Time
5 hours 49 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Transcription

00:00
Hello, everybody, and welcome to the IoT Security episode number 3, IoT software development life cycle. My name is Alejandro Guinea and I'll be the instructor for today's session.
00:14
The learning objective of this module is to understand and be able to identify the main phases and concepts of an IoT software development life cycle.
00:27
One of the fundamental tasks as you begin your development or integration effort is to select your development methodology and, you know, how to enhance that methodology into a more security-conscious one.
00:43
To do that, you can use the, you know, Building Security In Maturity Model,
00:49
uh, that lets you understand the security practices
00:54
being implemented by peer organizations.
00:58
You know, security
01:00
can be used in an adieu, um, fashion or RG development.
01:06
Uh,
01:07
When selecting a development methodology, consider that security must be built in from the beginning of the process to ensure that security, safety and privacy requirements are selected correctly and are traceable through
01:23
development and update of the IoT device and infrastructure.
01:26
to Durst, you know their comm plates. Uh, our approach is available that can be applied
01:34
to any development effort. Some well-known models are, you know, cascade, spiral, extreme programming, prototypes, Scrum. You know, discussing them in detail will take forever, but most of them share the same phases,
01:49
which are information gathering, design, development, implementation, testing and maintenance.
01:56
Many IoT products and systems will be developed using agile methodologies, and when I say agile, I mean that it contains several, you know, it is the name for several methodologies that, you know, developers are using because they're fast,
02:14
given that, you know, because they have the ability to quickly design, well, features on the fly, you know, and as the customer requests. Um, so agile, uh, defines a number of principles, some of which, you know, present,
02:30
you know, they have difficulties
02:31
to the integration of security approaches. For example, developers have to deliver working software versions frequently,
02:40
within a few weeks most of the time. So they, of course, will focus on creating functional or business-driven modules, focusing on making things work, not necessarily work in a secure fashion.
02:55
It is difficult to address these requirements in a short development cycle. Also, a focus on security decreases, you know, the velocity that can, you know, that can be applied to functional user requirements in agile development.
03:13
So basically, they're function are great and, um,
03:16
modules as fast as they can. They're, they're not actually thinking about security.
03:23
So, you know, a solution for this: maybe using threat modeling approaches can help you with this problem. You can start by defining functional security requirements that must be integrated into the product or service.
03:38
You can turn these functional security requirements into the stakeholder requirements.
03:44
I'm not them on the product this time. At the beginning of the process, for example, you can say stuff like: as a user, I want to ensure that the access passwords of my device or the cloud servers are strong. So this becomes security requirements in ST
04:02
into a stakeholder requirement
04:04
or functional requirement
04:06
as a user. For example: as a user, I want to be able to track my IoT device's authorized usage.
04:13
Another example is: as a user, I want to ensure that the data storage in my IoT device is encrypted.
04:20
So this will force any development life cycle to actually include security from the very beginning. That's a huge win for us. Remember, at the break of bats is the threats, risk and amount of money you need to spend to fix them increases exponentially, so it's not the same to actually
04:41
focus on a security control from the very beginning of the product
04:45
and to focus on the security control or a secure if it's at the very end of the brain or even after implemented.
04:51
Ah,
04:53
you know
04:55
we can, you know, us UT also concerned with safety.
04:58
I know the security developers. You also consider additional phases like the disposal of the edge devices, or even the result of using their devices incorrectly or for longer, or for a longer period of time. Maybe sending an alert to the server to discontinue the service if a device
05:17
is presenting
05:19
any kind of kind of malfunction or is being used far, far
05:25
above, off his off, you know, the deputy life fun lifespan.
05:31
So that's something that the developers should take into consideration and, you know, to perform this transition. And when I say transition smoothly, I mean perform the transition from the, uh, the security mind to the safety mind,
05:49
the first step is to create a security concept of operations,
05:55
uh, CONOPS as we call it, a document reflecting, you know, given the system security needs and safety needs,
06:03
uh, the security CONOPS or, you know, again, concept of operations,
06:10
Um,
06:11
document provides organizations with a tool for methodically
06:15
detailing the security operations of the system.
06:18
The document should be written and maintained by the system's operator to provide a road map for system implementers during the implementation and integration of new IoT software.
06:33
Ah, you know,
06:35
kind of CONOPS, sorry, document can contain topics like confidentiality and integrity controls, authentication and non-repudiation, monitoring and compliance, forensics, operations, maintenance and disposal, network security integrations, provisioning and enrollment mechanisms.
06:54
So at the end, this CONOPS document will help us to
06:58
translate from, um, a user like
07:02
and
07:04
needs to more security and safety needs. For example, as we told a little before, this CONOPS document will contain stuff like: as a user, I want to encrypt all the data traveling between my device and the cloud, for example. So this will, this CONOPS document will help us
07:23
so to both the developer and the security and safety engineers.
07:27
understand how the new software and the new IoT device must function in a secure fashion.
07:38
Mention two software development life cycle methodologies. Well, there's a bunch of them out there; the oldest one is the cascade.
07:46
It was, it is really old, and it is not flexible at all. And the newest one, I guess, is Scrum or, you know, extreme programming or any agile
07:59
um,
08:00
methodology.
08:01
What is BSIMM? Well, as I said at the beginning, it is the Building Security In Maturity Model, and it lets you understand the security practices being implemented or performed by peer organizations.
08:18
What is CONOPS? Well, it's a, uh, document that you can use to put all the security stuff in there for your new development life cycle. You can even use this for the development life cycle, meaning the hardware part, the physical part of the device.
08:35
And it, it stands for concept of operations.
08:41
Mention at least two topics that a CONOPS document should contain: confidentiality and integrity, forensics, network security integrations, monitoring and compliance, authentication and non-repudiation.
08:56
And I know I went way above the two requested in this question.
09:03
In today's brief lecture we discussed the main topics behind an IoT software development life cycle, which at the end, calls and we can also, some of them can also be applied to the development life cycle, meaning the physical, the chips, integrators,
09:18
everything that is physical to the device.
09:24
Supplemental materials: well, you can go to any of these links. They have really, really useful information, and you should definitely check it out.
09:35
Looking forward, in the next video we'll review the main concepts of an IoT identity and access management solution.
09:43
Well, that's it for today, folks. I hope you enjoyed the video and talk to you soon.

IoT Security

The IoT Security training course is designed to help IT professionals strengthen their knowledge about the Internet of Things (IoT) and the security platforms related to it. You’ll also be able to identify the security, privacy and safety concerns related to the implementation of an IoT infrastructure.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor