Security should be introduced into the SDLC in each stage of development to save time and money because security costs will only increase in SDLC, so any vulnerabilities discovered early in the cycle is beneficial to the organization.
Planning -The organizations' core security concepts, principles, and strategies should be written and taken into consideration alongside the planning phase. Employees training and awareness on core concepts, common threats, policies, and procedures should be organized so they are able to evaluate security risks and keep the SDLC secure.
Analysis -Security requirements and goals should be gathered and potential threats and security breaches should be identified from both internal and external sources. This should be both a manual and technical analysis.
Design -Perform an
…show more content…
Security training can be provided to project managers and architects in this stage to perform these tasks.
Development - A risk assessment should be done and use the results as a baseline for security controls to review coding standard, libraries, and practices. Developers should be trained to identify coding vulnerabilities in this stage.
Testing- Test plans that show how to verify each security requirement. Prioritize a list of vulnerabilities from the automated and manual analysis.
Implementation -Implement procedures for existing authentication, access, controls, encryption, and backup. Security features should be configured enabled and verified. A final security review should be performed and engineer staff should test functionality and watch for any errors in configuration at this stage. A monitoring response plan can be put in place so IT knows the procedures when dealing with security breaches.
Maintenance - Systems and products should be monitored and periodic maintenance performed to evaluate that the system and security are up to
During SDLC phase one, the initiation phase, “the need for a system is expressed and the purpose of the system is documented” (NIST, 2008). Some of the expected outcomes from this phase would be a project plan and schedule; system performance specifications outlining the operational requirements, system design documents, and a document that defines roles and responsibilities. The corresponding RMF step, security categorization, establishes the foundation for security standardization among information systems and provides a vital step towards integrating security into the information system (NIST, 2008). During this step, the type(s) of information processed by the information system are identified and the information system is categorized to determine the level of protection requirements to put in place. Some of the expected outputs of this step include a security project plan and schedule, documented system boundary, the system categorization, and the security roles and responsibilities. These two process steps are very similar except the focus of RMF is on information security related functions. In some cases, SDLC produces the expected outputs that RMF requires, and the security professionals only require a copy of the documentation for their records. For example, the system design document often depicts the system boundary. The reason this step is so critical is that it
Differentiate between key security ideas, perceive the parts, reference screen, and security portion in ensuring the application security.
Identify at least 3-5 potential information security risks that the lab may be exposed to and propose counter measures for addressing those risks. Identify security technology and products that could be used to protect the lab environment from these risks. Use
Another step involves security checks upon implementation and describes agency-level threat to the business scenario or the mission. It similarly entails sanctioning the information system for processing and lastly constant monitoring of the security controls. FISMA and NIST's standards are aimed at offering the ways for agencies to achieve their identified missions with safety commensurate with the threat (United States Department of Agriculture, 2015). Together with guidelines from the Office of Management and Budget (OMB), FISMA and NIST create a framework for advancing and growing an information security scheme (SecureIT, 2008). Such framework includes control descriptions and evaluation, program development, and system certification and accreditation. The final objective involves conducting daily functioning of the agency and achieving the agency's articulated objectives with sufficient security commensurate with risk.
Operations and Structure- to enable the security professional to carry out effective planning on the
An important part of this training will involve communicating key parts of the security policy so that employees will have an adequate understanding of potential threats and their remedy.
This paper serves to direct the development team along a pathway of security, with the intent to share information about the most secured manner to implement this project. It must first be acknowledged that for information to be secured, information security must be integrated into the SDLC from system inception. The early integration of security in the
Phase 6 - conduct a vulnerability assessment according to NIST SP 800-115: Technical Guide to Information Security Testing;
The Risk assessment will be a vital part of the whole security plan which is a document which basically covers the whole
Miller Inc. which is in the business of providing data collection and analytics services relies majorly on network security to keep its competitive advantage. This is because the customers that rely on the company's system trust that since there are sufficient security measures that have been ensured, they can store their data securely. Each of the functional models of the system should have sufficient security measures to ensure that complete security of the whole system architecture is achieved. The three functional modules are the backend module, services or operation module and customer access module. The major relationship between infrastructure and security comes in the role they play to ensure that the end user gets the data that they need when they need it and in the best way possible. Therefore for the three modules, there is a need to balance security with the right infrastructure.
Application of context to scan results – to determine which infrastructure vulnerabilities should be targeted first and most aggressively.
In the three maintained products the threats and risks are to be identified. Such as the data base securing, user identification, authorizing proper managers, protections from hackers and updated firewalls and less vulnerable software.
Security professionals are involved in the development life cycle. The date owner with the help of the senior management and the security team lead the projects.
Security development lifecycle are the steps that software development goes through in a bid to come up with software that is able to withstand cyber security concerns such as worms and viruses, cyber-attacks, and loss of data. There are various steps outlined that can assist in the development of secure software (Dahal, 2012).
Designing a working plan for securing the organization s information assets begins by creating or validating an existing security blueprint for the implementation of needed security controls to protect the information assets. A framework is the outline from which a more detailed blueprint evolves. The blueprint is the basis for the design, selection, and implementation of all subsequent security policies, education and training programs, and technologies. The blueprint provides scaleable, upgradeable, and comprehensive security for the coming years. The blueprint is used to plan the tasks to be accomplished and the order in which