Secure Development and Acquisition Lifecycle

00:03

Hey, guys, Welcome to another episode of the S S C P Exam Prep.

00:07

I'm your host, Peter Simple.

00:10

This is domain to lesson three.

00:13

So far in domain to we have looked at the code of ethics, which is the minimum of required standard behavior for all SS CP practitioners. We've looked at the CIA Triad. That's the triangle of confidentiality, integrity and availability, which is

00:32

the fundamental aspect of cybersecurity.

00:35

We've looked at security, architecture, er, and how to successfully build security systems using different security practices. And we've looked at controls, the managerial, technical and operation controls.

00:49

We've taken a look at system security plans, which is a detailed document describing all of the different aspects of cyber security within a given system. And today, in this lesson, we're gonna take a look at secure development in acquisition life cycles, which is

01:06

how to securely design computer systems.

01:08

And we'll also take a look at system vulnerabilities, secure development and acquisition practices and how they relate to each other. We're gonna look specifically at how secure development reduces system vulnerabilities. And when we make this a habit,

01:23

it will be a perfect opportunity to design a secure system.

01:27

Let's get started

01:30

physically in actively participate in the development of a system. It is important for the practitioner to know and understand how these systems have developed.

01:41

The most popular, says Secure Development System is known as the waterfall meant

01:47

this is the one that's used in most organizations around the world.

01:51

How it works is starts up at the top of the first step of requirements,

01:56

and it can systematically goes down each level until the system is completed so it starts or requirements. And then it goes to system design, implementation, integration, deployment and finally made it.

02:13

The way the waterfall method works is it's a one way stream, kind of like having our waterfall, but you cannot go back up once you go down, so it's important to make sure everything in the current step is completed before the next step is started.

02:31

So in the first step, requirements gathering analysis, functional and non functional requirements have documented

02:38

functional requirements are user interactions and processing steps. Things that the system users will have to deal with

02:47

non functional requirements are things like performance and system constraints.

02:54

Security requirements are also defined at the first step

03:00

the next step is the system design. This is where the requirements are turned into diagrams and presented to the stake holders or people who have an interest in the system.

03:12

Once these system designs are turned into flow charts and narratives, and once they pass the approval of all the stakeholders to make sure all the requirements are there, that's when the system is actually beginning to be implemented.

03:27

Programming is done like in most places in modules real small, little

03:32

compact blocks of code, which can be easily tested, easily applied and be easily edited.

03:39

Security practitioner is responsible for the correct implementation off all the security concepts in this death.

03:49

The next step is the integration. All the tiny little modules are come together and are tested together separately and in groups to ensure that they work as expected.

04:00

Once the testing has been thoroughly done,

04:02

the system is deployed into a controlled environment for quality assurance. This is when the system is tested with test data as a whole to see how it will respond If all goes well, the system is then put into production

04:18

as always, like all system's not perfect. So as bugs and vulnerabilities or rise or come about.

04:27

They are patched up and fixed to maintain the integrity of the system.

04:35

Another lesser known method is known as the spiral method. This method is very similar to the waterfall method and that there are six different steps starting from the requirements and which go down to the maintenance

04:50

dealing difference between the spiral method. On the waterfall method, there is a little loop in each one of the steps.

04:58

Little work is known as the P D. C. A, which is the plan Do Check Act, and this group is done as many times as needed until each step is thoroughly done. So, for example, the first step to the waterfall method is where all the requirements are

05:15

here. The requirements are gathered,

05:17

everything is written down there. Check to make sure they are all there, and then they start acting upon. If the loop is needed to be done again, then it will. If not, the system designed can be started.

05:32

Another type of application development method is known as rad rapid application developed.

05:38

This is where the programmers

05:40

build very small little components and prototypes as the gap that get requirements are gathered. So as soon as they have a requirement that both small prototype for

05:50

then they modify that prototype by building another small prototype. And the system gives repeated until all of the requirements are taken care of. Now this is good, and that is good in the sense that errors or detective very early.

