Many organizations find themselves developing software, whether for their own internal use or developed as a product for their customers. Security concerns should be taken into account at every phase of the software development process to ensure that the end result is safe, secure code that meets the organization's business requirements. In this video, learn about the development of software requirements and the use of different software development methodologies.
- [Instructor] Many organizations find themselves developing software, whether for their own internal use or developed as a product for their customers. Security concerns should be taken into account at every phase of the software development process to ensure that the end result is safe, secure code that meets the organization's business requirements. Every software project should begin with a solid set of requirements. Developers should work hand in hand with their customers to outline the specific purpose of the software and the details of the business goals that it will achieve.
This process is known as requirements definition and it's crucial to developing software that meets the organization's needs. After developing business requirements, developers then move on and translate those business requirements into a technical design. This is where technical experts lay out the roadmap for software development and determine the interfaces between software components that will ensure everything fits together properly in the end. Software development is a sophisticated engineering process that is every bit as complex as a major construction project.
Software engineers who set off on the development process without carefully designed requirements are acting similarly to construction workers who begin building a home without a set of blueprints. The finished product is not likely to match the customer's vision and there's a good chance that it will fall apart. Once they have a set of requirements in hand, developers may begin the process of creating software. Depending upon their organization's approach and the details of the specific project, they may choose one of several different software development methodologies.
The classic approach to software development is a methodology known as the Waterfall approach. This model, developed by Winston Royce, back in the 1970s, approaches software development as a very linear process. It follows a fairly rigid series of steps that begin with developing system requirements, move on to developing software requirements, then produce a preliminary design from those requirements that is used as the basis for a detailed design. Once that design is complete, developers begin the coding and debugging process where they create software.
When they finish coding, the software is tested rigorously and, if it passes those tests, it's moved into operations and maintenance mode. This approach does allow for movement back to an earlier step, but only one phase at a time. For example, if software fails the testing process, it moves back into coding and debugging before being submitted for additional testing. This process is very rigid and doesn't allow for many changes to the software while development is in progress.
For example, if a business unit identifies a desirable new feature halfway through the coding process, there's no opportunity to modify the design. Because of this, there aren't many modern software development shops that embrace the Waterfall model. In the 1980s, Barry Boehm of TRW introduced the Spiral model, a software development approach designed to mitigate some of the disadvantages associated with the Waterfall model. Boehm viewed software development as an iterative process that has four phases.
In the first phase, developers determine objectives, alternatives and constraints. Then they move on to evaluating alternatives and identifying and resolving risks. From there, they develop and test the code and then they begin the planning phase for future development work. While this may sound similar to the Waterfall model, the major difference is that developers move through these phases in an iterative fashion, following a Spiral motion. They begin in the first phase and then move through each of the phases, multiple times, until they have a satisfactory finished product.
More recently, developers around the world have come to embrace the Agile approach to software development. This approach values rapidly moving to the creation of software and is quite popular. The creators of the Agile approach authored a document called the Agile Manifesto that discusses their approach in detail. There are four core concepts that the writers of the manifesto come to value. They value individuals and interactions over processes and tools. They value working software over comprehensive documentation.
They value customer collaboration over contract negotiation. And they value responding to change over following a plan. They went on to write the 12 Principles of Agile Software. They say that we follow these principles. Our highest priority is to satisfy the customer through early and continuous delivery of valuable software. We welcome changing requirements, even late in development. Agile processes harness change for the customer's competitive advantage.
We deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale. Business people and developers must work together daily throughout the project. We build projects around motivated individuals. We give them the environment and support they need and trust them to get the job done. The most efficient and effective method of conveying information to and within a development team is face to face conversation.
Working software is the primary measure of progress. Agile processes promote sustainable development. The sponsors, developers and users should be able to maintain a constant pace, indefinitely. Continuous attention to technical excellence and good design enhances agility. Simplicity is essential. The best architectures, requirements and designs emerge from self-organizing teams. And finally, at regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly.
Every organization needs to select software development methodologies that are appropriate to their own environment and comfortable for business leaders and developers alike.
This course, along with the others in this nine-part series, prepares you for the CISSP exam and provides you with a solid foundation for a career in information security.
Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
- Software development methodologies
- Operation, maintenance, and change management
- Cross-site scripting
- Preventing SQL injection
- Overflow attacks
- Malicious add-ons
- Secure coding practices
- Code signing
- Risk analysis and mitigation
- Software testing
- Acquired software