Software Development Lifecycles

This section is dedicated to software development lifecycles and the integration of security practises into them, for the development of secure practises.


Glossary

Development Operations (DevOps)

"A set of practices for automating the processes between software development and information technology operations teams so that they can build, test, and release software faster and more reliably. The goal is to shorten the systems development life cycle and improve reliability while delivering features, fixes, and updates frequently in close alignment with business objectives." ( NIST )

Development, Security and Operations (DevSecOps)

"DevSecOps is the term that denotes a culture and set of practices with automation tools to drive increased collaboration, trust, shared responsibility, transparency, autonomy, agility, and automation across the key stakeholders responsible for delivering software, including development, operations, and security organizations." ( NIST, 2022 )

Software Development Life Cycle (SDLC)

"A formal or informal methodology for designing, creating, and maintaining software (including code built into hardware)." ( NIST )

Reflection

In the last module we were introduced to SDLC's. Prior to that module, I was aware of some of the buzzwords connected to development such as DevOps and Agile from my own professional experience, but the meaning of them was fuzzy to me, and the distinction between them was blurry. Now though, I have a clearer understanding of the difference between an SDLC, and DevOps. Both aspects of development are valuable for the management of software quality.

While this page is mainly dedicated to SDLC's, I want to point out that well-designed automation minimises human error, so in the future I would like to explore DevSecOps more in-depth. That being said, it's important to be familiar with how to integrate security practices into an SDLC anyway whether those practises are automatable or not, as security efforts are often a legal requirement in software development.


Examples of SDLCs

The Waterfall Lifecycle

Foundational Readings

  • Royce, W. (1970) 'Managing the Development of Large Software Systems'. Technical Papers of Western Electronic Show and Convention (WesCon). Los Angeles, USA, 1970. - Royce builds upon his experience and expresses his advice for managing large software systems. He introduces the waterfall model, and emphasises the importance of documentation.

Review

The non-iterative approach of the waterfall model severly limits security-centred adjustments that are found to be needed later in development, therefore I wouldn't recommend it nowadays.


The Spiral Lifecycle

Foundational Readings

  • Boehm, B. (1988) A spiral model of software development and enhancement. Computer. 21(5): 61-72. - Boehm presents the spiral model of software development, adapting the waterfall model to be iterative and risk driven.

Review

The repetition of risk analysis stages in the spiral model gives every opportunity to develop as secure of software as possible. For that reason, I would recommend the spiral model for secure software development.


The Agile Lifecycle

Foundational Readings

  • Beck, K., Beedle, M., Bennekum, A., Cockburn A, Cunnigham, W., Fowler, M., Grenning, J., Highsmith, J., Hunt, A., Jeffries, R., Kern, J., Marick, B., Martin, R., Mellor, S., Schwaber, K., Sutherland, J. & Thomas, D. (2001) Manifesto for Agile Software Development. Available from: here. - Beck et al. introduce the Agile Manifesto, which outlines the core values of the Agile software development lifecycle.
  • Cockburn. A (2004) A Human-Powered methodology For Small teams, including The Seven Properties of Effective Software Projects. Addison-Wesley. ISBN: 978-0201699470 here. - Cockburn, who wrote the original Crystal Clear guide in 1991, outlines the Crystal Clear framework. The framework consists of a seven core principles to software development, that are designed to be adapted to the needs of the team.
  • Sutherland, J. & Schwaber, K. (2020) The 2020 Scrum Guide^TM. Available from here. - Sutherland and Schwaber, who wrote the original Scrum Guide in 2010, outline the Scrum framework. The framework consists of a 'scrum master' fostering a particular environment that facilitates incremental value production during 'sprints', that consititute an iterative, adaptive approach to completing complex tasks.

Review

Agile is fantastic on a corporate level as it promotes good customer relations, working products and teambuilding. There are many tools and frameworks associated with it too which are great such as the SCRUM framework, and kanban boards. However, Agile is fine-tuned to producing the minimum viable product for an organisation, including minimal security features. For that reason, Agile only works well for secure software development, when legal policies or customer demands enforce it. In those cases, I would recommend Agile over the Spiral model.

Security-Centered Readings

  • Firdaus, A., Ghani, I. & Jeong, S. (2014) 'Secure Feature Driven Development (SFDD) Model for Secure Software Development'. International Conference on Innovation, Management and Technology Research. Malaysia, 2013. - Firdaus et al. identify a negligence of security in common agile methods, such as Scrum, Extreme Programming and Feature Driven Development. Firdaus et al describe key principles of secure software development, and propose a conceptual model of secure FDD.
  • Mougouei, D., Sani, N. & Almasi, M. (2013) S-Scrum: a Secure Methodology for Agile Development of Web Services. World of Computer Science and Information Technology Journal (WCSIT). 3(1): 15-19. - Mougouei et al. describe a variation of Scrum that they call 'S-Scrum' (Secure Scrum). It involves the insertion of additional planning spikes into the Scrum process. They go further and formalise the process using a non-deterministic finite automaton; and a context free grammar is proposed for describing process steps.
  • Pohl, C. & Hof H. (2015) 'Secure Scrum: Development of Secure Software with Scrum'. The Ninth International Conference on Emerging Security Information, Systems and Technologies (SECURWARE2015). Venice, Italy, 2015. - Pohl and Hof describe a variation of the Scrum that they call 'Secure Scrum' (too). It introduces the use of 's-tags' to mark user stories with security concerns.
  • Sharma, A. & Bawa, R. (2020) Identification and integration of security activities for secure agile development. International Journal of Information Technology 14(2): 1117-1130. - Sharma and Bawa compare four security engineering processes: CLASP, Common Criteria, Cigital Touchpoints and Microsoft's SDL, identify security actvities using a systematic literature review, and propose a dynamic integration algorithm for integrating security activities into an agile process.

Reflection

Of the different security-centred readings, I found the paper by Sharma and Bawa (2020) to be the most useful, simply for introducing me to CLASP, Common Critieria, and Microsoft's SDL. When developing secure software, irrespective of the software development lifecycle, it's important to be aware of actual security activities and security standards. A good SDLC should be able to accomodate those activities and standards, and Agile is able to do so. In the future I would like to explore tools for the elicitation of security requirements from customers, to assist agile developers in fufilling international security standards.

Group Project

In this module we were tasked with creating secure database software as a team of four. In order to achieve this, we followed a variation of Agile, splitting the development of software into weekly sprints. We incorporated security into our SDLC through security planning and testing. In order to collaborate effectively, we used the following tools:

Kanban Board

kanban board

Code Repository

repository

Instant Messenger

instant messenger

Email

bg22514@essex.ac.uk

Address

Bath, United Kingdom