06:03

But if bad in the sense that you can get caught up in a building so many prototypes, you can get away from what the true purpose of the system is actually for

06:16

another one.

06:18

Another application development method, which is actually rising in popularity,

06:23

especially in universities and start up companies, is agile development. This relies on feedback from application users and development teams as their primary control. It

06:34

this is very similar, but also very different than the waterfall mended. With this, you can go down the steps, or you can go back up the steps, or you could go in a loop as many times as needed.

06:47

So how the agile method works is that the requirements are gathered and the design is started.

06:55

Then, once design has started,

06:58

the programmers who were designing the architecture, the system go back and take a look at the requirements.

07:02

And then from there they tweet the design,

07:04

and this process is continued until they have a good design, and then they start to code.

07:10

They start to code and then go back to the design, look at the design again

07:15

and continue to coach again and go back to the design and tweet the design every single time. So the way this works is

07:24

it's divided up in its time period called sprints. Each sprint is usually one week or two weeks,

07:32

so the developers like code for a week and then go back to design and take a look, show what they have to the stakeholders and then the Conus tweets.

07:43

Then they go back and code for another week,

07:45

and then they bring that new prototype back

07:47

to be looked at by the designers again. And the system is continued all the way down until the system is completed, thoroughly tested and then put into production

08:00

system vulnerabilities and secure development. Exposing applications,

08:05

infrastructure information to external users, freaks, the opportunity for compromise by bad guys who wish to steal customer data and private information

08:16

and damage on organizations reputation there. Many vulnerabilities that face Web facing applications, which provide excellent opportunities for malicious attack by unauthorized users

08:30

and turn development project should combine secure coding practices

08:35

to reduce these vulnerabilities.

08:37

Best way to participate With system vulnerabilities insecure development is too

08:43

use a loss. A loss is the open Web application security project.

08:48

This is

08:50

This provides a freely available listing of the top vulnerabilities found and all of the Web applications. Anything that faces the wet

08:58

they list. Best practices and God lines for developers and areas of authentication. Session management, encryption of sensitive data, Adam van confirmations, air handling.

09:09

I think it's very important that everyone should be familiar with the old boss, especially if you are a Web developer or someone who creates applications that interact with the Wen.

09:22

You can check it out at this link down here in the West. A wasp it dot org's

09:28

hardware and software. More specifically, I 10 I t Asset Management.

09:33

This is the process of collecting inventory, financial and contractual baited to manage I t. Asset throughout their life cycle.

09:43

This is a very important process because it is important to know what assets you have and it's even more important to know what is on your network

09:52

so

09:54

unmanaged harbor assets or more likely to be vulnerable to attacks.

09:58

So if this is one your network, if you have an unmanaged asset on your network, your network is more vulnerable to attacks. So that's why it's important to know what you pass that you have in your organization

10:13

now underneath I T Asset Management or four different types of management's.

10:18

One is Hardware Asset Management, which is really anything that has an address, anything that is addressable that sits on your network hardware.

10:28

2nd 1 is software inventory management. What software programs or systems do you have running on the computers, the printers, the servers? That kind of

10:37

the third is configuration settings management.

10:41

How are these assets configured? Are they configured securely? It's very important to know the configuration of your assets because then you can determine whether or not these assets are protected or not. And the 4th 1 Vulnerability Patch Management.

10:58

When management of vulnerability is found, it can be properly taken care of. To keep your network and organization more secure, we'll be looking at these four types of management a little bit later in this domain.

11:15

In today's lecture, we discuss secure development in acquisition life cycles. That is the process of building systems securely using the waterfall method Spiro Method and the agile method. And we've looked at system vulnerability, secure development, acquisition practices,

11:31

family how, when you develop securely, it reduces system vulnerabilities

11:37

With John.

11:39

This application development model consists of six linear steps.

11:43

Is it a agile,

11:45

be rapid application development?

11:48

See spiral model or D The waterfall model

11:54

If you pick D than you are correct. Remember, Waterfall Model consists of six steps going from requirements all the way down to maintenance. It only goes in one direction, so each that must be completed before the next step is started.