1. Cyber Operations and Risk Management Briefing
Using the Software Development Life Cycle Assessment and Software Development Matrix you create during the project, you will develop a Cyber Operations and Risk Management Briefing for your nation's CISO and other stakeholders. The
iefing will consist of a written evaluation and 10 page PPT with notes. The
iefing should include each of the following items:
· identification of the software assurance needs and expectations of the organization
· description of the key attributes of the cu
ent software development life cycle (SDLC)
· identification of any known supply chain risks
· identification of vulnerabilities in the existing software used
· identification of software options that could meet the organization's needs
· evaluation of software options and recommendation(s) for your organization, with each supported by a rationale
· evaluation of supply chain options and recommendation(s) for your organization, with each supported by a rationale
· explanation of the costs involved in your recommendations
· recommendations for contract language that would be used to ensure that supply chain, system, network, and operational security were met
Software Development Lifecycle
Page | 2
SOFTWARE DEVELOPMENT LIFECYCLE
Overview
A software development lifecycle (SDLC) “is a set of steps used to create software applications” (Jevtic, XXXXXXXXXXThe number of steps in this process is determined by the leadership in which elements of the planning should be combined and which need to be separated to track individual goals, in the article reviewed there are cu
ently 7 phases (Jevtic, XXXXXXXXXXTo remain vigilant in software security there are steps that must be taken throughout the development cycle of software creation. A primary goal for most engineers is program efficiency, as a program progresses through its lifecycle there will be several changes throughout its lifecycle such as resource requirement reductions, additional support for other systems, and security processes added to programs with identified vulnerabilities. Each software development team has a unique approach to completing the challenges of new software requirements, processes may vary if a newer procedure, process, or technology can be implemented into the software that improves performance based on customer inputs, and new design layouts such as new CPU or OS versions. The foundational performance of these tasks can be established by following the common phases of the SDLC models.
SDLC Phases
Though there are many software development models, most follow similar phases that allow for the development, design, and creation of a software product. Each phase is important and must be understood and well-planned to successfully launch a product and maintain usability for the length of the contract. The seven phases are:
Project planning
The initial stage of development of software is due to its ties with the cost estimations for the entirety of the project. The requirement of the software is outlined, roles are set, and potential timelines can be discussed if the software sounds feasible to create (Thampy, 2021).
Gathering Requirements and Analysis
Engineers and developers will work with the customer to determine specifically the purpose of the software to be developed, it is uncommon for the customer’s needs to completely align with another company. This can be attributed to factors such as the age of systems, OS in use, or virtualization or bare-metal systems for resource management. This process creates what is known as the “requirements document” (Ru
ight, n.d.) that outlines the functionality of the product, and interoperability with systems. This provides the engineers the guidance needed to identify potential issues with their solution to the software development. Careful consideration for communication is required during this phase as misinterpreting can lead to unsatisfactory results.
Design
The design and prototype phase begins whenever the requirements have been agreed upon by the customer and developer. Considerations for best courses of action for requirement fulfillment are discussed and workflow to determine steps can begin. This will include the possibility to design within the company or outsource pieces of the project. Storyboards, timelines, and programming languages are discussed, and the project creation process begins (Thampy, 2021).
Coding and Implementing
Writing the actual program is the beginning of this phase. At this point all the requirements should be known and how the layout of the project with completed software requirements agreed upon. Knowledge of the systems the customers use or intended use for the functionality of the program to select the programming language that will work with the system. This may be one of the longest phases depending on the complexity of the program, if there is no previous code that is similar or familiar everything will be new.
Testing
After the code has been written it is ready to begin testing to determine if it functions as it was designed and eliminate any e
ors in the code that can cause issues. This process is known by most people as an alpha test, when a product is released for testing by the customer it is known as beta-testing. This is prior to its final stage of software completion to have users help determine shortfalls in the program or any operational issues or conflicts with other programs on the system. This is very important due to the possibility that some requirements or the intentions of the program were misunderstood in the requirements document.
