158 Core Software Security
• Percent of software architecture changes
• Percent of SDLC phases without corresponding software security testing
• Percent of software components with implementations related to privacy controls
• Number of lines of code
• Number of security defects found using static analysis tools
• Number of high-risk defects found using static analysis tools
• Defect density (security issues per 1000 lines of code)
Note that if too many controls related to privacy need to be implemented in the software components, you might want to review the design of the components.
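The metrics above are usually computed from a component inventory and a static-analysis export rather than by hand. The following script is an added example, not code from the book or from any particular tool: it computes each metric in the list from constructed sample data (a component inventory with lines of code and privacy-control counts, static-analysis findings tagged with a severity, and a phase-to-security-test mapping) and applies the note above by flagging a design review when the share of privacy-bearing components passes a threshold. The component and finding data, the phase mapping, and the 25% threshold are all assumptions made for the example.

```python
"""Compute the Phase A3 security metrics from constructed sample data.

All inventory, finding and phase data below is constructed for
illustration; the 25% privacy-review threshold is an assumption,
not a figure from the book.
"""
from dataclasses import dataclass


@dataclass
class Component:
    name: str
    loc: int                       # lines of code in the component
    privacy_controls: int = 0      # number of privacy controls implemented
    architecture_changed: bool = False


@dataclass
class Finding:
    component: str
    rule: str
    severity: str                  # "high", "medium" or "low"


# Constructed sample inventory (not real project data).
COMPONENTS = [
    Component("auth", 4200, privacy_controls=3, architecture_changed=True),
    Component("billing", 9100, privacy_controls=5),
    Component("reporting", 3300),
    Component("gateway", 6000, architecture_changed=True),
]

# Constructed sample static-analysis findings.
FINDINGS = [
    Finding("auth", "SQL injection", "high"),
    Finding("auth", "hard-coded credential", "high"),
    Finding("billing", "cross-site scripting", "high"),
    Finding("billing", "weak hash algorithm", "medium"),
    Finding("billing", "unused variable", "low"),
    Finding("gateway", "path traversal", "high"),
    Finding("reporting", "missing null check", "medium"),
]

# Constructed mapping of SDLC phase -> planned security test activities.
PHASE_TESTS = {
    "requirements": ["abuse-case review"],
    "design": ["threat model review"],
    "implementation": ["static analysis"],
    "verification": [],            # no security testing planned here
    "release": ["penetration test"],
}

PRIVACY_REVIEW_THRESHOLD = 0.25    # assumed value; tune per organisation


def percent(numerator, denominator):
    """Percentage helper that tolerates an empty denominator."""
    return 0.0 if denominator == 0 else 100.0 * numerator / denominator


def architecture_change_pct(components):
    return percent(sum(c.architecture_changed for c in components), len(components))


def phases_without_security_testing_pct(phase_tests):
    return percent(sum(1 for tests in phase_tests.values() if not tests), len(phase_tests))


def privacy_component_pct(components):
    return percent(sum(c.privacy_controls > 0 for c in components), len(components))


def total_loc(components):
    return sum(c.loc for c in components)


def high_risk_count(findings):
    return sum(f.severity == "high" for f in findings)


def defect_density(findings, components):
    """Security issues per 1000 lines of code (KLOC) across all components."""
    return len(findings) / (total_loc(components) / 1000)


def density_by_component(findings, components):
    """Per-component density, so the team can see where issues cluster."""
    counts = {c.name: 0 for c in components}
    for f in findings:
        counts[f.component] += 1
    return {c.name: counts[c.name] / (c.loc / 1000) for c in components}


def needs_design_review(components, threshold=PRIVACY_REVIEW_THRESHOLD):
    """Apply the note above: too many privacy controls -> review the design."""
    return privacy_component_pct(components) / 100 > threshold


def report(components=COMPONENTS, findings=FINDINGS, phase_tests=PHASE_TESTS):
    """Collect every metric from the list into one dictionary."""
    return {
        "architecture_change_pct": architecture_change_pct(components),
        "phases_without_sec_testing_pct": phases_without_security_testing_pct(phase_tests),
        "privacy_component_pct": privacy_component_pct(components),
        "loc": total_loc(components),
        "defects": len(findings),
        "high_risk_defects": high_risk_count(findings),
        "defect_density_per_kloc": round(defect_density(findings, components), 3),
        "design_review_recommended": needs_design_review(components),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:32} {value}")
```

The per-component density is the figure worth tracking over time: a falling overall density can hide one component whose density keeps rising, and that is the component whose design review should be scheduled first.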
5.7 Chapter Summary
During our discussion of design and development (Phase A3), we described the importance of an analysis of policy compliance, creation of the test plan documentation, updates to the threat modeling discussed in the last chapter if necessary, completion of a design security analysis and review, and a privacy implementation assessment. Out of all of this, best practices are derived from the functional and design specifications created in this phase, and those practices are used throughout the remainder of the SDL process. Toward the end of the chapter, we discussed key success factors, deliverables, and metrics for this phase.