Suggested/Recommended Audit Points in the Software Lifecycle (From thought to sunset)

Similar documents
SDLC- Key Areas to Audit in IT Projects ISACA Geek Week /21/2013. PwC

Software Security Engineering: A Key Discipline for Project Managers

Software Development Life Cycle (SDLC)

A Capability Maturity Model (CMM)

Cutting Edge Practices for Secure Software Engineering

Essentials of the Quality Assurance Practice Principles of Testing Test Documentation Techniques. Target Audience: Prerequisites:

The Software Development Life Cycle (SDLC)

SEEM4570 System Design and Implementation Lecture 10 Software Development Process

Software Test Plan (STP) Template

In the IEEE Standard Glossary of Software Engineering Terminology the Software Life Cycle is:

10/4/2013. Sharif University of Technology. Session # 3. Contents. Systems Analysis and Design

How To Write A Contract For Software Quality Assurance

SWEBOK Certification Program. Software Engineering Management

Application of software product quality international standards through software development life cycle

System Development Life Cycle Guide

A Survey of Software Development Process Models in Software Engineering

Process Methodology. Wegmans Deli Kiosk. for. Version 1.0. Prepared by DELI-cious Developers. Rochester Institute of Technology

Validating Enterprise Systems: A Practical Guide

SOFTWARE ASSURANCE STANDARD

Software Security Engineering: A Guide for Project Managers

Next-Generation Performance Testing with Service Virtualization and Application Performance Management

Software Configuration Management Plan

NOTICE: This publication is available at:

IA Metrics Why And How To Measure Goodness Of Information Assurance

Applications in Business. Embedded Systems. FIGURE 1-17 Application Types and Decision Types

INTERNATIONAL JOURNAL OF ADVANCES IN COMPUTING AND INFORMATION TECHNOLOGY An International online open access peer reviewed journal

Configuration Management - The Big Picture

Software Project Models

Software Engineering Introduction & Background. Complaints. General Problems. Department of Computer Science Kent State University

Program Lifecycle Methodology Version 1.7

Intel Security Software / Product Security Practices

How To Integrate Software And Systems

Independent Verification and Validation of SAPHIRE 8 Software Quality Assurance Plan

The Final Quality Gate: Software Release Readiness. Nancy Kastl, CSQA Kaslen Group, Inc. (630)

A. Waterfall Model - Requirement Analysis. System & Software Design. Implementation & Unit Testing. Integration & System Testing.

Your Software Quality is Our Business. INDEPENDENT VERIFICATION AND VALIDATION (IV&V) WHITE PAPER Prepared by Adnet, Inc.

Selecting a Software Development Methodology based on. Organizational Characteristics. Adrienne Farrell

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Software Engineering 1

How To Model Software Development Life Cycle Models

STS Federal Government Consulting Practice IV&V Offering

THE AGILE WATERFALL MIX DELIVERING SUCCESSFUL PROGRAMS INVOLVING MULTIPLE ORGANIZATIONS

ABHINAV NATIONAL MONTHLY REFEREED JOURNAL OF RESEARCH IN SCIENCE & TECHNOLOGY

GAMP 4 to GAMP 5 Summary

Medical Device Software Standards for Safety and Regulatory Compliance

Information Technology Services Project Management Office Operations Guide

Certified Identity and Access Manager (CIAM) Overview & Curriculum

fs viewpoint

Effective Software Security Management

Building Assurance Into Software Development Life- Cycle (SDLC)

CONTENTS. List of Tables List of Figures

Quality Management. Lecture 12 Software quality management

How To Understand Software Engineering

Effective Methods for Software and Systems Integration

What is a life cycle model?

Requirement Management with the Rational Unified Process RUP practices to support Business Analyst s activities and links with BABoK

How To Improve Your Business

PROJECT MANAGEMENT PLAN Outline VERSION 0.0 STATUS: OUTLINE DATE:

8. Master Test Plan (MTP)

Software Quality Testing Course Material

Best-Practice Software Engineering: Software Processes to Support Project Success. Dietmar Winkler

Achieving Business Analysis Excellence

Managing TM1 Projects

The Role of CM in Agile Development of Safety-Critical Software

MNLARS Project Audit Checklist

Business Systems Analyst Job Family

Design Document Version 0.0

CREDENTIALS & CERTIFICATIONS 2015

Building Security into the Software Life Cycle

R214 SPECIFIC REQUIREMENTS: INFORMATION TECHNOLOGY TESTING LABORATORY ACCREDITATION PROGRAM

HPE PC120 ALM Performance Center 12.0 Essentials

STATE BOARD OF ELECTIONS P.O. BOX 6486, ANNAPOLIS, MD PHONE (410)

