and so on. Furthermore, it is the responsibility of the system analyst to identify and collect these system requirements effectively through a project team member can also come with requirements (Ahmed, 2007; Howard & Lipner, 2006). Develop a Security framework Almost all the software development lifecycles consider the security in the testing phase. On the other hand, everyday there emerge a variety of new security threats and existing software development approaches cannot be much effective in dealing with these security threats. The software development firms should establish their own secure development lifecycle that they could follow to develop a secure software application. In addition, they should continuously monitor and improve their process in the light of existing threats and available resources. In this scenario, (Essafi, Labed, & Ghezala, 2006) present a secure software development lifecycle that is extensible and can be mold according to the organization’s needs. Develop strong Secure Programming Skills In order to build secure software applications, it is essential for the software developers to develop and practice secure programming concepts and skills. So it will be helpful for them to write the secure code. There are many threats that occur especially due to ineffective programming skills for instance stack overflow, buffer overflow and various methods related to inputs such as code injection and cross site scripting. This happens due to improper knowledge of programming languages and programming skills. The programmers must be able to understand what programming languages should be used and which programming languages can be used for specific tasks. They should have an understanding and knowledge of programming flaws and errors that can occur due to poor programming and input handling (Ahmed, 2007; Howard & Lipner, 2006). Develop Effective Security Testing Environment Sometimes software development teams perform testing using those tools which are not effective for security testing. Without a doubt, security issues and errors are more difficult to find as compared to other functional errors. Hence, in order to catch these errors and issues a software development team should program and software quality assurance team should test like an attacker. They should think about all the perspective and actions an attacker can perform in the application (Bruce Potter & McGraw, 2004). Integrate Additional Security Review/Evaluation As discussed above, a review and inspection should be carried out at the end of each phase or whenever a deliverable is completed. The purpose of these reviews should be to identify any remaining or unseen security issues (Howard & Lipner, 2006; Ahmed, 2007). Build a Central Security Authority A software development firm should establish a central security team that is responsible for playing a role of an internal security management and working as a consulting group in the firm for the organization’s rest development team. In addition, this team should also be responsible for defining and identifying the system’s process requirements and most excellent practices to implement security processes (Howard & Lipner, 2006; Ahmed, 2007; Davis, Humphrey, Redwine, & Zibulski, 2004). CONCLUSION This paper has presented a detailed discussion on secure software development. In the past few years, technology has made extensive progress and software applications are becoming more and more complex. As a result, the implementation of security practices in order to secure software applications becomes a challenge. This paper has outlined a wide variety of aspects regarding implementation of the best practices for the better management and development of secure software development process. Software development firms use a mixture of a wide variety of tools, techniques, measures and processes to ensure the success of their software development projects. This paper has presented a detailed discussion on the practices and techniques that software development firms can adopt in an attempt to develop secure software applications. The paper has shown that how the security related activities go along with software development tasks all the way through the software development lifecycle. In fact, all the phases of software development should encompass one ordinary goal, that is, to minimize security and privacy based flaws. The research has shown that the majority of software development firms is conscious of the importance of security however instead of tackling the root causes and identified problems, they utilize the antivirus and firewalls to protect systems. This paper has also presented a number of strategies and guidelines that software development firms can adopt to make their software development processes more secure. References Ahmed, S. R. (2007). Secure Software Development- Identification of Security Activities and Their Integration in Software Development Lifecycle. Ronneby, Sweden: School of Engineering, Blekinge Institute of Technology. Bruce Potter, A. B., & McGraw, G. (2004). Software Security Testing. IEEE SECURITY & PRIVACY, 32-36. Davis, N., Humphrey, W., Redwine, J. S., & Zibulski, G. (2004). Processes for producing secure software. IEEE Security & Privacy, Volume 2 Issue 3, 18-25. Devanbu, P. T., & Stubblebine, S. (2000). Software engineering for security: a roadmap. ICSE '00 Proceedings of the Conference on The Future of Software Engineering (pp. 227-239). New York: ACM. Essafi, M., Labed, L., & Ghezala, H. B. (2006). ASASI: An Environment for Addressing Software Application Security Issues. International Conference on Systems and Networks Communication (ICSNC'06) (p. 19). Tahiti, French Polynesia: IEEE. Fernandez, E. B. (2004). A methodology for secure software design. Procs. of the 2004 Int. Conf. on Software Engineering Research and Practice (SERP’04). Howard, M., & Lipner, S. (2006). The Security Development Lifecycle. Microsoft Corporation. Kumar, T. (2009). A Road Map to the Software Engineering Security. ICCEE '09. Second International Conference on Computer and Electrical Engineering (pp. 306-310). Dubai: IEEE. McGraw, G., & Potter, B. (2004). Software Security Testing. IEEE Security and Privacy, Volume 2 Issue 5, 81-85. Whittaker, J. (2003). Why Secure Applications Are Difficult to Write. IEEE SECURITY & PRIVACY, Volume 1 Issue 2, 81-83. Read More