Development Lifecycle Security for Providing Secure Software
In order to provide secure software there are 2 main issues to address:
- Software Quality (Security INSIDE the software)
- SDLC in itself (Security AROUND the software)
Security Inside Software
There are many standards to draw on for this:
- CERN: Security Checklist for Software Developer
- SANS: SWAT
- Microsoft: DREAD
- OWASP: Application Security Verification Standard
- OWASP: Secure Coding Practice
- (ISC)2: Security Issues in SourceCode
Security Issues in Software
The most common issues are the following:
- Buffer Overflow: when a program (often driven by user input) writes more data into an assigned memory buffer than that buffer can hold
- Covert Channel: an information flow over a path that violates the usual security policy
- TOC/TOU: when a functionality is enabled after checking a condition, the Time Of Check precedes the Time Of Use, leaving a window in which the checked condition can change
- Malformed Input Attack: data supplied by the user is not validated for malformation before being used
- Memory (Object) Reuse: reading residual information left in a reallocated piece of memory or object
- Trapdoor/Backdoor: hidden mechanism that bypasses access control measures (e.g. account defined in the source code)
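Added example (not from the original page) illustrating the Buffer Overflow and Malformed Input entries above: a C parser for a small length-prefixed name field, with the unchecked variant that trusts the length byte beside the hardened variant that validates it before copying. The wire format, NAME_MAX and the sample messages are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define NAME_MAX 16  /* capacity of the destination buffer, including the NUL */

/* Constructed wire format for this example: byte 0 is the declared length n of
 * a name field, bytes 1..n are the name (not NUL-terminated on the wire). */
const uint8_t SAMPLE_OK[]        = {5, 'a', 'l', 'i', 'c', 'e'};
const uint8_t SAMPLE_OVERCLAIM[] = {40, 'x'};                 /* n exceeds bytes sent */
const uint8_t SAMPLE_TOO_LONG[]  = {16, 'A','A','A','A','A','A','A','A',
                                        'A','A','A','A','A','A','A','A'}; /* n == NAME_MAX */
const uint8_t SAMPLE_CONTROL[]   = {2, 'a', '\n'};            /* non-printable byte */

/* Unchecked version: trusts the length byte from the message. With n >= NAME_MAX
 * it writes past 'out' (buffer overflow); with n larger than the bytes received it
 * reads past 'msg' (malformed input). Shown for contrast with the checked version. */
int parse_name_unchecked(const uint8_t *msg, char out[NAME_MAX]) {
    size_t n = msg[0];
    memcpy(out, msg + 1, n);
    out[n] = '\0';
    return 0;
}

/* Hardened version: validates the declared length against both the bytes actually
 * present and the destination capacity, and rejects non-printable content.
 * Returns 0 on success or a negative code identifying the rejected condition. */
int parse_name_checked(const uint8_t *msg, size_t msg_len, char out[NAME_MAX]) {
    if (msg == NULL || msg_len < 1) return -1;      /* truncated header */
    size_t n = msg[0];
    if (n > msg_len - 1) return -2;                  /* claims more bytes than were sent */
    if (n >= NAME_MAX) return -3;                    /* would not fit with the NUL */
    for (size_t i = 0; i < n; i++)
        if (msg[1 + i] < 0x20 || msg[1 + i] > 0x7e) return -4; /* malformed content */
    memcpy(out, msg + 1, n);
    out[n] = '\0';
    return 0;
}

int main(void) {
    char name[NAME_MAX];
    int rc = parse_name_checked(SAMPLE_OK, sizeof SAMPLE_OK, name);
    printf("ok:        rc=%d name=%s\n", rc, name);
    printf("overclaim: rc=%d\n", parse_name_checked(SAMPLE_OVERCLAIM, sizeof SAMPLE_OVERCLAIM, name));
    printf("too long:  rc=%d\n", parse_name_checked(SAMPLE_TOO_LONG, sizeof SAMPLE_TOO_LONG, name));
    printf("control:   rc=%d\n", parse_name_checked(SAMPLE_CONTROL, sizeof SAMPLE_CONTROL, name));
    return 0;
}
```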
Security Around Software
The main question is which SDLC model to apply:
- StackExchange: Secure SDLC to use
- Coverity: Building Security in SDLC
Usual SDLC for Software
The most common models for software development are the following:
- Waterfall: sequential (not iterative) design process
- Spiral: risk-driven process focused on iterative enhancement
- DevOps: agile methodology that relies on collaboration between developers and operators, emphasizing shared accountability