
Importance of an Effective Application Design and Development Life Cycle

A strong, well-defined Software Application Design and Development Life Cycle is essential in any organization that develops critical applications like medical applications, nuclear plant control applications, missile control applications, gas / oil pipeline control applications, electricity control applications, banking applications, and rail network control applications.

Effective time has to be spent during the initial phases of the development life cycle, Requirements Gathering and Analysis and Architecture & Design, to understand thoroughly the expectations and requirements of the application.

These phases should also cover non-functional requirements like processing time, response time, integrity, availability, scalability, flexibility, usability, reliability, and security. Integrity and security of the data are crucial and have to be considered at each phase of the design and development life cycle. All applicable functional and non-functional requirements should be given sufficient consideration at the design stage through adequate thinking.

At each phase, a strong risk assessment focus should be maintained, bringing out what can go wrong.

Based on the risk assessment results, the necessary risk mitigation or risk control steps have to be built into the applications or into the procedures governing those applications, like segregation of duties among the employees and multiple checks. Some of these controls can be built into the application itself, such as routing a transaction for a second check before it is debited to the account.

Programming languages and the code itself may give rise to security issues. Secure coding standards are emerging.

Application architects, designers and developers are learning from various issues they have encountered, technical / technological loopholes or deficiencies they have observed, or those which were reported in the media, and so on. Deficiencies of the third-party tools used and deficiencies of the underlying platforms, including those of the operating system and the database systems, have to be considered.

Strong testing at the various phases of development, right from Unit Testing to System Testing to Integration Testing, has to be ensured. When changes are carried out to existing products, Regression Testing has to be ensured. These tests complement each other and have to be done without fail. The test cases and the corresponding test data have to be well thought out and included as part of the Test Case Design. Similarly, testing should focus not only on what the application is expected to do but also on what it must not do.

Unfortunately, “thinking” consumes (as per my knowledge of our brain's working) lots of energy. Hence, as human beings, we hesitate to carry out adequate thinking. In order to ensure that applications are effective, i.e., they do only what is expected and do not do what is not expected of them, adequate and sufficient thinking has to be carefully provided during each and every phase of the Application Design and Development life cycle. This pro-activeness on our part can lead to effective, strong, and robust applications which are capable of protecting the users / end-users and their interests.

Important Guidelines for Secure Design and Development

Any software design and development team typically adheres to the following generic guidelines, which are illustrated in Figure 6-2:

• Understand the Security Requirements of the application (functionality and data related) and document them as part of the Requirements Specifications Document.

• Ensure that the Security Requirements are considered during Architecture and Design.

• Follow Secure Coding Standards.

• Validate all the inputs, including boundary checks, checks against allowed values, and format checks.

• Ensure strong login mechanisms (including the need for strong passwords).

• Ensure encrypted transmission of data where the confidentiality of the data has to be maintained and integrity is of prime importance, as in banking applications, medical software involving patient health and safety, aviation, nuclear safety, military systems and weaponry, satellite systems, and other such critical domains / systems.

• Ensure periodic mandatory change of passwords.

• Assign appropriate privileges / access rights to the various processes of the application and the various roles, working on the Least Privilege Principle.

• Handle errors appropriately (including customized error messages which do not give out unnecessary information).

• Build appropriate exception handling mechanisms into the application.

• Configure appropriately: all settings have to be made correctly.

• Use vetted algorithms.

• Include counter checks to ensure complete and accurate processing of critical operations.

• Eliminate all unwanted / unused functions and routines.

• Ensure proper log out mechanisms.

• Use secure protocols.

• Ensure proper logging and auditing mechanisms.

• Have strong configuration management during development.

• Have strong testing.

• Have strong control over software releases.

Figure 6-2. Software Design & Development Life Cycle Discipline
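As an added illustration (not the handbook's own code), the following Python sketch applies several of the guidelines above to the second-check transaction described earlier: every field of a transfer request is validated for format, boundary and allowed values; the maker who submits a request cannot be the checker who releases the debit (segregation of duties); a counter check confirms the ledger total is unchanged after posting; and the errors raised carry only user-safe messages. The account format, currency list, ceiling, account numbers and user names are all constructed for this example.

```python
import re
from dataclasses import dataclass, field
# Constructed rules: accounts are two letters + eight digits; currencies come from
# an allow-list; amounts are whole cents below a ceiling (the boundary check).
ACCOUNT_RE = re.compile(r"[A-Z]{2}\d{8}")
ALLOWED_CURRENCIES = {"USD", "EUR", "INR"}
MAX_AMOUNT_CENTS = 100_000_000  # 1,000,000.00

class TransferError(ValueError):
    """Carries a user-facing message only; internal details belong in the log."""

def validate_transfer(src, dst, amount_cents, currency):
    """Format, boundary and allowed-value checks on every field of the request."""
    for label, acct in (("source", src), ("destination", dst)):
        if not isinstance(acct, str) or not ACCOUNT_RE.fullmatch(acct):
            raise TransferError(f"invalid {label} account format")
    if src == dst:
        raise TransferError("source and destination must differ")
    if isinstance(amount_cents, bool) or not isinstance(amount_cents, int):
        raise TransferError("amount must be a whole number of cents")
    if not 1 <= amount_cents <= MAX_AMOUNT_CENTS:
        raise TransferError("amount outside permitted range")
    if currency not in ALLOWED_CURRENCIES:
        raise TransferError("currency not supported")
    return {"src": src, "dst": dst, "amount": amount_cents, "currency": currency}

@dataclass
class Ledger:
    balances: dict                                # account -> balance in cents
    pending: dict = field(default_factory=dict)   # tid -> (maker, transfer)
    audit: list = field(default_factory=list)     # (event, tid, actor) trail
    def submit(self, maker, transfer):
        """The maker records the request; nothing is debited at this point."""
        tid = len(self.audit) + 1
        self.pending[tid] = (maker, transfer)
        self.audit.append(("submitted", tid, maker))
        return tid
    def approve(self, checker, tid):
        """A different person releases the debit; a counter check then runs."""
        maker, t = self.pending[tid]
        if checker == maker:
            raise TransferError("approver must differ from submitter")
        if self.balances.get(t["src"], 0) < t["amount"]:
            raise TransferError("insufficient funds")
        before = sum(self.balances.values())
        self.balances[t["src"]] -= t["amount"]
        self.balances[t["dst"]] = self.balances.get(t["dst"], 0) + t["amount"]
        if sum(self.balances.values()) != before:   # counter check on the posting
            raise RuntimeError("ledger total changed; posting must be investigated")
        del self.pending[tid]
        self.audit.append(("approved", tid, checker))
        return self.balances[t["src"]]
```

The negative cases (wrong format, zero or fractional amounts, an unknown currency, the maker approving their own request) are the "what it should not do" tests the text calls for.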

Some of the important secure coding practices that an application design and development team is required to follow are illustrated in Figure 6-3.

Figure 6-3. Secure Coding Considerations
