1 Software Engineering and Security DJPS April 12, 2005 Professor Richard Sinn CMPE 297: Software Security Technologies.

Presentation transcript:

1 Software Engineering and Security DJPS April 12, 2005 Professor Richard Sinn CMPE 297: Software Security Technologies

2 DJPS’ Members 1. Danai Wiriyayanyongsuk 2. Jack Leung 3. Patai Sangbutsarakum 4. Sanjaya Lai

3 Agenda Background Security System Overview Security Software Approach – CLASP – Threat Modeling – XSE Waterfall Model and Security References Question and Answer

4 Background The computer virus is an obvious example of a software security problem. Nimda first surfaced on September 18; it targets both server and client computers. Nimda propagated via e-mail attachments, shared files on servers, and web pages containing JavaScript.

5 Security System Overview A security system depends on: Hardware Software People Procedures Culture

6 Software in a Security System Server operating system, e.g. Windows TM. Network operating system, e.g. IOS. Database, e.g. Oracle. Application, e.g. ERP, CRM, virus scanner, API, etc.

7 Approaches Threat Modeling CLASP (Comprehensive, Lightweight Application Security Process) XSE (Extreme Security Engineering)

8 Extreme Security Engineering (XSE)

9 XP & XSE What is Extreme Programming (XP) – An "agile" software development methodology characterized by face-to-face collaboration between developers and an on-site customer representative, limited documentation of requirements in the form of "user stories," and rapid and frequent delivery of small increments of useful functionality. What is Extreme Security Engineering (XSE) – An adoption of "agile" software development principles in general, and XP practices in particular, to security engineering and security development projects. – XSE is meant to help projects developed for business customers achieve “good enough security” without fixing in advance what that means. Relation Between XP & XSE – XSE implements XP-styled “patterns” to deliver “good enough security” to customers, not the opposite, “absolute” security. – XSE exists alongside XP.

10 XSE: “Good Enough Security” Defined by the customer, NOT by the security engineer. Simple, small, and secure. Provides what the customers want, no more and no less.

11 Inside XSE: Detail Planning game/objective User stories Small releases Testing Continuous integration Simple design and refactoring Pair development On-site customers

12 XSE: Advantages Increased customer satisfaction Lower defect rates Faster development times Able to handle rapidly changing requirements caused by budget priorities and business processes Gives customers the freedom to adjust security requirements as often as they want

13 XSE: Limitations XSE works best when it coexists with XP. Difficulty (in some projects) of creating a staging environment where early versions of the solution are deployed. Hard to perform incremental security testing.

14 Threat Modeling

15 What is Threat Modeling? Threat modeling allows you to systematically identify and rate the threats that are most likely to affect your system, so you can address and prioritize threats starting with the greatest risk.

16 Threat Modeling: Principles Threat modeling is an iterative process: it starts during the early phases of design and continues throughout the application development life cycle.

17 Threat Modeling: Process 1. Identify assets 2. Create an architecture overview 3. Decompose the application 4. Identify the threats 5. Document the threats 6. Rate the threats

18 TM’s output document: Audience – Designers make secure design choices. – Developers use it to mitigate the risks. – Testers write test cases for the identified vulnerabilities.
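The six-step process on the preceding slides, carried through as an added example (not code from the presentation or its sources): assets are listed, the architecture is decomposed into components with their entry points, each threat is documented with a mitigation, and the threats are rated so the output document lists the highest risk first for designers, developers and testers. The 1..5 scales and the risk = likelihood × impact formula are assumptions chosen for illustration; the slides do not prescribe a rating scheme, and the assets, components and threats are a constructed sample.

```python
"""Minimal threat-model document following the slide's six steps.
Added example; rating scheme (risk = likelihood * impact, 1..5 scales)
and all sample data are assumptions, not taken from the presentation."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value: int            # 1 (low) .. 5 (critical), assumed scale


@dataclass
class Component:
    name: str
    entry_points: list    # where untrusted input reaches the component
    trust_boundary: bool  # True if callers on the other side are untrusted


@dataclass
class Threat:
    title: str
    target: str           # component name
    asset: str            # asset name
    likelihood: int       # 1..5, assumed scale
    impact: int           # 1..5, assumed scale
    mitigation: str
    risk: int = field(init=False)

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("ratings must be in 1..5")
        self.risk = self.likelihood * self.impact


def build_model():
    """Steps 1-5: identify assets, overview and decompose, identify and
    document threats. All values are a constructed sample."""
    assets = [Asset("customer records", 5), Asset("service availability", 3)]
    components = [
        Component("web front end", ["HTTP form fields", "cookies"], True),
        Component("database", ["SQL from the app tier"], False),
    ]
    threats = [
        Threat("SQL injection via search field", "web front end",
               "customer records", 4, 5,
               "parameterised queries, input validation"),
        Threat("Session cookie theft over plain HTTP", "web front end",
               "customer records", 3, 4,
               "Secure and HttpOnly cookie flags, TLS only"),
        Threat("Connection-pool exhaustion from slow queries", "database",
               "service availability", 2, 3,
               "query timeouts, rate limiting"),
    ]
    return assets, components, threats


def rate_threats(threats):
    """Step 6: order threats by risk, highest first."""
    return sorted(threats, key=lambda t: t.risk, reverse=True)


def render_document(assets, components, threats):
    """The output document read by designers, developers and testers."""
    lines = ["ASSETS"]
    lines += [f"  {a.name} (value {a.value})" for a in assets]
    lines.append("COMPONENTS")
    for c in components:
        kind = "trust boundary" if c.trust_boundary else "internal"
        lines.append(f"  {c.name} [{kind}] entry points: "
                     f"{', '.join(c.entry_points)}")
    lines.append("THREATS (highest risk first)")
    for t in rate_threats(threats):
        lines.append(f"  risk {t.risk:2d}  {t.title} -> {t.target}; "
                     f"asset: {t.asset}; mitigate: {t.mitigation}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_document(*build_model()))
```

Because the model is iterative, re-running the script after a design change simply re-rates the list; the prioritized order is what lets testers pick which vulnerabilities to write test cases for first.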

19 Threat Modeling: Advantages Prioritizes the risk of each threat. Ensures that security is built into the product. Helps prevent bugs from the design phase onward. Eliminates potentially costly patches later.

20 Threat Modeling: Limitation Requires time, effort, and a large number of resources.

21 CLASP Comprehensive, Lightweight Application Security Process

22 CLASP: Definition A set of process pieces for secure application development. A plug-in for the Rational Unified Process (RUP) environment. Also a stand-alone process.

23 CLASP: What is CLASP (Cont’) Effective and easy to adopt. Activity-centric approach. Defines 30 core activities.

24 CLASP: Some of the 30 core activities

Activity                                     | Owner                  | Participants
Identify user roles and requirements         | Requirements Specifier |
Specify resource-based security properties   | Software Architecture  |
Perform source-level security review         | Security Auditor       | Implementer
Identify and implement security tests        | Test Analyst           | Security Auditor

25 CLASP: Limitations Driven by Secure Software, Inc. and IBM (not by a standards organization). Requires security expertise.

26 Waterfall Model and Security

27 What is the Waterfall Model A sequence of stages in which the output of each stage becomes the input for the next. The Waterfall model is a different model from the iterative model.

28 What is the Waterfall Model (Cont’) Example of the Waterfall model’s stages: – Requirements and use cases – Design – Test plans – Code – Test results – Field feedback

29 Advantages of the Waterfall Model Clearly states the progress of the development stages – Good for project management – Engineers know their tasks Good for short-lifetime projects

30 Disadvantages of the Waterfall Model Difficult (expensive) to accommodate change after the process is underway Does not allow for much revision Does not work with complex systems

31 Plain Waterfall Model (Figure: the plain waterfall stages in order: Requirements and use cases, Design, Test plans, Code, Test results, Field feedback)

32 Waterfall Model and Security (Figure: security touchpoints overlaid on the waterfall stages. Touchpoints: Security requirements, Abuse cases, Risk analysis, External review, Risk-based security tests, Static analysis (tools), Risk analysis, Penetration testing, Security breaks. Stages: Requirements and use cases, Design, Test plans, Code, Test results, Field feedback)
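Two of the touchpoints in the figure, abuse cases written against the requirements and risk-based security tests written against the code, shown together as an added example; it is not code from the presentation, and it also illustrates the CLASP activity "Identify and implement security tests" and the XSE "Testing" practice from earlier slides. The scenario is constructed: a download feature takes a file name from the user and the requirement is that it may only ever serve files below a fixed base directory (the `/srv/app/downloads` path is an assumption). The abuse cases are what a misuser of that requirement would try, and each one becomes a test that the code must reject.

```python
"""Abuse cases turned into risk-based security tests for a constructed
download feature. Added example; the base directory and the abuse cases
are assumptions, not from the presentation."""
import os

BASE_DIR = "/srv/app/downloads"   # assumed location of servable files

# Abuse cases derived from the requirement "users may only fetch files
# inside BASE_DIR". Each one is a constructed input that must be rejected.
ABUSE_CASES = [
    "../../etc/passwd",        # parent-directory traversal
    "/etc/passwd",             # absolute path ignores the base directory
    "reports/../../secret",    # traversal hidden behind a valid prefix
    "report.pdf\x00.txt",      # NUL byte can truncate the path in C libraries
    "",                        # empty name
]

# Use cases the feature must still serve.
LEGITIMATE = ["report.pdf", "reports/q1.pdf"]


def resolve_download(base_dir, name):
    """Return the absolute path to serve, or None if the request is rejected.

    Purely lexical checks so the example runs without the files existing;
    a real service would also resolve symlinks with os.path.realpath.
    """
    if not name or "\x00" in name:
        return None
    if os.path.isabs(name):
        return None
    base = os.path.normpath(base_dir)
    candidate = os.path.normpath(os.path.join(base, name))
    # The result must stay strictly below base; commonpath (not a string
    # prefix test) also rejects sibling directories such as "downloadsX".
    if os.path.commonpath([base, candidate]) != base or candidate == base:
        return None
    return candidate


def run_security_tests(base_dir=BASE_DIR):
    """Risk-based security tests: every abuse case must be rejected and
    every legitimate name must resolve inside base_dir.
    Returns the list of failures (empty means all tests passed)."""
    failures = []
    for bad in ABUSE_CASES:
        if resolve_download(base_dir, bad) is not None:
            failures.append(f"accepted abuse case {bad!r}")
    for good in LEGITIMATE:
        path = resolve_download(base_dir, good)
        if path is None or not path.startswith(base_dir + os.sep):
            failures.append(f"rejected legitimate name {good!r}")
    return failures


if __name__ == "__main__":
    problems = run_security_tests()
    print("all security tests passed" if not problems else "\n".join(problems))
```

Keeping the abuse cases as data makes the link between touchpoints explicit: when the requirements change, the abuse-case list changes with them, and the test run at the Code stage immediately shows which risks the implementation no longer covers.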

33 Last but not Least The following are highly recommended: – Recurring risk tracking – Monitoring activities

34 Conclusion No silver bullet for security. Carefully adopt the proper security processes that fit your project needs. It is possible to combine more than one technique. Security is an iterative process.

35 References

36 Q & A