Software Development Life Cycle Models- Comparison, Consequences

TRADITIONAL VS MODERN SOFTWARE ENGINEERING MODELS: A REVIEW

How to Write a Software Process Procedures and Policy Manual for YOUR COMPANY

Overview of the System Engineering Process. Prepared by

TD Bank N.A. s Enterprise-Wide PMO Monitors Projects and Maintains Focus on Strategic Goals

Professional Services Overview

CS4507 Advanced Software Engineering

Qualification Guideline

Enterprise Data Governance

Achieving Business Analysis Excellence

!!!!! White Paper. Understanding The Role of Data Governance To Support A Self-Service Environment. Sponsored by

Approach to Information Security Architecture. Kaapro Kanto Chief Architect, Security and Privacy TeliaSonera

From Chaos to Clarity: Embedding Security into the SDLC

Secure Code Development

Security Touchpoints When Acquiring Software. Dr Carsten Huth Nadim Barsoum Dawid Sroka

CRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data

Securing the Microsoft Cloud

Corporate Overview. MindPoint Group, LLC 8078 Edinburgh Drive, Springfield, VA Office: Fax:

MIS Systems & Infrastructure Lifecycle Management 1. Week 13 April 14, 2016

Foundations of Project Management. Presented by: Kelly Baumer, MBA, PMP Mindy Rings, MBA, PMP

G-Cloud Service Description. Atos: Cloud Professional Services: Requirements Specification

Transcription:

Suggested/Recommended Audit Points in the Software Lifecycle (From thought to sunset) Mr. Rick Brunner, CISSP Assistant Vice President, Security Strategy and Architecture GM Financial

Disclaimer The views, thoughts, claims or opinions in this presentation are solely those of the presenter. Nothing in this presentation represents the views, thoughts, claims or opinions of GM Financial, Collin College, United States Air Force, the Air Force Reserves, the Department of Defense or the Intelligence Community.

Overview Define and gain an understanding into software and software lifecycle terms Describe various software development models, with emphasis on identifying similar phases within the various models Identify suggested/recommended Audit Points within the identified similar phases Provide some thoughts on Software as a Service Provide references for additional support or for conducting individual research

TERMS

Internal Auditing Is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. http://www.theiia.org/guidance/standards-and-guidance/ippf/definition-of-internal-auditing/?search%c2%bcdefinition

Information Technology Audit, or Information Systems Audit Is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement. Source: http://en.wikipedia.org/wiki/information_technology_audit

Software Computer programs, procedures, and possibly associated documentation and data pertaining to the operation of a computer system. Source: IEEE Standard Glossary of Software Engineering Terminology

Software Life Cycle The period of time that begins when a software product is conceived and ends when the software is no longer available for use. The software life cycle typically includes a concept phase, requirements phase, design phase, implementation phase, test phase, installation and checkout phase, operation and maintenance phase, and, sometimes, retirement phase. Note: These phases may overlap or be performed iteratively. Source: IEEE Standard Glossary of Software Engineering Terminology

Software Life Cycle Another View Source: Jayesh Buwa, Software Development Life Cycle (SDLC), GlobalTech Solutions, Nashik

Software Development Cycle The period of time that begins with the decision to develop a software product and ends when the software is delivered. This cycle typically includes a requirements phase, design phase, implementation phase, test phase, and sometimes, installation and checkout phase. Source: IEEE Standard Glossary of Software Engineering Terminology

Software Development Life Cycle Is a structure imposed on the development of a software product. Similar terms include software life cycle and software process. It is often considered a subset of systems development life cycle. There are several models for such processes, each describing approaches to a variety of tasks or activities that take place during the process. Some people consider a life-cycle model a more general term and a software development process a more specific term. For example, there are many specific software development processes that 'fit' the spiral life-cycle model. ISO/IEC 12207 is an international standard for software life-cycle processes. It aims to be the standard that defines all the tasks required for developing and maintaining software Source: http://en.wikipedia.org/wiki/software_development_process

You ve got to be very careful if you don t know where you re going, because you might not get there. Yogi Berra SOFTWARE DEVELOPMENT MODELS

SDLC Model A framework that describes the activities performed at each stage of a software development project. There are various software development approaches defined and designed that are used/employed during the software development process, these approaches are also referred as "Software Development Process Models." Source: Jayesh Buwa, Software Development Life Cycle (SDLC), GlobalTech Solutions, Nashik

