Is3445 Unit 5 Project Part 5 Analysis
NAME
IS3445 – Security Strategies in Web Applications and Social Networking
Unit 5 Project Part 5: Analyze the Software Development Life Cycle (SDLC)
January 29, 2015
Report
Resources to create secure coding and guidelines:
Web application design and coding defects are the main reasons to create a secure coding policy and guidelines. The policy/guidelines are to provide awareness and ensure security when developing code.
Techniques to secure code review:
Generally, IT analyst can divide the secure code review process into two different techniques:
1. Automated tool based/ Black Box: In this approach, the secure code review is done using different open source/commercial tools. Mostly developers use them while they are coding, but a security …show more content…
Manual/ White Box: In this technique, a thorough code review is performed over the whole code, which may become a very tedious and tiresome process. But in this process, logical flaws may be identified which may not be possible using automated tools, such as business logic problems. Automated tools are mostly capable of finding technical flaws such as injection attacks but may miss flaws like authorization problems. In this process, instead of going line by line through whole code base, we can concentrate on potential problems in the code. Those potential vulnerabilities can be given a high priority. For example, in C/C++, if we try to find any copying function in the code and check whether it’s using functions such as, strcpy() for performing copy function. As we know, strcpy() is known to be vulnerable to buffer overflow attacks. We may also want to check if any customized encryption is being used in the application, which automated tools may miss as they can identify standard algorithms only …show more content…
This includes defining stakeholders, conducting stakeholder interviews and possibly some basic prototyping. It is also important to identify security requirements (Harwood, 2011).
Development & Acquisition Phase - Transition functional and technical requirements into detailed plans for an actual information system. Results from interviews, use cases, and mock ups are developed into sequence diagrams, activity diagrams, state diagrams, and other artifacts that can be interpreted by software developers. User interfaces are also defined in greater detail (Harwood, 2011).
Implementation & Assessment Phase - Actual coding of an information system. All of the analysis and design artifacts previously created are transformed into application code by developers/programmers. This phase also includes testing and debugging (Harwood, 2011).
Operations & Maintenance Phase - Encompasses all activities required to keep the system working as intended (monitoring, patch management, application fault remediation and audits).
Disposition Phase - Ensures that information is retained, as necessary, to conform to current legal requirements and to accommodate future technology changes that may render the retrieval method obsolete (Harwood, 2011).
IS3445 – Security Strategies in Web Applications and Social Networking
Unit 5 Project Part 5: Analyze the Software Development Life Cycle (SDLC)
January 29, 2015
Report
Resources to create secure coding and guidelines:
Web application design and coding defects are the main reasons to create a secure coding policy and guidelines. The policy/guidelines are to provide awareness and ensure security when developing code.
Techniques to secure code review:
Generally, IT analyst can divide the secure code review process into two different techniques:
1. Automated tool based/ Black Box: In this approach, the secure code review is done using different open source/commercial tools. Mostly developers use them while they are coding, but a security …show more content…
Manual/ White Box: In this technique, a thorough code review is performed over the whole code, which may become a very tedious and tiresome process. But in this process, logical flaws may be identified which may not be possible using automated tools, such as business logic problems. Automated tools are mostly capable of finding technical flaws such as injection attacks but may miss flaws like authorization problems. In this process, instead of going line by line through whole code base, we can concentrate on potential problems in the code. Those potential vulnerabilities can be given a high priority. For example, in C/C++, if we try to find any copying function in the code and check whether it’s using functions such as, strcpy() for performing copy function. As we know, strcpy() is known to be vulnerable to buffer overflow attacks. We may also want to check if any customized encryption is being used in the application, which automated tools may miss as they can identify standard algorithms only …show more content…
This includes defining stakeholders, conducting stakeholder interviews and possibly some basic prototyping. It is also important to identify security requirements (Harwood, 2011).
Development & Acquisition Phase - Transition functional and technical requirements into detailed plans for an actual information system. Results from interviews, use cases, and mock ups are developed into sequence diagrams, activity diagrams, state diagrams, and other artifacts that can be interpreted by software developers. User interfaces are also defined in greater detail (Harwood, 2011).
Implementation & Assessment Phase - Actual coding of an information system. All of the analysis and design artifacts previously created are transformed into application code by developers/programmers. This phase also includes testing and debugging (Harwood, 2011).
Operations & Maintenance Phase - Encompasses all activities required to keep the system working as intended (monitoring, patch management, application fault remediation and audits).
Disposition Phase - Ensures that information is retained, as necessary, to conform to current legal requirements and to accommodate future technology changes that may render the retrieval method obsolete (Harwood, 2011).