White Paper Security in Software Development Life Cycle
White Paper: Security in Software Development Life Cycle

Team Trojan Horses: Emmanuel Franklin, Jonathan Newland, Showanda Smith, Anh Cao
Georgia State University

Information Systems and Technology (IS&T) has become an essential part of everyday life. Today people perform daily activities and transactions for many purposes through the Internet, ATMs, and mobile devices. People use software with the understanding that it is reliable, that it can be trusted, and that the operations they perform are secure. It is therefore very important to keep these people feeling safe and secure when using IS&T and to prevent any exploitable security holes...
Table of Contents

Executive Summary
I. Introduction
II. Security in Software Development Life Cycle
    Traditional Waterfall SDLC
    Agile Methodology SDLC
    SecSDLC Certifications and Credibility
III. Conclusion
Executive Summary

Information Systems and Technology (IS&T) has become an essential part of everyday life. Today people perform daily activities and transactions for many purposes through the Internet, ATMs, and mobile devices. People use software with the understanding that it is reliable, that it can be trusted, and that the operations they perform are secure. It is therefore very important to keep these people feeling safe and secure when using IS&T and to prevent any exploitable security holes. Security thus brings value to software in terms of people's trust. The value provided by secure software is vital because many critical functions depend entirely on the software. That is why security in software development is a serious topic, one that should be given proper attention during the entire SDLC, right from the beginning.

In this white paper we discuss the following topics in turn: an introduction to the software development life cycle; security in the software development life cycle, including the traditional waterfall model and the agile methodology; then, briefly, the different roles, responsibilities, and certifications in information security and technology; and finally, the industry recommendations and best practices for software developers.

I. Introduction

History of the term SDLC: Information Systems and Technology (IS&T) are used by many organizations to make themselves more efficient and run more smoothly. But managing IS&T is not an easy task; if systems are not managed properly, the organization is prone to losses of information. In the 1960s, information systems depended heavily on data processing and mathematical routines. These processes took a lot of time and were not very reliable. Many mistakes were made when developing these large systems, and maintaining them was even more difficult. These lethargic processes affected the most important individuals, the end users. They needed more, better, and cheaper software, and they wanted it as fast as they could possibly get it. Then the Software Development Life Cycle (SDLC) was introduced and defined as a methodology for the design and implementation of information systems. With this methodology, organizations can feel secure knowing that the system they have in place will protect them from negative situations while also increasing their rate of success with projects.

Purpose: The introduction of the Software Development Life Cycle created better structure and organization. The software development life cycle was used to identify stakeholders and requirements for the implementation of information systems.

Problems in the 1960s: Before software development life cycles, companies would hire individuals to write code. This was adequate at first because the programs were not complex and it was the only method available at the time. Coders would write code and test the result; afterwards, they would modify the code to fix bugs. Not to mention that the unprecedented rate of change in business and technology made it almost impossible for software teams to determine user requirements and adapt to their changes. More importantly, neglect of security has been one of the main factors in why the majority of software projects have failed. For a very long time, security has been a secondary priority in the SDLC. Critical security flaws are often recognized only just before software deployment, and, even more unfortunately, some flaws are recognized after the iteration has been released. Organizations need to incorporate security governance into both the waterfall and the agile SDLC methodologies. This incorporation of security will efficiently reduce the potential costs associated with risk after deployment. An effective security governance regime in the SDLC requires careful security planning, risk assessments, cost-benefit analysis, and remediation. Security planning is the most important aspect of security governance: the main objective is to plan ahead, and plan well, before incidents occur.
II. Security in Software Development Life Cycle

Traditional Waterfall SDLC

Here we focus on the traditional waterfall software development life cycle with security integrated into it to improve the overall outcome of the life cycle. A regular life cycle can consist of seven or more phases, and these phases may grow in number or be broken down further when security is implemented in the life cycle. There are several key drivers for integrating security into the Software Development Life Cycle:

- Security can decrease the high cost of fixing vulnerabilities. If vulnerabilities are identified after deployment, the cost of resolving them is higher; identifying vulnerabilities before deployment is therefore less expensive for the business at large.
- The consequences a business may face if the system is compromised because of security. A business may lose customers if the system is compromised and its users' personal data could be stolen.
- After a system is deployed without security as an integrated factor, the business may have to hire a third-party vendor to secure the software because it did not hire skilled, security-conscious software designers at the beginning. This outsourcing can become expensive.
- Without security planning, the business will lack a full view of the access it must provide (e.g. Internet access), and it will lack the resources for the increasing demand from workers and customers on its network.
- Last but not least, as governments increase security requirements and guidelines, it becomes difficult to ensure compliance when companies have not planned for it.

Each phase must be followed in sequence by the developer or software designer. The chart below shows how a traditional waterfall software development life cycle usually works; this cycle has five different stages. We will discuss a seven-stage traditional SDLC with an integration of security.

