Friday, May 8, 2020

SDLC and Security Requirements

Software Development Lifecycle (SDLC)

  • Requirements gathering: determine why the software is being created, what it will do, and for whom. Security activities: security/privacy risk assessment, risk-level acceptance, and informational, functional, and behavioral requirements.
  • Design: deals with how the software will accomplish the goals identified, which are encapsulated into a functional design. Security activities: attack surface analysis, threat modeling.
  • Development: programming the code to meet the specifications laid out in the design phase and integrating it with existing systems and/or libraries. Security activities: automated CASE tools, static analysis.
  • Testing/validation: verifying and validating the software to ensure that it works as planned and that the goals are met. Security activities: dynamic analysis, fuzzing, manual testing; unit, integration, acceptance, and regression tests.
  • Release/maintenance: deploying the software and then ensuring that it is properly configured, patched, and monitored. Security activities: final security review.

Software Security Requirements Gathering

Security should be integrated at the earliest stage of the lifecycle rather than bolted on later, which increases cost and risk and may force redesign or rework. It is much easier to identify potential security issues at the very beginning than to fix them after the fact. The requirements-gathering phase is therefore the most important phase for ensuring security in the SDLC.

Software security requirements fall into two categories:
  • Requirements for the software's security functions (such as cryptographic and user authentication functions)
  • Requirements for the software's properties and behaviors

Types of Security Requirements:

The CIA triad and the AAA model are the core foundational concepts behind security requirements.
  • Confidentiality: how the system prevents unauthorized disclosure of information.
  • Integrity: how the system protects data from unauthorized or unintended modification.
  • Availability: how the system ensures that authorized users can reach it and its data when needed.
  • Authentication: the process of establishing the identity of a user. Three factors can be used: something you know (ex: password, PIN), something you have (ex: token, smart card), something you are (ex: biometric mechanisms).
  • Authorization: the process of applying access-control rules to a user or process to determine whether it may access a particular object.
  • Accounting (auditing): recording historical events on a system so that actions can later be attributed to identities.
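As an added example (not code from the original post or from the CISSP guide it cites), the following Python script runs one request through the three AAA steps as separate decisions: a something-you-know authentication check, a deny-by-default authorization policy, and an audit trail that records the denials as well as the successes. The user store, the policy tuples and the passwords are constructed for the demo; PBKDF2 for the password hashes and the constant-time comparison are implementation choices, not something the page specifies.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo data (assumption, not from the original page): a user store
# with salted PBKDF2 password hashes, a role-based policy and an in-memory audit trail.
ITERATIONS = 100_000


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password, roles):
    salt = secrets.token_bytes(16)  # per-user random salt
    return {"salt": salt, "hash": hash_password(password, salt), "roles": set(roles)}


USERS = {
    "alice": make_user("correct horse battery staple", {"analyst"}),
    "bob": make_user("hunter2", {"admin"}),
}

# Authorization is an allow-list of (role, object, action); anything absent is denied.
POLICY = {
    ("analyst", "report", "read"),
    ("admin", "report", "read"),
    ("admin", "report", "delete"),
}

_DUMMY_SALT = secrets.token_bytes(16)  # so unknown users cost the same time as known ones
AUDIT = []  # accounting: one record per decision, successes and failures alike


def record(event, user, outcome, **details):
    AUDIT.append({"ts": time.time(), "event": event, "user": user, "outcome": outcome, **details})


def authenticate(user, password):
    """Something-you-know check. Always hashes, compares in constant time, logs both outcomes."""
    rec = USERS.get(user)
    salt = rec["salt"] if rec else _DUMMY_SALT
    candidate = hash_password(password, salt)
    ok = rec is not None and hmac.compare_digest(candidate, rec["hash"])
    record("authn", user, "success" if ok else "failure")
    return ok


def authorize(user, obj, action):
    """Deny by default: only an explicit (role, object, action) tuple grants access."""
    roles = USERS[user]["roles"] if user in USERS else set()
    allowed = any((role, obj, action) in POLICY for role in roles)
    record("authz", user, "allow" if allowed else "deny", object=obj, action=action)
    return allowed


def access(user, password, obj, action):
    """The full AAA sequence for one request. Returns 'ok' or a denial reason."""
    if not authenticate(user, password):
        return "denied: authentication failed"
    if not authorize(user, obj, action):
        return "denied: not authorized"
    record("access", user, "granted", object=obj, action=action)
    return "ok"


def audit_events(user=None, outcome=None):
    """Query the trail, e.g. every failed login for one user."""
    return [e for e in AUDIT
            if (user is None or e["user"] == user) and (outcome is None or e["outcome"] == outcome)]


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "report", "read"))    # ok
    print(access("alice", "correct horse battery staple", "report", "delete"))  # denied: not authorized
    print(access("mallory", "guess", "report", "read"))                         # denied: authentication failed
    for e in AUDIT:
        print(e)
```

The denial messages deliberately do not say whether the user name or the password was wrong, and the audit trail captures the denied attempts, which is what an investigator needs when reconstructing an incident.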
These core software security concepts are used to build out a security requirements matrix that includes general, operational, and other security requirements.
  • General:
    • Session management: design and implementation of controls to ensure that the communications channels are secured from unauthorized access and disruption of communications.
    • Exception management: the process of handling any errors that could appear during the system execution.
    • Configuration management: identification and management of the configuration items (initialization parameters, connection strings, paths, keys).
  • Operational:
    • Deployment Environment: Identify and capture pertinent requirements about the environment in which the software will be deployed.
    • Archiving: Identify the regulatory and business requirements for data retention and business continuity.
    • Anti-piracy: Identify requirements for code obfuscation, code signing, anti-tampering, and IP protection mechanisms.
  • Other:
    • Sequencing and Timing: Identify sequencing and timing requirements to protect against race conditions such as Time of Check/Time of Use (TOC/TOU) attacks, where an attacker changes a resource between the moment it is checked and the moment it is used.
    • International: Factor in any international requirements, both legal and technological.
    • Procurement: Evaluate and communicate security requirements when software or components are purchased rather than built.
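To make the TOC/TOU requirement concrete, here is an added Python example (not from the original post or from the referenced guide) of the classic file-creation race: a check-then-create function whose window an attacker fills with a symlink, beside the hardened version that lets the kernel perform the check and the create as one atomic step with O_CREAT|O_EXCL. The victim/report file names and the attacker hook that simulates winning the race are constructed for the demo, and it assumes a POSIX filesystem where an unprivileged user may create symlinks.

```python
import os
import shutil
import tempfile


def write_report_racy(path, data, between_check_and_use=None):
    """Vulnerable pattern: check that nothing exists at path, then create it.

    The gap between the check and the open() is the TOCTOU window. The optional
    hook stands in for an attacker who wins the race (constructed for this demo;
    a real attacker would loop on the directory). Returns "written" or "refused".
    """
    if os.path.lexists(path):            # time of check
        return "refused"
    if between_check_and_use is not None:
        between_check_and_use()          # attacker plants a symlink in the window
    with open(path, "w") as f:           # time of use: open() follows the symlink
        f.write(data)
    return "written"


def write_report_atomic(path, data):
    """Hardened pattern: the check and the create are a single syscall.

    O_CREAT|O_EXCL fails with EEXIST if anything, including a symlink, already
    sits at path, so there is no window between checking and using.
    O_NOFOLLOW is added where the platform defines it.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return "refused"
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return "written"


def demo():
    """Run both variants against an attacker who redirects the report path to a victim file."""
    workdir = tempfile.mkdtemp()
    victim = os.path.join(workdir, "victim.txt")   # constructed: a file the attacker wants overwritten
    report = os.path.join(workdir, "report.txt")   # constructed: the path our code writes to

    def reset():
        if os.path.lexists(report):
            os.remove(report)                     # removes the link, not its target
        with open(victim, "w") as f:
            f.write("original")

    def attacker():
        os.symlink(victim, report)                # point report at the victim

    results = {}

    reset()
    results["racy"] = write_report_racy(report, "attacker-controlled", attacker)
    with open(victim) as f:
        results["racy_victim"] = f.read()         # victim clobbered through the symlink

    reset()
    attacker()  # there is no window to race, so give the attacker a head start instead
    results["atomic"] = write_report_atomic(report, "attacker-controlled")
    with open(victim) as f:
        results["atomic_victim"] = f.read()       # untouched: O_EXCL refused the symlink

    shutil.rmtree(workdir)
    return results


if __name__ == "__main__":
    print(demo())
```

The lesson generalises beyond files: any "is it safe?" check that is separated in time from the operation it guards is a race, and the fix is to make the operation itself fail safely (exclusive create, compare-and-swap, a database constraint) rather than to check first.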
Reference: Mike Chapple, (ISC)2 CISSP Official Study Guide, 8th Edition