Deployment
Upon completion of alpha and beta-testing, the product is ready for initial roll-out. The developers will provide documentation for software installation, user guides, and troubleshooting support during this phase (Thawpy, XXXXXXXXXXThe expectation of customers to request additional help during this phase is common but the level of support varies depending on the IT staff of the customer.
Maintenance
Once a product has been completed there is a typical upkeep time that is required known as the maintenance and product end of life timeline. This is when any issues with the product can be addressed so long as the end of life of the product has not been reached or the product is superseded by another version or contractual obligation. While the phases are generic across the SDLC the general focus, development style concentrations, and timelines vary depending on which software development model is used.
SDLC Models
Waterfall Model
Sequential completion of one aspect of a project prior to beginning the next. It is the most simple and logical order to follow in theory. The advantages of this method are a focused effort in the development phase that is cu
ently being worked on. Pacing is consistent with all developers allowing input in each step. The shortfalls are the inability to piecemeal the work to meet a projected deadline if the beginning of the schedule is inte
upted. The loss of a developer or environmental disasters is a few possible issues that can completely derail timelines.
V Model
Known as the Verification and Validation method, this model follows the same step completion to progress method that the waterfall model follows, the exception is the testing and validation process prior to the initiation of the next step (Trunkett, XXXXXXXXXXThis greatly slows down the process due to the amount of testing and the validation of each portion of the previous step is completed in accordance with software requirements. The pros of this method are the assurance that the software performs as required throughout the building and development of the program. The cons of this method are that great care in planning must be performed at the outset of the project to determine where pitfalls and obstacles may arise.
Iterative Model
This model is used when there is not a definitive outcome of the requirements for the completed product. It begins with a simple idea and when the functionality is checked and verified it is then greenlit for the next iteration (Trunkett, XXXXXXXXXXThis focuses on speed of completion and improvement on the previous version. A functionality check is performed and improvements are requested from the development team. Functionality, visual layout, and compatibility changes may take place in accordance with new requirements, and the cycle repeats until the software is developed. The advantage is simplicity. The disadvantage with communications issues can render the product completely outside the bounds of the project, poorly defined goals, and time wasted in trial and e
or. The Agile model falls under the Iterative category. A great benefit to this process is the cost association, development only continues until a satisfactory product is delivered.
Identifying an SDLC
Our requirements for communication security, for the summit, should be the major requirement. To fulfill any software needs we may have the V-model would be the best fit for its constant verification processes, it would ensure that security is considered in each step and properly set. Identifying our cu
ent needs are as follows:
· Information from the databases needs protection from external threats, implementing compatibility with multi-factor authentication systems
· Removal of any secondary accesses to the software, this includes developer backdoors in the application that can become a vulnerability leveraged against the system for access
· Operation within the network environment used
These basic requirements of functionality are in alignment with the confidentiality, integrity, and availability triad. It will allow for a higher level of security while allowing access to all personnel with proper clearances.
Maturity Model
The development of software whether designed by external or internal designers should follow the Capability Maturity Model. “CMM is used as a benchmark to measure the maturity of an organization’s software process” (Martin, XXXXXXXXXXThis is also used to help identify the reliability of the program and how it functions overall. Feedback in this portion is very important, developers need to have insights into how the program functions, how it is presented to the intended users, and whether it can be improved. Terms like improved functionality are tied in with the maturity model, where the focus is on the maturity of the product itself. Here it answers the following:
· Can it become more refined or robust?
· What additional functions would be complementary to the immediate functions it provides?
The Capability Maturity Model is
oken into five stages:
1. Initial
2. Repeatable
3. Defined
4. Managed
5. Optimizing
This should be tied into the SDLC during the entire process. The initial stage of the CMM would begin when the design and prototype phase began it is the start point of monitoring the software and setting the baseline for project progression. This stage would progress through the repeatable and defined stages to the point where the last portion of the implementation phase would be completed and begin the testing and release phases, this would be the managed stage. Once a product has been issued to the customer to begin the maintenance phase it would then be in the optimization stage, where feedback is incorporated, and the requirements are met and improved.
Software Security
The new software must integrate with our cu
ent databases and must adhere to security guidelines for all countries involved. As the American team, guidance will come from NIST standards. This is best performed by understanding which databases the software will interact with