Chapter 10

10.1 Software development security

Usual trend of dealing with security: releasing software, finding weakness in software, posting weaknesses, developing and post patch, adding new patch and network administrators test and install them.

10.2 Software development life cycle

Initiationèacquisition/developmentèimplementationèoperation/maintenanceèdisposal

Initiation: need? Link between mission and performance; budget; security, and risk analysis.

Acquisition/ development: market search; feasibility; require analysis; cost and benefit analysis; cost analysis; RM plan; software conversion study; acquisition plan; risk analysis; security requirement analysis; evaluation.

Implementation: Installation and training how to use is; software check and test; security certification and accreditation.

Operation/maintenance: performance evaluation; operations and maintenance; contract modification; configuration and control.

Disposition: appropriateness of disposal; exchange and sale; internal screening; transfer and donation; contract closeout; information protect; media sanitization; hardware and software disposal.

10.3 Software development models and Capability maturity model integration

Build and fix model: no real plan, build and fix at same time.

Waterfall model: feasibilityè analysisè designè implementè test è maintain è feasibility.

V-shaped model: requirementsè high-level designèlow-level design è implementation è unit testing è integration testing è system testing. Requirements and system testing are system test planning; high-level design and integration testing are integration test planning; low-level design and uniting are unit test planning.

Prototyping: creating a sample or model of the code for proof-of concept purposes.

Incremental: multiple development cycle are carried out on a piece of software throughout its development stages. Each phase provides a usable version of software.

Spiral: Iterative approach that emphasizes risk analysis per iteration. Allows for customer feedback to be integrated through a flexible evolutionary.

Rapid application development: combines prototyping and iterative development procedures with the goal of accelerating the software.

Agile: iterative and incremental development process that encourage team-based collaboration. Flexibility and adaptability are used instead of a strict process structure.

Initial è repeatable è defined è managed è optimizing.

10.4 Mobile code and web security

Mobile code = the code can transport in network.

Information gathering: collection information, it always is first step in an attacker’s methodology..

SSI: server side includes is an interpreted server-side scripting language used almost exclusively for web-based communication.

Client-side validation: Input validation at client before sent to server.

Parameter validation: before accept data from server, checking values first.

10.5 Database Management:

Management’s job: decision making

Data analyst: presentation of data, data mining, exploitation of data.

Programmer, database administrator’s job: data warehouses, data marts, data sources.

Database: a place where data stored in.

DBMS: system which manage and control database.

Relational database model: using attributes and tuples to contain and organize information.

Hierarchical data model: combines records and fields that are related in a logical tree structure.

Object-oriented database: better than original database, it can process images, audio, documents and video.

ORD: object-relational database is a relational database with a software front end that is written in an object-oriented programming language.

Schema: using to describe how data will be organized.

Data dictionary: defined elements.

Primary key: the key of relational databases.

10.6 Expert system, artificial neural network (ANN), and malware

Expert systems: an expert system is a computer program containing a knowledge base and aa set of algorithms and rules used to infer new facts from data and incoming requests.

ANN: a mathematical or computational model based on the neural structure of the brain.

Virus: it is a segment of code that searches out hosts and infects them by embedding a copy of themselves.

Malware components: insertion(install itself), avoidance(avoid system checking), eradication(remove itself), replication(copy and spread to others), trigger(uses an event to initiate its payload execution), payload(processing its function).