Domain 8 – Secure Software Development

Waterfall development

  • Project is divided into sequential phases, with some overlap and splash back acceptable between phases.
  • Emphasis is on planning, time schedules, target dates, budgets and implementation of an entire system at one time.
  • Tight control is maintained over the life of the project via extensive written documentation, formal reviews, and approval/signoff by the user and information technology management occurring at the end of most phases before beginning the next phase. Written documentation is an explicit deliverable of each phase.

The waterfall model is a traditional engineering approach applied to software engineering. A strict waterfall approach discourages revisiting and revising any prior phase once it is complete. This "inflexibility" in a pure waterfall model has been a source of criticism by supporters of other, more "flexible" models. It has been widely blamed for several large-scale government projects running over budget, over time and sometimes failing to deliver on requirements because of the Big Design Up Front approach. Except when contractually required, the waterfall model has been largely superseded by more flexible and versatile methodologies developed specifically for software development. From a security standpoint its phase gates are also its strength: security requirements, design review findings and test results can be made mandatory sign-off criteria before the next phase starts.

The waterfall stages can be memorized using the mnemonic "A Dance In The Dark Every Monday", representing Analysis, Design, Implementation, Testing, Documentation, Execution and Maintenance.

Prototyping

Prototyping is not a standalone, complete development methodology, but rather an approach to try out particular features in the context of a full methodology (such as incremental, spiral, or rapid application development (RAD)).

  • Attempts to reduce inherent project risk by breaking a project into smaller segments and providing more ease of change during the development process.
  • The client is involved throughout the development process, which increases the likelihood of client acceptance of the final implementation.
  • While some prototypes are developed with the expectation that they will be discarded, it is possible in some cases to evolve from prototype to working system.
  • Sit down with the customer and get a rough idea of the required look and feel.
  • Show the customer the prototype and get feedback; at this stage there is usually no back-end database or integration with real systems.
  • Four main phases:
    • Initial concept
    • Design and implement initial prototype
    • Refine through several iterations
    • Complete and release final version
  • Issues:
    • Scope creep
    • Easy to release before all phases, including security, are complete. A prototype that bypassed authentication, used hard-coded credentials or test data, or skipped input validation to get a demo working can end up in production if it "evolves" into the final system.

Clean room

  • Aims at quality software: the goal is defect-free (or near defect-free) code rather than code that is debugged into shape.
  • Focus is on defect prevention rather than defect removal: formal specification and design, team verification of code against the specification, and statistical usage-based testing in place of ad hoc debugging.
  • Developed at IBM and applied on NASA projects.
  • Quality over quantity.
  • Long-term development and maintenance costs should be lower, because fewer defects (security defects included) reach testing and production, where they are most expensive to fix.

Incremental development

Various methods are acceptable for combining linear and iterative systems development methodologies, with the primary objective of each being to reduce inherent project risk by breaking a project into smaller segments and providing more ease-of-change during the development process.

There are three main variants of incremental development:[2]

  1. A series of mini-Waterfalls are performed, where all phases of the Waterfall are completed for a small part of a system, before proceeding to the next increment, or
  2. Overall requirements are defined before proceeding to evolutionary, mini-Waterfall development of individual increments of a system, or
  3. The initial software concept, requirements analysis, and design of architecture and system core are defined via Waterfall, followed by incremental implementation, which culminates in installing the final version, a working system.

Iterative and Incremental development

Iterative development[3] prescribes the construction of initially small but ever-larger portions of a software project to help all those involved to uncover important issues early before problems or faulty assumptions can lead to disaster.

Spiral development

The Spiral Model combines key aspects of the waterfall model and rapid prototyping, joining the advantages of top-down and bottom-up concepts. It emphasizes deliberate, iterative risk analysis.

The basic principles are:

  • Focus is on risk assessment and on minimizing project risk by breaking a project into smaller segments and providing more ease-of-change during the development process, as well as providing the opportunity to evaluate risks and weigh consideration of project continuation throughout the life cycle.
  • “Each cycle involves a progression through the same sequence of steps, for each part of the product and for each of its levels of elaboration, from an overall concept-of-operation document down to the coding of each individual program.”
  • Each trip around the spiral traverses four basic quadrants: (1) determine objectives, alternatives and constraints of the iteration; (2) evaluate alternatives, and identify and resolve risks; (3) develop and verify deliverables from the iteration; and (4) plan the next iteration.
  • Begin each cycle with an identification of stakeholders and their “win conditions”, and end each cycle with review and commitment.
  • Well suited for large-scale complex systems.

Rapid application development

Rapid application development (RAD) favors iterative development and the rapid construction of prototypes instead of large amounts of up-front planning. The “planning” of software developed using RAD is interleaved with writing the software itself. Software can be written faster and it is easier to change requirements.

Start with the development of preliminary data models plus business process models using structured techniques. Next, requirements are verified using prototyping, refining the data and process models. Repeat iteratively until development produces a combined business requirements and technical design blueprint to be used in development.

RAD basic principles:

  • Key objective is for fast development and delivery of a high quality system at a relatively low investment cost.
  • Attempts to reduce inherent project risk by breaking a project into smaller segments and providing more ease-of-change during the development process.
  • Aims to produce high quality systems quickly, primarily via iterative Prototyping (at any stage of development), active user involvement, and computerized development tools. These tools may include Graphical User Interface (GUI) builders, Computer Aided Software Engineering (CASE) tools, Database Management Systems (DBMS), fourth-generation programming languages, code generators, and object-oriented techniques.
  • Key emphasis is on fulfilling the business need, while technological or engineering excellence is of lesser importance. Security requirements survive this trade-off only if they are written into the business need rather than left as an engineering nicety.
  • Project control involves prioritizing development and defining delivery deadlines or "timeboxes". If the project starts to slip, emphasis is on reducing requirements to fit the timebox, not on extending the deadline; security requirements are a common casualty of such cuts unless they are marked non-negotiable.
  • Generally includes joint application design (JAD), where users are intensely involved in system design, via consensus building in either structured workshops, or electronically facilitated interaction.
  • Active user involvement is imperative.
  • Iteratively produces production software, as opposed to a throwaway prototype.
  • Produces documentation necessary to facilitate future development and maintenance.
  • Standard systems analysis and design methods can be fitted into this framework.

Extreme Programming (XP)

  • Small, function-level releases rather than delivery of the whole application at once
  • Executed by small teams
  • Simplicity and agility
  • Four basic activities: coding, testing, listening, designing
  • Characteristic practices include pair programming, test-first development, continuous integration and refactoring; the first two also act as continuous code review and regression testing, which catches security defects early
  • Accommodates dynamically changing requirements
  • Risky projects with dynamic requirements are a good fit for XP
  • Emphasizes customer involvement and promotes teamwork
  • Use case: project is behind schedule
    • Example cited: the "Obamacare" health care website initially performed very poorly; Extreme Programming was used to fix modules

Agile development

“Agile software development” refers to a group of software development methodologies based on iterative development, where requirements and solutions evolve via collaboration between self-organizing cross-functional teams. The term was coined in the year 2001 when the Agile Manifesto was formulated.

Agile software development uses iterative development as a basis but advocates a lighter and more people-centric viewpoint than traditional approaches. Agile processes fundamentally incorporate iteration and the continuous feedback that it provides to successively refine and deliver a software system.

Database terminology

  • Relation: a table in the relational model, i.e. a set of tuples sharing the same attributes. (A relationship, by contrast, is the logical or natural association between two or more entities.)
  • Attribute: a named column; the construct whereby objects or individuals can be distinguished.
  • Degree: the number of columns (attributes) in a table.
  • Cardinality: the number of rows (tuples) in a table.
  • Tuple: a row in a table.
  • Element: a single data value at the intersection of a row and a column.
  • Schema: the collection of logical structures (tables, views, indexes and other schema objects) that defines a database. In Oracle a schema is owned by a database user and has the same name as that user; other DBMSs treat schemas as namespaces independent of users.
  • View: a stored query that presents data from one or more tables as if it were a table, usually a subset of their columns or rows. Because a user can be granted access to a view without access to the underlying tables, views are a standard way to enforce least privilege on sensitive columns.
  • Primary key: the column (or combination of columns) whose values uniquely identify each row in a table; it cannot be null.
  • Foreign key: a column in one table that references the primary key of another table. The DBMS enforces referential integrity by rejecting rows whose foreign key value has no matching primary key.
  • Data dictionary: the set of system tables (the catalog) that holds the definitions of database objects; it is the DBMS's own metadata and is what tools query to discover tables and columns.
  • Metadata: data about data; information that describes or documents other data managed within an application or environment.
  • Data warehousing: combining data from various operational sources into a single repository, typically for analysis and reporting. Aggregating data also aggregates its sensitivity, so a warehouse needs access controls at least as strong as those of its sources.
  • Data mining: the use of analytical tools to identify patterns and trends in the data held in a warehouse; its output is new, derived information, often stored as metadata. Inference, i.e. deriving sensitive facts from individually non-sensitive data, is the main security concern.
  • Open Database Connectivity (ODBC): a standard API that lets applications communicate with different types of databases. It sits between the application and the vendor-specific database drivers.
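As an added example (not code from the original notes), the terms above expressed as a runnable Python script using the standard sqlite3 module. The customer and order rows, table names and column names are constructed for this example. It builds a schema with a primary key and a foreign key, reports degree and cardinality, shows the DBMS rejecting an orphan row under referential integrity, uses a view to hide sensitive columns from a reader, and reads the data dictionary (SQLite's sqlite_master catalog). Table names supplied by a caller are allow-listed against that catalog before being interpolated into a PRAGMA, because identifiers cannot be bound as query parameters.

```python
import sqlite3

# Constructed sample data for this example (not from any real system).
CUSTOMERS = [
    (1, "alice", "alice@example.com", "555-0100"),
    (2, "bob", "bob@example.com", "555-0101"),
]
ORDERS = [
    (100, 1, 25.00),
    (101, 1, 40.00),
    (102, 2, 15.50),
]

SCHEMA = """
CREATE TABLE customers (
    customer_id INTEGER PRIMARY KEY,   -- primary key: uniquely identifies each tuple
    username    TEXT NOT NULL UNIQUE,
    email       TEXT NOT NULL,         -- sensitive: hidden by the view below
    phone       TEXT                   -- sensitive: hidden by the view below
);
CREATE TABLE orders (
    order_id    INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL
                REFERENCES customers(customer_id),  -- foreign key
    amount      REAL NOT NULL
);
-- A view is a stored query; granting access to it instead of the base
-- table limits a reader to the non-sensitive columns (least privilege).
CREATE VIEW customers_public AS
    SELECT customer_id, username FROM customers;
"""


def build_db():
    """Create an in-memory database holding the schema and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless enabled
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    conn.commit()
    return conn


def _known_table(conn, table):
    """Allow-list a caller-supplied table name against the data dictionary.

    Identifiers cannot be bound as query parameters, so the only safe way to
    interpolate one is to accept it only if the catalog already contains it.
    """
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()
    if row is None:
        raise ValueError(f"unknown table: {table!r}")
    return row[0]


def degree(conn, table):
    """Degree: the number of attributes (columns) in a table."""
    name = _known_table(conn, table)
    return len(conn.execute(f'PRAGMA table_info("{name}")').fetchall())


def cardinality(conn, table):
    """Cardinality: the number of tuples (rows) in a table."""
    name = _known_table(conn, table)
    return conn.execute(f'SELECT COUNT(*) FROM "{name}"').fetchone()[0]


def orphan_order_rejected(conn):
    """Referential integrity: an order whose customer_id matches no primary
    key must be refused by the DBMS itself, not by application code."""
    try:
        conn.execute("INSERT INTO orders VALUES (?, ?, ?)", (103, 999, 9.99))
    except sqlite3.IntegrityError:
        conn.rollback()
        return True
    conn.rollback()  # not reached while foreign_keys = ON
    return False


def view_columns(conn):
    """Columns visible to a reader who is granted only the view."""
    cur = conn.execute("SELECT * FROM customers_public")
    return [d[0] for d in cur.description]


def data_dictionary(conn):
    """Metadata: object name -> object type, read from SQLite's catalog."""
    rows = conn.execute(
        "SELECT name, type FROM sqlite_master "
        "WHERE name NOT LIKE 'sqlite_%' ORDER BY name"
    ).fetchall()
    return dict(rows)


if __name__ == "__main__":
    db = build_db()
    print("degree(customers) =", degree(db, "customers"))
    print("cardinality(orders) =", cardinality(db, "orders"))
    print("orphan order rejected:", orphan_order_rejected(db))
    print("view exposes:", view_columns(db))
    print("data dictionary:", data_dictionary(db))
```

The PRAGMA foreign_keys line matters: SQLite parses REFERENCES clauses but does not enforce them per connection until that pragma is on, so a schema that looks like it has referential integrity may have none. The same pattern, a catalog lookup before interpolating an identifier, is how to handle table or column names that arrive from a user when a parameterized query cannot carry them.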