Monday, July 6, 2020

Cyber security in software development: the good rules to follow

Cyber security must be the cornerstone of the software development process. It is essential to guarantee the security requirements in every phase of the software's life cycle. From the earliest stage of the project, the work must follow a path whose guiding thread is information security.

Following this approach requires applying development rules and relying on professionals with specific skills. An information security risk assessment and an impact assessment are required to ensure the privacy of the sensitive data processed by the application being developed.

Finally, testing repeated over time, in all phases of the software life cycle, is indispensable.


Cyber security in software development: the risks
Paying attention to cyber security during development is important to minimize vulnerabilities, arising from possible programming errors, that can be exploited by increasingly effective and ever more frequent cyber attacks; such vulnerabilities also affect the quality of the final product.

Protecting the code and the data managed by the application under development, and guaranteeing the IT security protection parameters (integrity, confidentiality and authentication), must be the main objectives of software security.

Cyber security in software development: the stages
We describe below the various phases of the software life cycle, with a common denominator: guaranteeing the security requirements of the data, the functions and the programming language.


The precise definition of these phases and of their organization constitutes a development model: the so-called software life cycle model. For simplicity, the model we refer to is a waterfall model which, as the name suggests, is simply a sequence in which each phase is started only after the previous one has been completed.

This does not mean that a phase cannot later be revisited and corrected: in fact there are alternative and less rigid models than the one proposed, intended to make the whole process of producing and managing the software more reliable.

Each phase must be verified and approved in compliance with guidelines consistent with the main security standards.

Feasibility study
It is the phase in which the possible costs and benefits of the product to be developed are evaluated. A document is produced which must contain:

the definition of the project;
possible solutions and their reasons;
for each of the proposed solutions, the estimate of the benefits, costs, resources required and delivery times.
Analysis and specification of requirements
This phase aims to determine the functionality required by the customer and the properties of the software in terms of performance, security, ease of use, portability and maintainability.

The collection of requirements must take into account the technological and regulatory context. These properties are also recorded in a document, which allows the customer to verify the specified characteristics and the designer to proceed with the development of the software architecture. This phase may also include drafting a user manual and defining the system test methods.

The analysis and specification of the security requirements is an important element that conditions the solution that will be chosen.

Particular attention must be paid to the choice of the operational security arrangements for the application, the infrastructure and the development environment.


System architecture design
The purpose of this phase is the production of a document containing a description of the software architecture both globally and at the level of the individual integrated and interacting modules.

The functions and solutions proposed in the feasibility phase are analyzed, the time and resources for implementing the requirements and running the tests are planned, and the security rules are established, agreeing with the developers the programming language to be used and the characteristics of the application.

This is the moment to carry out the preliminary investigations for drafting a document assessing the risks to which the application is exposed and a data processing impact assessment, in order to safeguard information security (ISO 27034, ISO 29151) and the protection of personal data (GDPR - General Data Protection Regulation, EU regulation 679/2016) respectively.

Realization of individual components and their verification
It is the phase in which the programs are actually implemented, applying good-practice rules for writing secure code, performing functionality tests and searching for any vulnerabilities.

For each component we provide:

coding
documentation
specification of the tests carried out
For security purposes, the development environments must be equipped with audit, backup and access control systems, kept up to date, and protected by specific software security modules, on the basis of guidelines shared and imparted by those who provide support, training and information services.


System integration and verification
The purpose of this phase is to assemble the product's code, check its actual compatibility and resolve any interaction and security errors; it need not be considered conceptually distinct from the previous phase.

It is advisable to prepare a test plan with test cases and related acceptance criteria, simulating intrusions under various attack scenarios and keeping the test environment separate from the development environment.

The objectives of the tests must be to highlight the degree of exposure of the software to known vulnerabilities and to review the source code in search of anomalies in the correct functioning of the security controls and operational specifications.


Delivery
In this phase the system is distributed to users, who verify its operation and identify any anomalies or deviations from the project specifications. Releasing the software into production requires having passed an acceptance test verifying compliance with the functional and security requirements, having produced the system documentation, and having planned training for users.

Delivery takes place in two stages:

Beta test: the system is distributed to a selected set of users in order to test it on real cases. The errors found should be corrected before the actual distribution of the product.
Distribution: the software is definitively released to users. Errors found after this release are usually corrected in subsequent versions or through appropriate corrective software.
Maintenance
This phase covers the whole evolution of the system from delivery onwards and therefore includes modifications and evolutions of various kinds. Moreover, since the maintenance phase encompasses every activity that follows the delivery of the product, it can account for well over half of the overall costs of the entire life cycle.

Conclusions
The cost of correcting a vulnerability or error is higher the later it is detected in the life cycle. For this reason, the security requirements should be gathered and verified before development and production.

Planned testing, verifying the completeness and consistency of the functions and the quality, security and functionality of the software, can in fact help to identify anomalies while the cost of correcting them is still not significant.

Periodic tests can also be useful in the post-delivery (maintenance) phase. In fact, they can anticipate the effects of any new vulnerabilities and/or attack techniques, and monitor the application's functionality after significant changes to the delivered product.

The key to obtaining a good result is to structure a project team with clearly defined roles and responsibilities, such as the project manager, the security manager, programmers, system engineers, testers, customers, suppliers and end users.

In some cases it may be necessary to provide preventive training for all development personnel, covering 5 macro areas:

policies and guidelines for software lifecycle security;
best practices for writing secure code;
security issues according to the technologies used;
code vulnerabilities that could be exploited by cyber attacks;
reference standards on software security.
