Domain 8: Software Development Security (Weightage 10%)
Software Development Security is about creating secure software. It covers the fundamental principles behind designing, testing, and building enterprise applications. Closed-source software is software that can be executed, but whose source code is kept secret. Freeware is software that is free to download. Shareware is fully functional proprietary software that can initially be used free of charge. Crippleware is partially functional proprietary software with many key features disabled.
Different models are used for application development. For example, the Waterfall model is a linear model that uses rigid phases: when one phase ends, another begins. The sashimi model is a highly overlapping model that can be compared to the waterfall model; it is often called the sashimi waterfall model. Agile software development, which includes methods such as Scrum and XP, was developed as a response to rigid software development models. The spiral model repeats steps in a project. It starts with small goals and expands outwards in ever-larger spirals called rounds. Rapid application development (RAD) uses prototypes, dummy GUIs, and back-end databases to develop software quickly. The systems development life cycle (SDLC) is used in the IT industry and focuses on security.
Software escrow is the process of having a third party store an archive of computer software. Security of private/internal code repositories falls under the other corporate security controls discussed previously: defense-in-depth, secure authentication, firewalls, version control, etc. Software change and configuration management are tools that allow software to be managed as it is developed, maintained, and retired. DevOps is an agile development and support model that echoes the Agile programming methods.
This module also discusses databases. A database is a structured collection of related data. A relational database is composed of two-dimensional tables, or relations, that contain related data. A table has rows and columns. A row is a database record, called a tuple, and a column is called an attribute. Database normalization is a process that makes the data in a database table logically compact, organized, and consistent. Database query languages can be used to create database tables and allow read/write access to them. Database replication allows clients to read and write to multiple databases simultaneously. A shadow database is similar in function to a replicated one, with one important difference: the shadow mirrors all changes to the primary database, but clients cannot access it. Data warehouses are large collections of data, while data mining is used to search that data for patterns.
Next, it discusses Object-Oriented Programming (OOP), which uses an object metaphor for designing and writing computer programs. It provides data encapsulation, inheritance, and polymorphism. Common application vulnerabilities include hard-coded credentials, buffer overflow, SQL injection, directory path traversal, cross-site scripting, and backdoors. The Software Capability Maturity Model (CMM) is a framework that evaluates and improves the software development process. Acceptance testing is used to determine whether software meets certain end-state requirements. This can be done from a customer, contract, or compliance perspective.