Figure 1: Waterfall phases and Risk Profile

How to plan a successful integration of security in a software development life cycle: During an SDLC, planning for security is essential. Security should be incorporated at the beginning of the software development life cycle.

- Through the use of risk management, the security requirements can be defined from business objectives.
- The business should ensure all the appropriate security requirements are included in the business requirements. They should be in the first phase of the design to ensure they also satisfy the business requirements.
- The business should ensure the development team and their managers are skilled in the art of developing secure software.
- The technology and processes should all meet the required security standard during implementation.
- Review of the deployed system should be ongoing to ensure appropriate levels of security are satisfied.
- Vulnerabilities should be evaluated using risk processes and then prioritized across software releases.
Stages of the traditional life cycle:

1. Planning: The purpose of planning is to determine the scope of the project. This process may require studies to be undertaken before setting goals. During planning the company performs feasibility studies, which ask the following questions:
   - The economic question: should we build it?
   - The operational question: if we build it, will they use it?
   - The schedule question: will it be ready in a timely manner?
   - The technical question: do they know how to build it?
   It is critical that security considerations be incorporated into the planning at the earliest stage of any project.

2. Defining Requirements: Defining requirements is the process in which the analyst receives feedback from stakeholders (e.g. end users). The feedback allows clear functions to be created from the specific project goals. This phase allows a look from the end user's point of view at the specific needs in the information system. During this phase it is critical to consider a security plan that is integrated with the objectives. The process allows the business to ensure that the security policies align with the objectives. These objectives include:
   - Creating requirements for access control lists, the types of authentication and identity requirements that are needed, and the different role bases.
   - The business will identify and define the different levels of privacy for the data associated with the system and project.
   - The business should create the criteria for abuse cases. The criteria should outline the situations that constitute a misuse of the system.

3. Designing the System: Designing the system is when the features and the technical specification are described in detail. To assist with designing a system, developers use various tools (e.g. process diagrams and use cases). Developers may also create prototypes to ensure all the requirements are met. In the design stage there are logical and physical views. The logical view is an abstract view of how the system is supposed to work; the physical view is the actual physical components of the system. This is the second phase of integrating the security aspects into the software development life cycle. At this phase the requirements have been transformed into an actual architecture design and design decisions. It allows the specific security controls to be implemented by the design team. Various security mechanisms are inserted at this point, such as communication protocols. Security testing scenarios will be designed during this phase for identifying the abuse cases that were developed during the planning phase.

4. Implementation: Implementation is putting the information system into action for testing. It can be costly if the information system does not meet all the required needs of the users. Therefore, during the design phase of the information system, all requirements and specifications must be clearly defined to have a successful implementation. During this third phase of building for security, the system should always be built with security in mind, and the software team should ensure that the needed security technologies and processes are properly in place and ready for integration and testing.

5. Integrate and Test: During the integration and testing phase, all components are integrated and tested for bugs. Many corporations underfund this phase of the software development life cycle. The code itself should ensure the integrity of the system. The coders should be well trained and have various auditing tools at their disposal to ensure the security and integrity of their data during the integration and testing phase of the software development life cycle.

6. Deployment: The deployment phase is when the customer has accepted the information system and is using the system for its intended purpose. A company has four ways to commence a deployment of software: phased, pilot, direct, and parallel.
   - Phased: Phased deployment is the process in which parts of the software are switched over in phases. With phasing, the company is able to go back to the original system, and the transition takes its natural course. The setback with phasing is that the original system may become old and inefficient.
   - Pilot: A pilot is an executable model of the system with all the functions. The pilot is a great way of getting and verifying the requirements.
   - Direct: Direct is the most dangerous one because a company cannot go back. Direct forces a company to commit to the switchover.
   - Parallel: Parallel is when a company runs the original system and the new one at the same time. Parallel gives the company a chance to go back if the new system fails. The setbacks with parallel are that it is expensive to run two systems and that the future for the administrators of the original system is unknown.

7. Maintenance: The maintenance phase of the software development life cycle is when future maintenance is completed on the information system. Maintenance consists of three different types: corrective, adaptive, and perfective. Corrective maintenance is when bugs are fixed. Adaptive maintenance is when the system needs new code for compatibility issues. Perfective maintenance is when the company tries to improve the software. After the final stage of deployment of the system, maintenance is the most important part of the life cycle because security threats are constantly evolving, and being vigilant is the most important factor. Constant monitoring and various intrusion prevention systems are essential for the integrity of the system and of the data which is processed on the system. The maintenance team should continuously run penetration tests and review logs and reports.

Advantages and Disadvantages: The advantages of a traditional waterfall software development life cycle with the integration of security are that the project is well defined, with detailed steps to ensure the integrity of the system and the data. There are standard development and design practices. The project will be able to adjust to a change in the staff. The time is controlled, and there is greater ability to monitor large projects.

