
Glenn Research Center at Lewis Field: Software Assurance of Web-based Applications (SAWbA). Tim Kurtz, SAIC/GRC. Software Assurance Symposium 2004.



Presentation transcript:

Slide 1: Software Assurance of Web-based Applications (SAWbA). Tim Kurtz, SAIC/GRC. Software Assurance Symposium 2004.

Slide 2: Agenda
– Problem
– Solution
– Pilot Project
– Pilot Results
– Future Activities

Slide 3: Problem
NASA is embracing the use of web-based applications (web-apps) to monitor, control and conduct space experiments, as well as for business-type applications. Internet commercialization has resulted in the development of software assurance practices that ensure the proper operation of commercial web-apps. NASA needs to identify and adopt a set of software assurance practices to ensure the successful operation of the web-apps that monitor, control and conduct space experiments.

Slide 4: Solution
Implement the same types of controls on web-app development that are used on other types of software development:
– Requirements management
– Configuration management
Audit and review projects' web-app development activities using a set of checklists that address:
– Management concerns
– Development concerns
– Internet-specific concerns

Slide 5: Checklists
– Project Management
– Planning
– Schedule
– Requirements Engineering
– Software Design
– Page Usability and Accessibility
– Form Design
– Web Site Navigation
– Privacy Policy
– Security

Slide 6: Pilot Projects
Micro-gravity Combustion / CMM level 2 pilot projects:
– GUI Experiment Control Screens
– Control and conduct fluids/combustion experiments
– Dynamically control experiments and display data
Web-based database access application:
– Risk Management tool
– Interfaces with Oracle database
– Uses forms to provide interfaces

Slide 8: Project Management
Generally compliant project management activities for a project of this type.
Problems identified:
– Lack of an established process to monitor the project and detect problems and departures from the baseline

Slide 9: Planning
Generally compliant planning activities for a project of this type.
Problems identified:
– None

Slide 10: Schedule
Generally compliant scheduling activities for a project of this type.
Problems identified:
– No defined and documented process to develop the project schedule
– Risk plan not documented
– Historical duration data not available for project activities
– Activity durations were not reviewed by people experienced in those activities
– Float time not documented for all activities not on the critical path
– Schedule did not include a time reserve for contingencies and unforeseen events

Slide 11: Requirements Engineering
Generally compliant requirements engineering activities for a project of this type.
Problems identified:
– Design detail has been included in the requirements
– Members of the requirements change board have not been identified
– Impact analysis not performed for proposed requirements changes
– No process in place to maintain and control the different versions of the requirements specification [When requirements change, the version number is updated in the filename of the document]

Slide 12: Software Design
Generally compliant software design activities for a project of this type.
Problems identified:
– Applicable and efficient design methods (SHDT, WSDM, VHDM, etc.) not implemented on the project
– Configuration control process not implemented

Slide 13: Usability and Accessibility
Page usability features were better addressed by the project than accessibility features.
Problems identified:
– Graphs and charts not summarized or explained with the longdesc attribute
– Alternate content not provided when scripts, applets and plug-ins are used
– Pages were not validated with an HTML validator
– Pages may not display correctly in all intended browser versions [Did not list browser versions, but works in Netscape]
– Page size not optimized for 800x600 pixel displays

Slide 14: Form Design
Generally compliant form design activities for a project of this type.
Problems identified:
– Instructions not provided to show how to complete and submit the form
– Form not usable by users who use screen readers or are unable to operate a mouse
– Users not prompted to enter required information on the form
– Form does not check the logic of the responses

Slide 15: Web Site Navigation
In general, web site navigation was well implemented, although some of the pages suffered from problems navigating within the page.
Problems identified:
– Default colors for links and visited links not used
– Some pages did not contain at least one link [charts, reports]
– Pages longer than two screens did not contain Return to Top links
– Not all links link to the page they say they do

Slide 16: Privacy Policy
Due to the type of application being developed, this project did not implement a privacy policy, and the majority of the checklist was not applicable.
Problems identified:
– Web-app does not have a privacy policy

Slide 17: Security
In general, security planning activities were not performed for this project; security was viewed as a part of the release process and not addressed prior to implementation.
Problems identified:
– No security plan had been prepared that describes the necessary security mechanisms and security procedures that apply to this web-app [Database is TBD]
– Security plan did not identify all of the key services of the web-app, including the Domain Name System (DNS), firewall, databases, and Internet link [Database is TBD]
– A threat and risk assessment had not been performed on the web-app
– No system in place to capture and report illegal, unusual or unexpected input to the web-app
– Disaster recovery plan for the web-app had not been prepared and tested
– Changes not reviewed and tested from a security perspective before implementation
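Three of the findings above, from the Form Design slide (users not prompted for required information, logic of the responses not checked) and the Security slide (no system to capture and report illegal or unexpected input), can be addressed in one server-side form handler. The following is an added example, not code from the SAWbA pilot projects; the field names, the experiment-id format and the fuel-flow limits are assumptions standing in for a combustion experiment control form.

```python
import logging
import re
# Added example, not from the SAWbA presentation: server-side form handling that
# prompts for required fields, checks the logic of the responses, and captures
# and reports illegal or unexpected input. Field names and limits are assumed.
audit_log = logging.getLogger("webapp.input")
REQUIRED = ("experiment_id", "operator", "fuel_flow_slpm", "igniter")
EXPERIMENT_ID_RE = re.compile(r"^[A-Z]{2,4}-\d{3}$")   # assumed format, e.g. CMB-042
FLOW_LO, FLOW_HI = 0.0, 5.0                            # assumed limits, standard L/min

def validate_form(fields, client="unknown"):
    """Return (clean_values, user_errors, audit_events); audit events also go to the logger."""
    clean, errors, audit = {}, [], []
    def report(field, value, why):  # capture unexpected input for later review
        event = f"client={client} field={field} value={value!r} reason={why}"
        audit.append(event)
        audit_log.warning("unexpected input: %s", event)
    # Required-field check: tell the user exactly what is missing.
    missing = [n for n in REQUIRED if not str(fields.get(n, "")).strip()]
    if missing:
        return clean, [f"{n} is required" for n in missing], audit
    # Format check: a malformed experiment id is both a user error and an audit event.
    exp_id = str(fields["experiment_id"]).strip()
    if EXPERIMENT_ID_RE.match(exp_id):
        clean["experiment_id"] = exp_id
    else:
        errors.append("experiment_id must look like ABC-123")
        report("experiment_id", exp_id, "bad format")
    # Range check on a numeric control value; non-numeric input is reported too.
    try:
        flow = float(fields["fuel_flow_slpm"])
    except ValueError:
        flow = None
    if flow is not None and FLOW_LO <= flow <= FLOW_HI:
        clean["fuel_flow_slpm"] = flow
    else:
        errors.append(f"fuel_flow_slpm must be a number between {FLOW_LO} and {FLOW_HI}")
        report("fuel_flow_slpm", fields["fuel_flow_slpm"], "not numeric or out of range")
    igniter = str(fields["igniter"]).strip().lower()
    if igniter in ("on", "off"):
        clean["igniter"] = igniter
    else:
        errors.append("igniter must be 'on' or 'off'")
        report("igniter", igniter, "unexpected value")
    # Logic check across fields: the igniter must not be on with zero fuel flow.
    if clean.get("igniter") == "on" and clean.get("fuel_flow_slpm") == 0.0:
        errors.append("igniter cannot be on when fuel flow is 0")
    clean["operator"] = str(fields["operator"]).strip()
    return clean, errors, audit
```

The returned audit events are what a reviewer would route to the reporting system the checklist asks for; the user-facing errors go back to the form page.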

Slide 18: Summary Results
– Use of the checklists was effective in identifying problems the project was not aware of
– Checklists should be used at appropriate times during development, not at the end

Slide 19: Future Activities
– Roll out Best Practices and Checklists to NASA via the SAWbA website: http://osat-ext.grc.nasa.gov/rmo/sawba
– Apply the checklist on the other pilot project when it becomes more mature
