Part 12 - Verification Validation Certification and Accreditation

Video Activity

The series on software security concludes with a discussion of verification, validation, certification, and accreditation. These steps are essential to assure that we produced what the customer and stakeholders requested. In addition, checks are implemented to ensure that the software meets required security standards that are part of the CIA triad...

Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
2 hours 38 minutes
Difficulty
Beginner
CEU/CPE
3
Video Description

The series on software security concludes with a discussion of verification, validation, certification, and accreditation. These steps are essential to assure that we produced what the customer and stakeholders requested. In addition, checks are implemented to ensure that the software meets required security standards that are part of the CIA triad. Even after the software ships, it still must be maintained. This includes warranty support, pushing out updates and patches, and finally, defining an end of life pathway. This will be familiar if you still run an unsupported version of Windows such as XP.

Video Transcription
00:04
Now, the last section of this chapter is just making sure that we understand certain terms that air associate it with product acceptance in these terms kind of sound alikes. We want to make sure that we understand the differences between them.
00:16
So the 1st 2 terms we have our verification and validation
00:21
verification is more about the technical design of the product. Does the software meet the developers description? Does the does the software meet the requirements? Does it do what it's supposed to do,
00:34
then? Validation, which would come next? And validation is essentially, does the product solve a real world need that I have? So it does what it's supposed to do. But does it solve a problem for me? Does it fix the problem that I have not make sense that if it does what it's supposed to do, then it would fix the problem.
00:53
But again, sometimes you can have these variances between requirements
00:57
and where customers don't give us good requirements and we don't collect good requirements, so you might actually have a product that's verified that doesn't get validated. In an ideal world, verification would be followed by validation, we verified. It does what it's supposed to do. Therefore, it will solve the problem that we're trying to solve
01:15
now. We would have checks for verification and validation. Of course, we have to make sure that the security protection mechanisms air in place. We always go back to thinking about the C I. A triad of confidentiality, integrity and availability.
01:32
But remember there lots of other security elements we have to check for, like authenticity,
01:37
non repudiation authorization session management, all that stuff that we've talked about. So these are some of the checks that we would go through for the verification and validation process.
01:48
Now, the remaining two terms certification versus accreditation
01:53
certification is the technical evaluation of the security features of a product
01:59
in a particular environment. So, ultimately, does the product provide the appropriate level of protection that's necessary given an environment, because it's certainly possible for a product to be certified in one environment but not to be certified for a separate environment.
02:15
So certification is technical. Does that do the requirements get satisfied through this product,
02:23
and once the product is certified in the next logical step would be accreditation management's acceptance of the product and at that point in time management accepts all the risks associated with the product and they move forward and say, Let's roll this out, Let's implement.
02:39
So at this point in time, we've gone through the full process. Management's accepted the product. They've rolled out the product after accreditation, and they've accepted the risks associated. So, really, at this point in time, we're in the post acceptance phase. And here's where we really, um,
02:58
are are withdrawing our support for this product. You know, any sort of warranty work
03:02
or any sort of ongoing support, like patching the system. Um,
03:08
anything that's necessary to ensure that the product works well in its environment, that we fix any bugs or flaws that are out there. But again, it post acceptance. We've handed off this product, and we're sort of backing off. Now. If the customer comes to us and wants other changes,
03:27
unless they're a result of the product not meeting its requirements,
03:31
those other changes would be handled as a separate project. So maybe the customer now wants us to come back, and they say, You know, we just assumed you were going to train our customers on this product.
03:42
Well, we've documented that we're not going to provide training or manuals. We'd be happy to do so. But that'll constitute another project, and we can begin from that stage again. So ultimately, after post excess acceptance, we're patching the system any sort of updates that are necessary in any sort of warranty.
Up Next
Security Operations

They are responsible for knowing where a network's possible vulnerabilities are and providing mitigation strategies to combat them. An effective Cyber Security Operations Manager will have experience in a technical security role including ...

Instructed By