The disadvantages of traditional software development are that there is an increase in the time needed for the project. The system must be clearly defined at the beginning because it is very difficult to make changes to the project. Early errors can cause the project to overrun due to rework on early stages. There is little interaction with the end users. Per Russell Kay of Computerworld:
"Another problem is that the waterfall model assumes that the only role for users is in specifying requirements, and that all requirements can be specified in advance. Unfortunately, requirements grow and change throughout the process and beyond, calling for considerable feedback and iterative consultation. Thus many other SDLC models have been developed."

Most developers recommend using more than one methodology for a successful implementation of an information system. Therefore, projects that are forever changing use a methodology called the agile software development life cycle.

Agile Methodology SDLC

Security in the SDLC does more than make end users feel safe and secure when using the software. Security in the agile methodology aims to prevent exploitable security holes as early as possible and to cut down the maintenance cost later, after the system has been deployed. This is a critical aspect of the agile methodology. Software teams can feel safer when frequently introducing new releases because security governance should have been implemented at each small release. The security governance integrated into agile is no different from that of the waterfall model, except that it is integrated during every early, small, time-boxed iteration release. Software engineers can implement agile in many different ways, but iterations are the heartbeat of the agile methodology. As mentioned, waterfall failed because of its inflexibility and its susceptibility to change. Organizations that exercised the waterfall model were not inclined to change or to adapt to evolving stakeholder requirements. In contrast, agile does a great job of focusing on iterations, frequent consultation with the customer, small and frequent releases, and rigorously tested code that responds directly to stakeholder feedback.

To further distinguish agile from other software development methodologies, it is important to recognize the two elements that shape the dimensions of agility: response extensiveness and response efficiency. Response extensiveness relates to the scope, range, extent, and variety of software team responses. Response efficiency, on the other hand, relates to resources such as time, cost, and effort associated with software team responses. We have mentioned the differences between the agile and waterfall models. But what is the agile methodology really? Where does it come from? And why do we use it?
Figure 2: Agile Methodology with iteration time-box releases

What is Agile? The agile methodology is a conceptual framework that introduces more effective and efficient ways and best practices to develop software. For decades, the traditional waterfall software development life cycle was the primary model for software development. However, the traditional waterfall has numerous problems, such as maintenance cost, inflexibility, and susceptibility to change, and these problems slow down the industry's potential growth. The agile software development life cycle was then introduced largely to address the weaknesses of plan-based methods such as traditional waterfall software development.

Where did agile come from? The agile philosophy came from the different ideas of the 17 software engineers who gathered together in 2001 to write the Agile Manifesto, together with the 12 agile guideline principles that are today widely known and used in the industry. Here are the 12 agile guideline principles we shall follow:

1. Our highest priority is to satisfy the customer through early and continuous delivery of valuable software.
2. Welcome changing requirements, even late in development. Agile processes harness change for the customer's competitive advantage.
3. Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale.
4. Business people and developers must work together daily throughout the project.
5. Build projects around motivated individuals. Give them the environment and support they need, and trust them to get the job done.
6. The most efficient and effective method of conveying information to and within a development team is face-to-face conversation.
7. Working software is the primary measure of progress.
8. Agile processes promote sustainable development. The sponsors, developers, and users should be able to maintain a constant pace indefinitely.
9. Continuous attention to technical excellence and good design enhances agility.
10. Simplicity--the art of maximizing the amount of work not done--is essential.
11. The best architectures, requirements, and designs emerge from self-organizing teams.
12. At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly.

The agile methodology was a cooperative of common interests formed by the 17 individual contributions. While these engineers had different points of view on software development, they shared the same goal of improving software development. The two well-known methods that were used by different individuals at the time and have now been formally folded into the agile framework are Extreme Programming (XP) and Scrum. The managerial aspect of software development is the major difference between the two methodologies. XP focuses on hard coding, that is, the development process itself, using techniques such as pair programming, in which two programmers sit at the same desk and code on the same screen, while Scrum focuses on both management aspects and development processes.

Why do we use agile? The agile software development life cycle is more than just a set of standard rules; agile is a philosophy. The agile philosophy was introduced to improve on the traditional waterfall software development life cycle and to transform the entire software industry as a whole. What makes agile different from the traditional waterfall SDLC is the rapid iterations of small and frequent releases to meet evolving requirements. Agile focuses on direct user involvement during the development process, which explains the evolving requirements. Small and frequent iteration releases ensure that security has been addressed early, hence reducing the potential maintenance cost afterward.

