Software security is as important as individual’s personal security. This statement may sound a little bit exaggerated however it is not. I will prove my hypothesis with examples.
First of all, we need to clarify the SDLC (Software Development Life Cycle) and the leading methodology used for it. Then we can point out the security issues caused by the flaws in this Cycle. A software development life cycle or SDLC is essentially a project management model. It defines different stages that are necessary to bring a project from its initial idea or conception all the way to deployment and later maintenance.
There are seven primary stages of the modern software development life cycle. Here’s a brief breakdown:
⦁ Planning Stage
⦁ Feasibility or Requirements of Analysis Stage
⦁ Design and Prototyping Stage
⦁ Software Development Stage
⦁ Software Testing Stage
⦁ Implementation and Integration
⦁ Operations and Maintenance Stage
Security and Business/Operation balance must be the primary concern during the SDLC. Business or accomplishing the mission is the primary reason for existence of security. Starting from the planning stage, every single feature needs to be interrogated with what if questions.
Planning stage includes developing an effective outline for the upcoming development cycle, planners theoretically catch problems before they affect development. And they should take security problems into consideration as well. The analysis stage includes gathering all the specific details required for a new system as well as determining the first ideas for prototypes. The specific details and the requirements need to be assessed from a security-business balance point of view too. The design stage is a necessary precursor to the main developer stage. Developers will first outline the details for the overall application, alongside specific aspects, such as its:
⦁ User interfaces
⦁ System interfaces
⦁ Network and network requirements
⦁ Databases
Most of the security focus in SDLC is on design stage. A design flaw may cause a vulnerability that can not be easily remediated in the further stages. Agile approach is doing a good job for this stage. Every single security flaw is feedback, and it should be remediated. Development stage is the transformation of ideas to the code. This stage is where Static Application Security Testing or SAST tools come into play. Effective usage of this tools and brainstorming for different possibilities helps to generate a more secure code. Testing phase is mostly considered as the phase for ensuring there aren’t any bugs, and that the end-user experience will not negatively be affected at any point. This is not enough. This phase should be a partial penetration testing as well. This would be a better approach for software security. Depending on the article (Exploring software security approaches in software development lifecycle: A systematic mapping study)
There is no study for security concerns in Implementation and maintenance phases of SDLC. Only creating a secure product is not enough, how you implement and maintain also matters. For example, a product designed for internal network may not be secure for an external facing server, so how you implement is extremely important. And also, during the life cycle patching the new discovered vulnerabilities must be patched, otherwise software would not be secure anymore.
Software security is the first step for CIA triad. Most of the time attackers are searching for an open door forgotten by a developer.
In the first paragraph I promised to prove that software security is as important as personal security of individuals. Here is my proof:
USA Navy LHDs (a kind of aircraft carrier) has many facilities including medical centers and surgery room. In this surgery rooms it is possible to conduct a remote surgery which means that a doctor located in homeland can perform a critical surgery for a wounded marine in the middle of the ocean. For the peace time it is an acceptable risk however for the war time software security is crucial. Considering the outcomes of a vulnerability in a software, we can clearly say that software security is as important as individual’s personal security.
NATO General Secretary (Jens Stoltenberg) announced that “A serious cyberattack could trigger Article 5, where an attack against one ally is treated as an attack against all”. This basically means that response to a cyber attack may be a military operation. As a result, we are living in a world that software security is closely related with global security.
References:
https://www.clouddefense.ai/blog/system-development-life-cycle
https://www.researchgate.net/publication/308960782_Exploring_Software_Securi ty_Approaches_in_Software_Development_Lifecycle_A_Systematic_Mapping_Study
Leave a Reply