Embedding Security into a Software Development Methodology April 5 th, 8:30 AM Jonathan Minter Director, IT Development and Engineering Liberty University.

Slides:



Advertisements
Similar presentations
Implementing a Behavior Based Safety Process at Rockwell Automation
Advertisements

September 2008Mike Woodard Rational Unified Process Key Concepts Mike Woodard.
Upgrading the Oracle Applications: Going Beyond the Technical Upgrade Atlanta OAUG March 19, 1999 Robert Cooney.
2009 – E. Félix Security DSL Toward model-based security engineering: developing a security analysis DSML Véronique Normand, Edith Félix, Thales Research.
Bernd Bruegge & Allen Dutoit Object-Oriented Software Engineering: Conquering Complex and Changing Systems 1 Software Engineering September 12, 2001 Capturing.
1 Requirements and the Software Lifecycle The traditional software process models Waterfall model Spiral model The iterative approach Chapter 3.
Chapter 2 Modeling the Process and Life Cycle Shari L. Pfleeger
Systems Analysis and Design in a Changing World, 6th Edition
CS487 Software Engineering Omar Aldawud
Systems Analysis and Design in a Changing World, 6th Edition
SEP1 - 1 Introduction to Software Engineering Processes SWENET SEP1 Module Developed with support from the National Science Foundation.
INFO415 Approaches to System Development: Part 1
Alternate Software Development Methodologies
Sixth Hour Lecture 10:30 – 11:20 am, September 9 Framework for a Software Management Process – Artifacts of the Process (Part II, Chapter 6 of Royce’ book)
Rational Unified Process
Requirements Analysis INCOSE Systems Engineering Boot Camp
Computer Engineering 203 R Smith Agile Development 1/ Agile Methods What are Agile Methods? – Extreme Programming is the best known example – SCRUM.
Dr. Ralph R. Young Director of Software Engineering PRC, Inc. (703) Fifth IEEE International Symposium on Requirements Engineering.
Mastering OOA/OOD with UML. Contents Introduction Requirements Overview OOAOOD.
VENDORS, CONSULTANTS AND USERS
April 3-5, 2005Security Professionals Conference Ways to Fit Security Risk Management to Your Environment Using the OCTAVE Methodology Tailoring.
Problems with reuse – Increased maintenance costs; lack of tool support; not-invented- here syndrome; creating, maintaining, and using a component library.
Effective Methods for Software and Systems Integration
Developing the Personal Competence Manager Evaluation Work: ‘EPIQ Business Demonstrator’ Elena Shoikova, Vladislav Denishev, Radoslav Milanov Technical.
Chapter : Software Process
COMPGZ07 Project Management Presentations Graham Collins, UCL
Student Learning Objectives 1 Phase 3 Regional Training April 2013.
S/W Project Management Software Process Models. Objectives To understand  Software process and process models, including the main characteristics of.
Introduction to RUP Spring Sharif Univ. of Tech.2 Outlines What is RUP? RUP Phases –Inception –Elaboration –Construction –Transition.
-Nikhil Bhatia 28 th October What is RUP? Central Elements of RUP Project Lifecycle Phases Six Engineering Disciplines Three Supporting Disciplines.
1 Process Engineering A Systems Approach to Process Improvement Jeffrey L. Dutton Jacobs Sverdrup Advanced Systems Group Engineering Performance Improvement.
CS 360 Lecture 3.  The software process is a structured set of activities required to develop a software system.  Fundamental Assumption:  Good software.
What is a life cycle model? Framework under which a software product is going to be developed. – Defines the phases that the product under development.
Chapter 3: Software Maintenance Process Omar Meqdadi SE 3860 Lecture 3 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.
Using a Project Model for Assessment of CDIO skills Tomas Svensson, Svante Gunnarsson Linköping University Sweden June
Systems Analysis and Design in a Changing World, 6th Edition 1 Chapter 8 - Approaches to System Development.
University of Palestine software engineering department Testing of Software Systems Testing throughout the software life cycle instructor: Tasneem Darwish.
Idaho Principal Evaluation Process & Principal Observation Lisa Colón, Idaho State Department of Education Matt Clifford, Ph.D., American Institutes for.
Role-Based Guide to the RUP Architect. 2 Mission of an Architect A software architect leads and coordinates technical activities and artifacts throughout.
What is a Business Analyst? A Business Analyst is someone who works as a liaison among stakeholders in order to elicit, analyze, communicate and validate.
Software Engineering Principles Principles form the basis of methods, techniques, methodologies and tools Principles form the basis of methods, techniques,
CHECKPOINTS OF THE PROCESS Three sequences of project checkpoints are used to synchronize stakeholder expectations throughout the lifecycle: 1)Major milestones,
Top Down View of Estimation Test Managers Forum 25 th April 2007.
1 김 수 동 Dept. of Computer Science Soongsil University Tel Fax
Fifth Lecture Hour 9:30 – 10:20 am, September 9, 2001 Framework for a Software Management Process – Life Cycle Phases (Part II, Chapter 5 of Royce’ book)
6/6/01 1 Copyright 2001 by Ralph R. Young Effective Requirements Practices Designed to improve individual, project, and organizational effectiveness. Based.
Introduction to the Continual Service Improvement Toolkit Welcome.
Federal Aviation Administration Acquisition Career Certification & Management Rebecca Deloney Acquisition Career Management November 4, 2009.
Systems Analysis and Design in a Changing World, 6th Edition
Developed by Reneta Barneva, SUNY Fredonia The Process.
Software Testing and Software Quality Assurance Process.
Overview of RUP Lunch and Learn. Overview of RUP © 2008 Cardinal Solutions Group 2 Welcome  Introductions  What is your experience with RUP  What is.
Software Engineering Principles Practical Advice and Steps for Managing Your Project.
Modelling the Process and Life Cycle. The Meaning of Process A process: a series of steps involving activities, constrains, and resources that produce.
MOSTAFA MAZEN MOIS 549 The ERP Selection Process Survival Guide Article from:
DEVELOPMENT OF UNIFORM CONTRACTING AND PROCUREMENT POLICIES  Procurement Reform Task Force Recommendation #7  Approach  Key Initiatives  “Go Forward”
Software Development Process CS 360 Lecture 3. Software Process The software process is a structured set of activities required to develop a software.
RUP RATIONAL UNIFIED PROCESS Behnam Akbari 06 Oct
What is a software? Computer Software, or just Software, is the collection of computer programs and related data that provide the instructions telling.
International Safety Rating System
Skiing and Boxing Coaching Product and Enterprise Teams 黃馨誼 蘇育光 修訂.
Part III: The Future: Scenarios, Conclusions, and Recommendations [of HSI Methods in System Development] Frank E. Ritter 26 feb 08 1.
An Iterative Method For System Integration
CLE Introduction to Agile Software Acquisition
Application Outsourcing: Achieving Success & Avoiding Risk
Continuous Delivery- Complete Guide
CSE 403 Software Engineering
VENDORS, CONSULTANTS AND USERS
Presentation transcript:

Embedding Security into a Software Development Methodology April 5 th, 8:30 AM Jonathan Minter Director, IT Development and Engineering Liberty University

2 Overview About the environment Establishing a software development methodology Changes made to the methodology relative to security Challenges, successes, and future direction

3 About the Environment Growing Christian liberal arts university in Lynchburg, VA 8,000 residential students 12,000 distance students Growing 20% per year for last several years Emphasis on growth continues Beginning phases of SCT Banner implementation

4 Liberty University IT CIO Library and Academic IT Support IT Support Operations IT Development and Engineering Application Development (11) Systems Development (4) Project Management (3) Verification and Testing (1 + students) Image Development (1)

5 Drivers for a Methodology Growing staff Impending ERP project with department- wide retooling Increasing complexity of projects Desire to align with industry best practices Desire for a training plan for developers

6 Establishing a Methodology Began in April 2004 Created task force of myself and three others –Developers –Project manager Methodology created by peers, not handed down by management Created in an iterative, incremental way

7 Goals of the Methodology Define areas of expertise and knowledge Enable communication among IT Development employees, customers, and other IS employees Flexible for all projects, large and small Flexible for each project to tailor the methodology Support iterative and incremental development

8 Overview of Phases

9 Structure of the Methodology Each phase is defined with the following components –Tasks –Artifacts –Questions to answer –Milestone for completion Project managers are responsible for enforcing the methodology

10 Current Status of the Methodology Finishing Stabilizing phase Slowly working through adoption –Department meetings –Empowerment of project managers –Personal conversations –Lessons learned –Management direction

11 Security and the Methodology Security must be considered throughout the lifecycle It is difficult to patch security onto a product after development Developers create vulnerabilities, just like they create bugs Business units must understand the nature of security as it applies to their systems All security problems are ultimately software problems

12 Interaction with the SEI Conversation started with Carol Woody at last year’s Security Professionals Conference Continued onsite in August 2004 After Carol’s visit and subsequent discussions, several changes were made to the methodology…

13 Methodology Changes - Envisioning Security Analysis –High-level view of application in the context of security –How sensitive is this product? –Integration into risk assessment –Use of security levels (Homeland Security style)

14 Methodology Changes - Planning Security Checklist –Focused on identifying specific security risks –Use of standard “Top 10” lists OWASP Top 10 SANS Top 10 –A guide to keep the developer focused on security during coding Integration into Requirements –Misuse cases –Engagement of product stakeholders

15 Methodology Changes - Developing Security Implementation –Use of security checklist developed in previous phase Peer Reviews –Validation that the checklist was followed Test Planning –Should include tests for security vulnerabilities –Setup for testing team

16 Methodology Changes - Stabilizing Security Testing –Testing against security checklist and requirements –Currently evaluating use of automated tools for vulnerability assessment Deployment Planning –Well documented deployment plan reduces hacking at go-live

17 Successes Security conversation has started –Developers –Business community at large Setup of Verification and Testing Unit –Oversee testing of all applications –Oversee deployments –Developer training on validation and security –“Defective software is insecure software” Slowly getting training and awareness –Circulation of articles and resources –Verification and Testing Unit a key part

18 Challenges Adoption of the methodology as a whole –Large scale change in behavior and culture –Can’t be mandated, must be internalized Same applies to security –Yesterday we didn’t care about security –Now we do… Difficulty in applying abstract security concepts to actual code Rapid pace of software development –Business users want features and assume security

19 Future Direction Refinement of methodology through use Adoption of security mindset throughout the University Better ground-level training of developers Use of automated tools to assist in testing Broadening methodology to better accommodate systems implementations vs. development efforts

20 Conclusion Questions/comments Contact Information: Jonathan Minter Director, IT Development and Engineering Liberty University