SecSDLC Certifications and Credibility:

Security in the SDLC requires a team. Like a software development team, the security team has different roles and responsibilities. Because software security is always changing, it is important for those who keep up to date to track these updates and reorganizations in order to enhance security policy and guidelines, to keep safe systems in place, and to prevent security threats such as a polymorphic threat (a threat that changes its apparent shape over time, becoming a new threat not detectable by techniques that look for a preconfigured signature) or a man-in-the-middle threat, which seems to be the most difficult threat to recognize because it performs its attacks between the two endpoints of the communication, hidden from both. There are many other new threats that security professionals need to keep up with, such as the infamous Flame virus or DNSChanger, which shook the entire Internet news world. Imagine that the good guys have to discover and remedy ALL of the exploitable security holes, while all the bad guys have to do is discover ONE and exploit it. This is surely not an easy job for security professionals.

Roles and Responsibilities: A security team's key leadership positions within information security include the Chief Information Security Officer (definer), the Security Manager, and the Security Technician (administrator). The Chief Information Security Officer (CISO) may or may not be included among the top-level executives. The CISO manages and directs an organization's computer information systems security program, implements information security policies, and supervises related information technology employees.
The typical duties of the CISO are to ensure compliance with local, state, and federal laws, to implement controls to reduce fraud and other vulnerabilities, and to train IT and non-IT personnel on security and privacy issues.

The Security Manager oversees daily security operations for the business. These typically include developing and enforcing security policies to ensure a safe environment for employees and visitors. Security managers accomplish objectives identified by the CISO and address issues identified by the technicians. They may also guard against property damage. Like CISOs, Security Managers are typically certified in CISSP, CISM, and/or GIAC. I will discuss these certifications later.

The Security Technician is tasked with configuring firewalls, deploying Intrusion Detection and Prevention Systems (IDPSs), implementing security software, diagnosing and troubleshooting problems, and coordinating with systems and network administrators to ensure that an organization's security technology is properly implemented.

Certifications: There are many certifications that information technology professionals may obtain. The top certifications that we seek are Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Global Information Assurance Certificate (GIAC).

A CISSP is an information assurance professional who defines the architecture, design, management and/or controls that assure the security of business environments. The professional's credentials must meet at least two or more of the ten (ISC)² CISSP domains listed below:
- Access Control List (ACL)
- Telecommunications and Network Security
- Information Security Governance and Risk Management
- Software Development Security
- Cryptography
- Security Architecture and Design
- Operations Security
- Business Continuity and Disaster Recovery Planning
- Legal, Regulations, Investigations and Compliance
- Physical (Environmental) Security
This certification requires that an individual have at least five years of professional working experience. The exam price ranges from $250 to $600.

A CISM must provide evidence of five years of professional experience in the field of information security, at least two years of education, or previous certification, and pass a 200-question multiple-choice exam. The exam has the following critical sections:
- Information security governance (23 percent)
- Information risk management (22 percent)
- Information security program development (17 percent)
- Information security program management (24 percent)
- Information management and response (14 percent)
These certifications range from $395 to $645.

GIAC certifications require the applicant to complete a written practical assignment that tests the applicant's ability to apply skills and knowledge. These assignments are submitted to SANS for review. Only when the practical assignment is complete can a candidate take the exam online. The GIAC certificates are organized into six areas:
- Forensics
- Security Administration
- Management
- Audit
- Software Security
- Legal
These certifications range from $500 to $700.

III. Conclusion

In the SDLC, both the plan-based waterfall and the agile methodology can be effective ways to develop software. Each method has strengths and weaknesses. An examination of project interdependencies and volatility allows managers to determine the best type of methodology for a given situation. Most importantly, security governance is critical in software development. Whichever methodology is used to develop the software, it is very important to plan and implement security governance to prevent any exploitable security holes. Because software security brings value to software in terms of people's trust, the value provided by secure software is vital, as many critical functions depend entirely on the software.
References

Barlow, Jordan B.; Keith, Mark Jeffrey; Wilson, David W.; Schuetzler, Ryan M.; Lowry, Paul Benjamin; Vance, Anthony; Giboney, Justin Scott. "Overview And Guidance On Agile Development In Large Organizations." Communications Of AIS (2011): Computer Source. Web. 11 July

Banerjee, C., and S. K. Pandey. "Software Security Rules, SDLC Perspective." (2009): arXiv. Web. 11 July <

Danahy, Jack. "The Phasing-In Of Security Governance In The SDLC." Network Security (2008): Business Source Complete. Web. 12 July

Dorsey, Paul. "Top 10 Reasons Why Systems Projects Fail." Web. 25 May <

Drewry, Tony. "UWE-CSM - IT System Development Lifecycles." N.p., n.d. Web. 3 July <

Hanny, Jonathan. "Building An Application Security Program." Information Security Journal: A Global Perspective 19.6 (2010): Computer Source. Web. 14 July

Danahy, Jack. "Security & SDLC: The Phasing-In Of Security Governance In The SDLC." Network Security 2008 (n.d.): ScienceDirect. Web. 11 July <

Kay, Russell. "QuickStudy: System Development Life Cycle." Computerworld. 14 May. Web. 24 May <

de Vries, Stephen. "Testing: Software Testing For Security." Network Security (n.d.): ScienceDirect. Web. 11 July <

McLean, Ephraim R. "The Traditional System Development Life Cycle." CIS, Georgia State University, Atlanta. 24 May. Lecture.

