CISSP Exam Guide Notes: 8.2 Software Development Life Cycle

admin · June 27, 2022 09:46:47 · 36 views

Several software development life cycle (SDLC) models have been developed over the years; at its core, each model deals with the following phases:

  • Requirements gathering
  • Design
  • Development
  • Testing
  • Operations and maintenance

Project Management

Project management is an important part of product development, and security management is an important part of project management.

A security plan should be drawn up at the beginning of a development project and integrated into the functional plan to ensure that security is not overlooked.

The security plan and project management activities are likely to be audited, so security-related decisions should be documented in a way that allows them to be understood.

If a software product is being developed for a specific customer, it is common for a Statement of Work (SOW) to be developed, which describes the product and customer requirements.

Sticking to what is outlined in the SOW is important so that scope creep does not take place.

A work breakdown structure (WBS) is a project management tool used to define and group a project’s individual work elements in an organized manner.

Requirements Gathering Phase

As it pertains to security, the following items should be accomplished in this phase:

  • Security requirements
  • Security risk assessment
  • Privacy risk assessment
  • Risk-level acceptance

The security requirements of the product should be defined in the categories of availability, integrity, and confidentiality.

An initial security risk assessment should be carried out to identify the potential threats and their associated consequences.

After a privacy risk assessment, a Privacy Impact Rating can be assigned, which indicates the sensitivity level of the data that will be processed or accessible. Some software vendors incorporate the following Privacy Impact Ratings in their software development assessment processes:

  • P1, High Privacy Risk
  • P2, Moderate Privacy Risk
  • P3, Low Privacy Risk

Clear risk-level acceptance criteria need to be developed to make sure that mitigation efforts are prioritized.

Design Phase

The software design phase is a process used to describe the requirements and the internal behavior of the software product.

Software requirements commonly come from three models:

  • Informational model: Dictates the type of information to be processed and how it will be processed
  • Functional model: Outlines the tasks and functions the application needs to carry out
  • Behavioral model: Explains the states the application will be in during and after specific transitions take place

From a security point of view, the following items should also be accomplished in this phase:

  • Attack surface analysis
  • Threat modeling

An attack surface is the set of entry points and functionality that an attacker can reach and use against the product itself.

The aim of an attack surface analysis is to identify and reduce the amount of code and functionality accessible to untrusted users. The basic strategies of attack surface reduction are to reduce the amount of code running, reduce entry points available to untrusted users, reduce privilege levels as much as possible, and eliminate unnecessary services.

Threat modeling is a systematic approach used to understand how different threats could be realized and how a successful compromise could take place.

It is common for software development teams to develop threat trees.

Development Phase

There are many computer-aided software engineering (CASE) tools that programmers can use to generate code, test software, and carry out debugging activities.

A buffer overflow takes place when too much data is accepted as input to a specific process.

Privilege escalation is the process of exploiting a process or configuration setting in order to gain access to resources that would normally not be available to the process or its user.

What is important to understand is that secure coding practices need to be integrated into the development phase of SDLC.

Static analysis is a technique meant to help identify software defects or security policy violations and is carried out by examining the code without executing the program, and therefore is carried out before the program is compiled.

Testing Phase

Unit testing is concerned with ensuring the quality of individual code modules or classes.

Unit testing usually continues throughout the development phase.

Security attacks and penetration tests usually take place during this phase to identify any missed vulnerabilities.

Testing Types

The following are some of the most common testing approaches:

  • Unit testing: Testing individual components in a controlled environment where programmers validate data structure, logic, and boundary conditions
  • Integration testing: Verifying that components work together as outlined in design specifications
  • Acceptance testing: Ensuring that the code meets customer requirements
  • Regression testing: After a change to a system takes place, retesting to ensure functionality, performance, and protection

Fuzzing is a technique used to discover flaws and vulnerabilities in software by sending large amounts of malformed, unexpected, or random data to the target program in order to trigger failures.
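As an added example (not from the original notes), the C code below shows a length-checked copy that rejects oversized input, the unchecked-input condition described above as a buffer overflow, together with a small seeded fuzz loop of the kind the Testing section describes, which watches a canary byte placed right after the buffer. NAME_MAX, copy_name and fuzz_copy_name are names chosen for this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size destination buffer, assumed for the example */

/* Hardened copy: the input length is checked against the destination size
   before any byte is written. Input that would not fit (including the NUL
   terminator) is rejected with -1 instead of spilling past the buffer,
   which is the condition the notes describe as a buffer overflow. */
int copy_name(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Minimal fuzz loop: feed copy_name many random-length, random-content
   inputs and watch a canary byte placed directly after the destination.
   Returns the number of inputs that were correctly rejected, or -1 if the
   canary was ever overwritten (an overflow slipped through) or the copy
   misbehaved. Seeded so that runs are reproducible. */
int fuzz_copy_name(unsigned seed, int iterations)
{
    struct { char name[NAME_MAX]; char canary; } target;  /* no padding: all char */
    char input[4 * NAME_MAX];                              /* constructed inputs */
    int rejected = 0;

    srand(seed);
    for (int i = 0; i < iterations; i++) {
        /* random length 0..sizeof(input)-1, random printable bytes */
        size_t len = (size_t)rand() % sizeof(input);
        for (size_t j = 0; j < len; j++)
            input[j] = (char)('!' + rand() % 94);
        input[len] = '\0';

        target.canary = (char)0x5A;
        int rc = copy_name(target.name, sizeof target.name, input);
        if (target.canary != (char)0x5A)
            return -1;                       /* overflow detected */
        if (rc < 0) {
            if (len < NAME_MAX) return -1;   /* false rejection: input fit */
            rejected++;
        } else if (rc != (int)len || strcmp(target.name, input) != 0) {
            return -1;                       /* accepted but copied wrong */
        }
    }
    return rejected;
}
```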

Dynamic analysis refers to the evaluation of a program in real time, when it is running.

Operations and Maintenance Phase

Verification determines if the product accurately represents and meets the specifications.

Validation determines if the product provides the necessary solution for the intended real-world problem.

Zero-day vulnerabilities are vulnerabilities that do not currently have a resolution.


Originally published on the WeChat public account debugeeker: CISSP Exam Guide Notes: 8.2 Software Development Life Cycle

Source link (CN-SEC): https://cn-sec.com/archives/923229.html
