Methods to Improve the Quality of Software Development

Dr. Aly, O.
Computer Science

Introduction

The purpose of this discussion is to discuss and analyze methods to improve the quality of software development, to reduce the number of errors, and to include security in the development cycle.

Security Implication of Compiled Code vs. Interpreted Code

Software is a core building block of the Information Technology infrastructure, and applications are the outcome of software development.  Applications provide a way to achieve tasks related to the input, processing, and output of data. Moreover, applications are used to store, retrieve, process, transmit, or destroy data.  Thus, applications are critical with respect to security (Srinivasan, 2016).

Security should be considered at every stage of system development, including the software development process.  Software developers exert effort to build security into every application they develop, with higher levels of security for critical applications and those which process sensitive information.  Security should be considered at an early stage of software development because it is much easier to build security into a system than to add it to an existing system (Abernathy & McMillan, 2016; Srinivasan, 2016; Stewart, Chapple, & Gibson, 2015).

Software development languages can use either compilation or interpretation to execute programs.  Languages such as C, Java, and Fortran are compiled languages which use a compiler to convert the higher-level language into an executable file designed for use on a specific operating system.  The executable file is then distributed to end users. It is not possible to modify an executable file. Other languages such as JavaScript and VBScript are interpreted languages.  When using these interpreted languages, the developers distribute the source code, which contains the instructions in the higher-level language.  The end users use an interpreter to execute that source code on their systems and can view the original instructions written by the developers (Abernathy & McMillan, 2016; Srinivasan, 2016; Stewart et al., 2015).

Each approach has security advantages and disadvantages.  Compiled code is less prone to manipulation by a third party.  However, it is also easier for malicious or unskilled developers to embed backdoors and other security flaws in the code and escape detection, because the end users cannot view the original instructions.  Interpreted code is less prone to the insertion of malicious code by the original developer because the end users may view the code and check it for accuracy.  However, the original version of the interpreted software can be modified by a third party to embed malicious code (Abernathy & McMillan, 2016; Srinivasan, 2016; Stewart et al., 2015).

Security Controls in Software Development

The process of software development involves four significant phases: design, development, testing, and integration.  The development, test, and operational facilities must be separated.  Thus, access to the operating systems by developers and quality assurance engineers should be controlled and limited to prevent inappropriate developer access to the production system.  The separation of development, test, and operational facilities should be implemented to prevent unintended changes to the operational system.

Changes to software or applications should be implemented formally using a change control process and procedures to ensure that changes in the development process and implementation are made in a controlled manner.  A change control process can help prevent the corruption of data or programs.  When there is a change to a system or application, a risk assessment of the impact of the proposed change must be performed.  The appropriate security controls based on this risk assessment should also be implemented.  A technical review of the security of the application should be performed after any change to the operating system. Integrity procedures should be implemented to ensure that any change, whether at the application level or the operating system level, is reflected in the risk assessment and in the application of the proper security measures.  Moreover, the change control process and procedures should consider the business continuity security requirement and include the required tests for the business continuity plan (BCP) (Srinivasan, 2016).

In the case of vendor-supplied software packages, any changes to the software by internal developers should be avoided.  If changes are required, they can be implemented at the vendor side or by the internal developers after obtaining consent from the vendor.  This process can ensure the validity of the warranty.  Moreover, any patches from the vendor should be tested first in a test environment which is separated from the development and production environments.  The test environment should be capable of rolling back the patch in case of failure or any security hole.  Moreover, covert channels should be avoided, as developers with malicious intent can use them to provide a path for information leakage or to circumvent security controls.  Thus, covert channel analysis is required to ensure data confidentiality (Srinivasan, 2016).

Software Development Security Best Practices

In an effort to support the goal of ensuring that software is soundly developed with regard to security and functionality, various organizations have developed sets of software development best practices.  The Web Application Security Consortium (WASC) is an organization which provides best practices for web-based applications along with a variety of resources, tools, and information for developing web applications.  The continuous monitoring of attacks is one of the functions undertaken by WASC, leading to the development of a list of the top attack methods in use.  This list can assist in ensuring that organizations are not only aware of the latest attack methods and how widespread these attacks are, but also can help them make the proper changes to their web applications to mitigate these attack types (Abernathy & McMillan, 2016).

The Open Web Application Security Project (OWASP) is another group which monitors attacks, specifically web attacks.  It maintains a list of the top 10 attacks on an ongoing basis. This group meets regularly worldwide, providing resources and tools including test procedures, code review steps, and development guidelines.  Build Security In (BSI) is an initiative by the Department of Homeland Security (DHS) which promotes a process-agnostic approach to making security recommendations with respect to architectures, testing methods, code reviews, and management processes.  The DHS Software Assurance program addresses methods to reduce vulnerabilities, mitigate exploitation, and improve the routine development and delivery of software solutions. Moreover, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) created the 27034 standard, which is part of a larger body of standards called the ISO/IEC 27000 series. These standards guide organizations in integrating security into the development and maintenance of software applications (Abernathy & McMillan, 2016).

References

Abernathy, R., & McMillan, T. (2016). CISSP Cert Guide. Pearson IT Certification.

Srinivasan, M. (2016). CISSP in 21 Days. Packt Publishing Ltd.

Stewart, J., Chapple, M., & Gibson, D. (2015). ISC Official Study Guide: CISSP Security Professional Official Study Guide (7th ed.). Wiley.