"SDLC." Waterfall Model. WordPress, 2 June. Web. 3 July <

"What Agile Teams Think Of Agile Principles." Communications Of The ACM 55.4 (2012): Business Source Complete. Web. 11 July
Case Study Software Development with Agile Methods Introduction: Web application development is a much studied, heavily practiced activity. That is, capturing and validating user requirements, estimating
More informationUniversity of Central Florida Class Specification Administrative and Professional. Information Security Officer
Information Security Officer Job Code: 2534 Serve as the information security officer for the University. Develop and computer security system standards, policies, and procedures. Serve as technical team
More informationBottlenecks in Agile Software Development Identified Using Theory of Constraints (TOC) Principles
Master thesis in Applied Information Technology REPORT NO. 2008:014 ISSN: 1651-4769 Department of Applied Information Technology or Department of Computer Science Bottlenecks in Agile Software Development
More informationAgile Development Overview
Presented by Jennifer Bleen, PMP Project Services Practice of Cardinal Solutions Group, Inc. Contact: Agile Manifesto We are uncovering better ways of developing software by doing it and helping others
More informationManaging TM1 Projects
White Paper Managing TM1 Projects What You ll Learn in This White Paper: Traditional approaches to project management A more agile approach Prototyping Achieving the ideal outcome Assessing project teams
More informationAgile Projects 7. Agile Project Management 21
Contents Contents 1 2 3 Agile Projects 7 Introduction 8 About the Book 9 The Problems 10 The Agile Manifesto 12 Agile Approach 14 The Benefits 16 Project Components 18 Summary 20 Agile Project Management
More informationTERMS OF REFERENCE (TORs) OF CONSULTANTS - (EAG) 1. Reporting Function. The Applications Consultant reports directly to the CIO
TERMS OF REFERENCE (TORs) OF CONSULTANTS - (EAG) Consultant - Enterprise Systems & Applications 1. Reporting Function. The Applications Consultant reports directly to the CIO 2. Qualification and Experience
More informationAgile Requirements Generation Model: A Soft-structured Approach to Agile Requirements Engineering. Shvetha Soundararajan
Agile Requirements Generation Model: A Soft-structured Approach to Agile Requirements Engineering Shvetha Soundararajan Thesis submitted to the faculty of the Virginia Polytechnic Institute and State University
More informationCISM ITEM DEVELOPMENT GUIDE
CISM ITEM DEVELOPMENT GUIDE Updated January 2015 TABLE OF CONTENTS Content Page Purpose of the CISM Item Development Guide 3 CISM Exam Structure 3 Writing Quality Items 3 Multiple-Choice Items 4 Steps
More informationAgile Beyond The Team 1
Agile Beyond The Team 1 Dilbert Agile 2 What Does Your Organization Value? Projects over Teams? Do new teams spools up for new projects? On-Time/On-Budget Delivery over Zero Maintenance Products Deliver
More informationDirector, IT Security District Office Kern Community College District JOB DESCRIPTION
Director, IT Security District Office Kern Community College District JOB DESCRIPTION Definition Reporting to the Chief Information Officer, the Director of IT Security develops and implements procedures,
More informationPage 1 of 5. IS 335: Information Technology in Business Lecture Outline Computer Technology: Your Need to Know
Lecture Outline Computer Technology: Your Need to Know Objectives In this discussion, you will learn to: Describe the activities of information systems professionals Describe the technical knowledge of
More informationA Strategic Approach to Web Application Security The importance of a secure software development lifecycle
A Strategic Approach to Web Application Security The importance of a secure software development lifecycle Rachna Goel Technical Lead Enterprise Technology Web application security is clearly the new frontier
More informationAGILE vs. WATERFALL METHODOLOGIES
AGILE vs. WATERFALL METHODOLOGIES Introduction Agile and waterfall are two major methodologies that software developers and project managers have the option of using. Some of the goals of developers and
More informationDomain 1 The Process of Auditing Information Systems
Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge
More informationWhat Does Large Mean? Copyright 2003 by N. Josuttis and J. Eckstein 3. Why is Large an Issue?
Skalierung von agilen Prozessen Ein Erfahrungsbericht OOP 2003 Jutta Eckstein Nicolai Josuttis This Talk is About Agility Large Experience Success Copyright 2003 by N. Josuttis and J. Eckstein 2 1 What
More informationUC Santa Barbara. CS189A - Capstone. Christopher Kruegel Department of Computer Science UC Santa Barbara http://www.cs.ucsb.
CS189A - Capstone Christopher Kruegel Department of Computer Science http://www.cs.ucsb.edu/~chris/ How Should We Build Software? Let s look at an example Assume we asked our IT folks if they can do the
More informationAlternative Development Methodologies
Alternative Development Methodologies The Software Development Process described in the course notes and lecture is a generalized process that been in use for decades. Over this time, scholars in the IT
