Acquisition/Development

Time
5 hours 58 minutes
Difficulty
Intermediate
CEU/CPE
6
Video Transcription
00:00
>> Welcome back to Cybrary. Yes, of course, I'm your instructor, Brad Rhodes. Let's jump into the next phase of the system development life cycle, that's acquisition/development. In this learning objective, we're going to cover the security activities. We're again going to look at linkages. Now, we're going to talk about what acquisition/development is.

Our security activities here, when we talk about the acquisition or development process, is we're going to do our risk assessments. Previously, in the risk management domain, we covered what we do in risk assessments. We're going to look at those security requirements that have come out of phase 1. We are going to potentially perform functional security testing where we're taking the things that we're going to reuse. Maybe things like government off the shelf that already exist that we can grab. We're going to test those. We're going to make sure they're going to work for us. Then we're going to start to begin to prepare the documentation for certification and accreditation, which we now know is tied to what we call the risk management framework, RMF, and that's where we get terms like authority to operate or interim authority to operate. Then the last thing we do from a security perspective here, in the acquisition or development phase, is we look at the architecture. Where do the security controls that we need to mitigate risk fit into the overall design of our system?

Based on our decision that we made in phase 1, where we said, if we're developing, here's what development model we're going to use. Here's what happens. We've made the decision, we come in and we start to assess system risks. We then look at our controls and decide what we're going to do, and those output into the security plan. You should, for the AC content, understand these outputs. They're very important to understand. Then we work on the security architecture, and out of that is the integration of security into our architecture or into our system. Then we're going to engineer those security controls, and basically, that's where we place, if we're developing, the controls, and put them into operations and test them. This is a really important one here. We're going to document what we do. This is one of those things that we struggle with in the infosec and cybersecurity communities; we are terrible at documentation. I'm personally terrible at documentation. You need to know and become very good at documentation. It just is what it is. Then we have a series of control gates we go through, and then we decide: are we going to implement or not? What's great about the system development life cycle is you could get from your initiation phase into this acquisition/development phase and decide not to go forward, and that's okay. That's the great thing. That's why each of the gates between the different functions and the different phases of the system development life cycle exists: they are decision points that allow us to decide whether it's worth it to continue or not, and hopefully not waste a lot of money.

What is acquisition/development? It's the buy versus build decision. If we're going to buy something, maybe it's because it's less expensive to buy it than to build it ourselves. Because remember, if you build it yourself, you own all the zero days. That's a decision we have to make here. We can't just say we're going to develop it. No. As ACs, we're going to do those trade-offs in each of those areas because we want to make sure we make the right decision. Then, of course, the flip side of that is build. Maybe we go out and assess the market when we're doing our buy-build decision process, and we determine through a series of trade-offs. Remember, we've talked about trade-offs before. Through a series of trade-offs we go, man, it is just not worth it for us to expose the things that we're doing to buy something that would give away too much. Maybe we're developing a great set of threat intelligence feeds and we don't want to give away our secret sauce by buying a bunch of stuff, and so we just decide to build it. There's lots of reasons why we decide to buy, there's lots of reasons why we decide to build, but ACs, you're at the forefront of helping to make those decisions from both a technical and a non-technical perspective.

In this lesson, we talked about the acquisition/development phase of the system development lifecycle, we reviewed security activities that an AC does, we talked about the linkages and decisions around different things, and then we talked about that acquisition/development and the buy or build decision. It's modeling what it is we're going to do. Sometimes it's better to buy, sometimes it's better to build. But as ACs, we help to inform those decisions. We'll see you next time.