Security in the Software Development Lifecycle: “Build Security In”


Background

Summary:

Security should be considered at all phases of the software development lifecycle.

Description:

The traditional Software Development Lifecycle (SDLC) is a structured methodology for developing software. These phases of development include:

  1. Analysis or requirements gathering – at this phase the problem is clearly defined.
  2. Design or planning – creating an algorithmic solution for the problem.
  3. Implementation – the solution is coded in a programming language and run to check its correctness.
  4. Testing – formal testing and debugging.
  5. Maintenance – the program is maintained, changed, and documented.

Since security has become a more prevalent concern, it is important to consider security at all stages of a software project. Building secure software is more effective than adding security features after the project is complete.

Risk — What’s the Risk?:

Poor design and insufficient testing lead to insecure software. Most security issues result from attacks exploiting insecure software.

Examples of Occurrence:

  1. In 2002, in response to the proliferation of security issues, including terrorist attacks and malicious software, Bill Gates wrote a famous “security evangelist” memo (found here), committing his company to building secure software.
  2. Thousands of vulnerabilities are reported each year (see here). At the same time, the number and severity of the attacks continues to increase.

Lab/Homework Assignment

  1. Create a project.
  2. Edit: Type in the following program exactly as written. Include your name and date.
  3. Compile: There should be a syntax error. The compiler indicates the error with a message at the bottom of the screen. Double-click on the error message shown by the compiler to find the error. Correct the error and compile again.
  4. Run: Examine the output carefully.
  5. Look for errors. You should see a spelling error in the output. This is an example of a bug or logic error.
  6. Correct the error, compile, and run again.
  7. Examine the output again. If you carefully completed the background section, you will see that 6 is incorrect. Security features should not be added after the program is complete, but should be included at all levels of the SDLC. Revise the program (remove step 6 and add “with security in mind” at each step), so that it produces the correct output. Copy and paste the final program and output to TURN IN.
  8. Add the following lines to the program:

      float num1;
      float num2;
      float avg;
      cout << "Enter two numbers" << endl;
      cin >> num1 >> num2;
      avg = num1 + num2/2;
      cout << "The average is " << avg;

  9. Examine the output carefully. What is wrong? Is this a syntax error or a logic error? Correct the program so that it produces the correct output. Copy and paste the final program and output to TURN IN.
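Added example (not the lab's own program): the step-8 average exactly as typed, beside a corrected version, together with the input check that an implementation phase done "with security in mind" would include. The function names are this example's own.

```cpp
// Added example, not the lab's program. Shows the step-8 logic error next to
// its fix, and validates the two numbers instead of trusting "cin" blindly.
#include <cmath>
#include <iostream>
#include <sstream>
#include <string>

// The expression as typed in step 8. Operator precedence divides only num2,
// so the program compiles cleanly but computes the wrong value: a logic
// error, not a syntax error.
float buggy_average(float num1, float num2) {
    return num1 + num2 / 2;
}

// Corrected: parenthesise the sum so the whole sum is halved.
float average(float num1, float num2) {
    return (num1 + num2) / 2;
}

// Reads two numbers from a stream and checks that the reads succeeded.
// A bare "cin >> num1 >> num2" leaves both at 0 on bad input (C++11 and
// later) and the program carries on with a meaningless result; here a
// failed extraction or a non-finite value is reported instead.
bool read_two_numbers(std::istream& in, float& num1, float& num2) {
    num1 = 0.0f;
    num2 = 0.0f;
    if (!(in >> num1 >> num2)) return false;
    return std::isfinite(num1) && std::isfinite(num2);
}

// Same check driven from a string, so it can be exercised without stdin.
bool average_of_text(const std::string& text, float& result) {
    std::istringstream in(text);
    float num1 = 0.0f, num2 = 0.0f;
    if (!read_two_numbers(in, num1, num2)) return false;
    result = average(num1, num2);
    return true;
}

int main() {
    std::cout << "Enter two numbers" << std::endl;
    float num1 = 0.0f, num2 = 0.0f;
    if (!read_two_numbers(std::cin, num1, num2)) {
        std::cerr << "Input was not two numbers; no average computed." << std::endl;
        return 1;
    }
    std::cout << "The average is " << average(num1, num2) << std::endl;
    return 0;
}
```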

Lab Questions

  1. What is the role of the compiler?
  2. What is a syntax error? What was the syntax error in the above program? What happens when you have a syntax error in your program?
  3. What is a logic error or bug? What was the logic error in the above program?
  4. In one sentence, summarize the difference between syntax errors and logic errors.

Introduction to Checklists

Checklists are used by airline pilots, in emergency rooms in hospitals, and increasingly in the software industry, to enforce safety procedures. We will use checklists throughout the semester, primarily to check the security of our code. Use the following checklist to ensure you have completed this lab correctly.

SDLC Checklist
Intro to the SDLC: CS0
Look at your output from Program 1: Completed
1. Is security considered in the analysis phase, when you are defining the problem?
2. Is security considered in the design phase?
3. Is security considered in the implementation phase?
4. Is security considered in the testing phase?
5. Is security considered in the maintenance phase?
6. Is security considered in all parts of the SDLC?
If you answered yes to all of the above questions, you are describing the Secure Development Lifecycle (SDLC).

Discussion

  1. Where do you think security should fit into the SDLC?
  2. Why is security more of a concern than it was 10 years ago?
  3. If a program has no syntax errors, can we assume the program will run correctly?
  4. If a program has no syntax errors, can we assume that it is secure?
  5. Compare software security and security software.

Turn in program, output, checklist, and questions.

Copyright © Towson University