More informationBuilding Software in an Agile Manner
Building Software in an Agile Manner Abstract The technology industry continues to evolve with new products and category innovations defining and then redefining this sector's shifting landscape. Over
More informationCisco Advanced Services for Network Security
Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs
More informationIntroduction to Agile Software Development. EECS 690 Agile Software Development
Introduction to Agile Software Development EECS 690 Agile Software Development Agenda Research Consent Forms Problem with Software Engineering Motivation for Agile Methods Agile Manifesto Principles into
More informationDevelopment. Lecture 3
Software Process in Modern Software Development Lecture 3 Software Engineering i Practice Software engineering practice is a broad array of principles, concepts, methods, and tools that must be considered
More informationAgile on huge banking mainframe legacy systems. Is it possible?
EuroSTAR 2011 Agile on huge banking mainframe legacy systems. Is it possible? Christian Bendix Kjær Hansen Test Manager November 22, 2011 What is this presentation about? Goal Inspire others working with
More informationComparative Study of Agile Methods and Their Comparison with Heavyweight Methods in Indian Organizations
International Journal of Recent Research and Review, Vol. VI, June 2013 Comparative Study of Agile Methods and Their Comparison with Heavyweight Methods in Indian Organizations Uma Kumari 1, Abhay Upadhyaya
More informationLECTURE 1. SYSTEMS DEVELOPMENT
LECTURE 1. SYSTEMS DEVELOPMENT 1.1 INFORMATION SYSTEMS System A system is an interrelated set of business procedures used within one business unit working together for a purpose A system has nine characteristics
More informationCisco Security Optimization Service
Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless
More informationThis handbook is meant to be a quick-starter guide to Agile Project Management. It is meant for the following people:
AGILE HANDBOOK OVERVIEW WHAT IS THIS? This handbook is meant to be a quick-starter guide to Agile Project Management. It is meant for the following people: Someone who is looking for a quick overview on
More informationProcess Methodology. Wegmans Deli Kiosk. for. Version 1.0. Prepared by DELI-cious Developers. Rochester Institute of Technology
Process Methodology for Wegmans Deli Kiosk Version 1.0 Prepared by DELI-cious Developers Rochester Institute of Technology September 15, 2013 1 Table of Contents 1. Process... 3 1.1 Choice... 3 1.2 Description...
More informationKevin Savoy, CPA, CISA, CISSP Director of Information Technology Audits Brian Daniels, CISA, GCFA Senior IT Auditor
IT Audit/Security Certifications Kevin Savoy, CPA, CISA, CISSP Director of Information Technology Audits Brian Daniels, CISA, GCFA Senior IT Auditor Certs Anyone? There are many certifications out there
More informationIT Risk & Security Specialist Position Description
Specialist Position Description February 9, 2015 Specialist Position Description February 9, 2015 Page i Table of Contents General Characteristics... 1 Career Path... 2 Explanation of Proficiency Level
More informationIntroduction to Agile Software Development
Introduction to Agile Software Development Word Association Write down the first word or phrase that pops in your head when you hear: Extreme Programming (XP) Team (or Personal) Software Process (TSP/PSP)
More informationScaling Scrum. Colin Bird & Rachel Davies Scrum Gathering London 2007. conchango 2007 www.conchango.com
Scaling Scrum Colin Bird & Rachel Davies Scrum Gathering London 2007 Scrum on a Slide Does Scrum Scale? Ok, so Scrum is great for a small team but what happens when you have to work on a big project? Large
More informationInfoSec Academy Application & Secure Code Track
Fundamental Courses Foundational Courses InfoSec Academy Specialized Courses Advanced Courses Certification Preparation Courses Certified Information Systems Security Professional (CISSP) Texas Security
More informationA. Waterfall Model - Requirement Analysis. System & Software Design. Implementation & Unit Testing. Integration & System Testing.
Processing Models Of SDLC Mrs. Nalkar Sanjivani Baban Asst. Professor, IT/CS Dept, JVM s Mehta College,Sector 19, Airoli, Navi Mumbai-400708 Nalkar_sanjivani@yahoo.co.in Abstract This paper presents an
More informationAgile Software Development Methodologies and Its Quality Assurance
Agile Software Development Methodologies and Its Quality Assurance Aslin Jenila.P.S Assistant Professor, Hindustan University, Chennai Abstract: Agility, with regard to software development, can be expressed
More informationAgile Software Development in the Large
Agile Software Development in the Large GI-Vortrag Braunschweig Jutta Eckstein Nicolai Josuttis What Does Large Mean? Large in... scope time people money risks We focus on Large Teams which implies everything
More informationSecure Code Development
ISACA South Florida 7th Annual WOW! Event Copyright Elevate Consult LLC. All Rights Reserved 1 Agenda i. Background ii. iii. iv. Building a Business Case for Secure Coding Top-Down Approach to Develop
