CISSP Domain 8 — Software Development Security

Domain 8 — Software Development Security

The Software Development Lifecycle or SDLC phases are:

• Project initiation and planning
• Functional requirements
• System design specifications
• Development
• Documentation
• Testing and evaluation
  • Acceptance: verify the system does what it's supposed to
  • Certification: formal process of evaluating the security capabilities, a comprehensive technical analysis
  • Accreditation: Management reviews the certification, authorizes the system to be implemented or deployed into production, can be provisional or full
• Implementation / deployment

Software Development Models

• Waterfall: Each phase is completed before the next one can begin, cannot revisit earlier phases.
• Structured Programming Development: Extensive use and reuse of subroutines and block structures.
• Spiral: A nested version of the original waterfall model, adds four sub-stages to each phase based on the Deming Plan: Plan, Do, Check, Act or PDCA. It's about continuous improvement.
• Cleanroom: Spend more time in design, get it right the first time more often.
• Iterative Development: Can go back and re-design as needed. This term isn't used these days, Agile, Scrum, Extreme Programming, etc,. are used instead.
• Prototyping: Build a simplified version of the application, release it for review, use feedback from stakeholders to build a second, much better version.
• Rapid Application Development or RAD: Strict time limits on each phase, relies on efficient tools to produce quality code quickly.
• Joint Analysis Development or JAD: Helps developers work directly with stakeholders.
• Computer-Aided Software Engineering or CASE: Today called IDE or Integrated Development Environment, like Visual Studio Team Edition.
• Component-Based Development: Use standardized building blocks to assemble, rather than write, the application code.
• Reuse Model: Built the application from existing and tested components.
• Extreme Programming: The team produces the software in a series of small, fully integrated releases intended to fulfill the owner-defined needs.

Component-Based Development and Reuse Model is where we are today.

Object-Oriented Design

• Encapsulation: a.k.a. data hiding
• Inheritance: Subclasses can share some or all characteristics of the main class.
• Polymorphism: Objects of different data types can be processed differently.
• Polyinstantiation: Different versions of the same information can exist at different classification levels. Users at a lower classification level don't know the higher level exists.

Distributed object-oriented systems can use CORBA, Enterprise JavaBean, and DCOM or Distributed Component Object Model. XML web services and cloud services are newer examples.

Code Weaknesses and Secure Coding Practices

• Buffer Overflow
• Covert Channel
• Malformed Input Attacks
• Memory Reuse
• Executable Content / Mobile Code
• Time of Check vs Time of Use or TOCTOU
• Between-the-Lines Attack
• Trapdoor / Backdoor