More informationSecurity Transcends Technology
INTERNATIONAL INFORMATION SYSTEMS SECURITY CERTIFICATION CONSORTIUM, INC. Career Enhancement and Support Strategies for Information Security Professionals Paul Wang, MSc, CISA, CISSP Paul.Wang@ch.pwc.com
More informationAUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW. 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR
AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR Web Portal Security Review Page 2 Audit Report 03-11 Web Portal Security Review INDEX SECTION I EXECUTIVE SUMMARY
More informationInformation Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus
Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination
More informationInformation Systems Security Certificate Program
Information Technologies Programs Information Systems Security Certificate Program Accelerate Your Career extension.uci.edu/infosec University of California, Irvine Extension s professional certificate
More informationWork With Genesis Insurance Company
IN F O R M AT ION TEC HNOLOGY (IT ) SECURIT Y AT GEN ES I S security peace of mind You re covered. Access Control Application Security Business Continuity and Disaster Recovery Planning Cryptography Information
More informationCITY UNIVERSITY OF HONG KONG. Information System Acquisition, PUBLIC Development and Maintenance Standard
CITY UNIVERSITY OF HONG KONG Development and Maintenance Standard (Approved by the Information Strategy and Governance Committee in December 2013; revision 1.1 approved by Chief Information Officer in
More informationDefending Against Data Beaches: Internal Controls for Cybersecurity
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
More informationUSCIS/SPAS: Product Backlog Items and User Stories 4/16/2015. Dr. Patrick McConnell
USCIS/SPAS: Product Backlog Items and User Stories 4/16/2015 Dr. Patrick McConnell July 9, 2015 1 First, an old joke.. I can t identify an original source for this cartoon. As best as I can tell, the art
More informationHow To Write A Thesis On How To Create And Maintain Documentation In An Agile Development Environment
}w!"#$%&'()+,-./012345
More informationAdvanced Software Engineering. Software Development Processes
Agent and Object Technology Lab Dipartimento di Ingegneria dell Informazione Università degli Studi di Parma Advanced Software Engineering Software Development Processes Prof. Agostino Poggi Software Development
More informationStepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM
Stepping Through the Info Security Program Jennifer Bayuk, CISA, CISM Infosec Program How to: compose an InfoSec Program cement a relationship between InfoSec program and IT Governance design roles and
More informationAgile Software Development. Mohsen Afsharchi
Agile Software Development Mohsen Afsharchi I. Agile Software Development Agile software development is a group of software development methods based on iterative and incremental development, where requirements
More informationCS435: Introduction to Software Engineering! " Software Engineering: A Practitioner s Approach, 7/e " by Roger S. Pressman
CS435: Introduction to Software Engineering! " " " " " " " "Dr. M. Zhu! Chapter 3! Agile Development! Slide Set to accompany Software Engineering: A Practitioner s Approach, 7/e " by Roger S. Pressman
More informationNASCIO 2015 State IT Recognition Awards
NASCIO 2015 State IT Recognition Awards Title: State of Georgia Private Security Cloud Implementation Category: Cybersecurity Contact: Mr. Calvin Rhodes CIO, State of Georgia Executive Director, GTA calvin.rhodes@gta.ga.gov
More informationSECURE POWER SYSTEMS PROFESSIONALS (SPSP) PROJECT PHASE 3, FINAL REPORT: RECRUITING, SELECTING, AND DEVELOPING SECURE POWER SYSTEMS PROFESSIONALS
1 SECURE POWER SYSTEMS PROFESSIONALS (SPSP) PROJECT PHASE 3, FINAL REPORT: RECRUITING, SELECTING, AND DEVELOPING SECURE POWER SYSTEMS PROFESSIONALS Synopsis SPSP Project Overview Phase I Summary Phase
More informationAgile So)ware Development
Software Engineering Agile So)ware Development 1 Rapid software development Rapid development and delivery is now often the most important requirement for software systems Businesses operate in a fast
More informationComplete Web Application Security. Phase1-Building Web Application Security into Your Development Process
Complete Web Application Security Phase1-Building Web Application Security into Your Development Process Table of Contents Introduction 3 Thinking of security as a process 4 The Development Life Cycle
More informationBest Practices for Building a Security Operations Center
OPERATIONS SECURITY Best Practices for Building a Security Operations Center Diana Kelley and Ron Moritz If one cannot effectively manage the growing volume of security events flooding the enterprise,
More informationJOB DESCRIPTION CONTRACTUAL POSITION
Ref #: IT/P /01 JOB DESCRIPTION CONTRACTUAL POSITION JOB TITLE: INFORMATION AND COMMUNICATIONS TECHNOLOGY (ICT) SECURITY SPECIALIST JOB SUMMARY: The incumbent is required to provide specialized technical
More informationBelmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.
Belmont Savings Bank Are there Hackers at the gate? 2013 Wolf & Company, P.C. MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2013 Wolf & Company, P.C. About Wolf & Company, P.C.
More informationEntire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center www.praetorian.com
Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center www.praetorian.com Threat Modeling "Threat modeling at the design phase is really the only way to
More informationSecurity Management. Keeping the IT Security Administrator Busy
Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching
More information26 May 2010 CQAA Lunch & Learn Paul I. Pazderski (CSM/CSP, OD-CM, CSQA) spcinc13@yahoo.com Cell: 224-595-8846 AGILE THROUGH SCRUM
26 May 2010 CQAA Lunch & Learn Paul I. Pazderski (CSM/CSP, OD-CM, CSQA) spcinc13@yahoo.com Cell: 224-595-8846 AGILE THROUGH SCRUM 1 AGENDA & LEARNING POINTS 1. Open 2. Agile Overview 3. Scrum Basics Learning
More informationWhite Paper IT Methodology Overview & Context
White Paper IT Methodology Overview & Context IT Methodologies - Delivery Models From the inception of Information Technology (IT), organizations and people have been on a constant quest to optimize the
More informationLEAN AGILE POCKET GUIDE
SATORI CONSULTING LEAN AGILE POCKET GUIDE Software Product Development Methodology Reference Guide PURPOSE This pocket guide serves as a reference to a family of lean agile software development methodologies
More informationComparing Scrum And CMMI
Comparing Scrum And CMMI How Can They Work Together Neil Potter The Process Group help@processgroup.com 1 Agenda Definition of Scrum Agile Principles Definition of CMMI Similarities and Differences CMMI
More informationAppendix A-2 Generic Job Titles for respective categories
Appendix A-2 for respective categories A2.1 Job Category Software Engineering/Software Development Competency Level Master 1. Participate in the strategic management of software development. 2. Provide
More informationAgile Software Development
E Learning Volume 5 Number 1 2008 www.wwwords.co.uk/elea Agile Software Development SOLY MATHEW BIJU University of Wollongong in Dubai, United Arab Emirates ABSTRACT Many software development firms are
More informationData Security Incident Response Plan. [Insert Organization Name]
Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security
More informationApplication Security in the Software Development Lifecycle
Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO
More informationThe Agile Manifesto is based on 12 principles:
The Agile Manifesto is based on 12 principles: Customer satisfaction by rapid delivery of a useful product solution Welcome changing requirements, even late in development Working products are delivered
More informationAgile QA s Revolutionary Impact on Project Management
Agile QA s Revolutionary Impact on Project Management Introduction & Agenda Rachele Maurer Agile Coach, Platinum Edge Inc. PMP, CSM, PMI-ACP Agenda A quick overview of agile Current QA practices QA using
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationAgile Development for Application Security Managers
Agile Development for Application Security Managers www.quotium.com When examining the agile development methodology many organizations are uncertain whether it is possible to introduce application security
More informationSEEM4570 System Design and Implementation Lecture 10 Software Development Process
SEEM4570 System Design and Implementation Lecture 10 Software Development Process Software Development A software development process: A structure imposed on the development of a software product Also
More informationAgile and lean methods for managing application development process
Agile and lean methods for managing application development process Hannu Markkanen 27.01.2012 1 Lifecycle model To support the planning and management of activities required in the production of e.g.
More informationAgile Security Successful Application Security Testing for Agile Development
WHITE PAPER Agile Security Successful Application Security Testing for Agile Development Software Security Simplified Abstract It is an imperative to include security testing in application development.
More informationCertified Information Systems Auditor (CISA)
Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the
More informationhttp://www.bigvisible.com
Sustainable Pace How can we help our teams achieve it? http://www.bigvisible.com 2011 BigVisible Solutions, Inc. Facilitator Bob Sarni 25 years focused on team development, leadership mentoring and coaching,
More informationLogical Operations CyberSec First Responder: Threat Detection and Response (CFR) Exam CFR-110
Logical Operations CyberSec First Responder: Threat Detection and Response (CFR) Exam CFR-110 Exam Information Candidate Eligibility: The CyberSec First Responder: Threat Detection and Response (CFR) exam
More informationIngegneria del Software Corso di Laurea in Informatica per il Management. Agile software development
Ingegneria del Software Corso di Laurea in Informatica per il Management Agile software development Davide Rossi Dipartimento di Informatica Università di Bologna The problem Efficiency: too much effort
More information