Source: Jayesh Buwa, Software Development Life Cycle (SDLC), GlobalTech Solutions, Nashik

Waterfall V-Shaped Incremental Spiral Source: condor.depaul.edu/jpetlick/extra/394/session2.ppt

Agile Model Source: Riant Soft a Software Development Company, Different Types of Software Development Model Prepared By: RiantSoft a Software Development Company

Six Phases of Software Development Life Cycle for Software Development Requirements Gathering and Analysis Design Development Testing Implementation Maintenance Source: Angelin, Software Development Lifecycle (SDLC)

SDLC Phases Source: Angelin, Software Development Lifecycle (SDLC)

PMO Project Phases Initiate Plan Execute Close Source: http://weill.cornell.edu/its/consultation/planning/pmo/pmo-process.html

Source: http://weill.cornell.edu/its/consultation/planning/pmo/pmo-process.html

SUGGESTED/RECOMMENDED AUDIT POINTS

How can audit add value? Source: Coke and PwC, SDLC- Key Areas to Audit in IT Projects, ISACA Geek Week 2013 8/21/2013

Source: Coke and PwC, SDLC- Key Areas to Audit in IT Projects, ISACA Geek Week 2013 8/21/2013

Source: Coke and PwC, SDLC- Key Areas to Audit in IT Projects, ISACA Geek Week 2013 8/21/2013

Key events for a successful Project Audit Stakeholder buy-in & tone at the top, understanding and acceptance of engagement Staffing, proper technical skills, qualifications and capabilities allowing the team to quickly establish credibility Understanding project needs and expectations, as well as the level of comfort desired Scoping appropriately, leveraging a risk-based approach and delivering upon the agreed scope Up-front communication regarding scope of review, extent of review, timing of review and level of details to be provided in reporting Source: Coke and PwC, SDLC- Key Areas to Audit in IT Projects, ISACA Geek Week 2013 8/21/2013

Key events for a successful Project Audit Execution and completion of work within defined budget and schedule Change agility, being able to change with the project needs (adjust timeline, etc.) but avoiding scope creep Communication to all parties Relevance, providing actionable, useful and timely deliverables (reporting) consider requirements of the audience (i.e. Audit Committee, Sponsor, Project Manager, etc.) Monitoring project progress between checkpoint reviews to minimize ramp-up time required at each checkpoint Source: Coke and PwC, SDLC- Key Areas to Audit in IT Projects, ISACA Geek Week 2013 8/21/2013

Software Configuration Management Operation Aurora http://en.wikipedia.org/wiki/file:illegalflowertribute1.jpg

Software Task Scheduling Rule of Thumb 1/3 planning 1/6 coding 1/4 component test and early system test 1/4 system test, all components in hand Conventional scheduling The fraction devoted to planning is larger than normal. Even so, it is barely enough to produce a detailed and solid specification, and not enough to include research or exploration of totally new techniques Half of the schedule devoted to debugging completed code is much larger than normal The part that is easy to estimate (i.e., coding) is given only one-sixth of the schedule. Source: Brooks Jr., Frederick P. (1995-08-02). The Mythical Man-Month, Anniversary Edition: Essays On Software Engineering (2nd Edition). Pearson Education. Kindle Edition

Software Costs 60 percent of cost is spent on maintenance 60 percent of software maintenance costs is spent on enhancements 40 percent on actual maintenance 17 percent on corrections 18 percent on adaptive maintenance, making it work in its environment 5 percent on other, preventive maintenance The 60/60 rule: 60 percent of software s dollar is spent on maintenance, and 60 percent of that maintenance is enhancement. Enhancing old software is, therefore, a big deal. Source: Glass, Robert L. (2002-10-28). Facts and Fallacies of Software Engineering. Pearson Education. Kindle Edition.

Quality the degree to which the software satisfies stated and implied requirements Absence of system crashes Correspondence between the software and the users expectations Performance to specified requirements Quality must be controlled because it lowers production speed, increases maintenance costs and can adversely affect business Source: condor.depaul.edu/jpetlick/extra/394/session2.ppt

Quality v Development Time Higher quality (in the form of lower defect rates) and reduced development time go hand in hand Source: Software Security Engineering: A Guide for Project Managers, By Julia H. Allen, Sean J. Barnum, Robert J. Ellison, Gary McGraw, Nancy R. Mead

Quality Assurance Plan The plan for quality assurance activities should be in writing Decide if a separate group should perform the quality assurance activities Some elements that should be considered by the plan are: defect tracking, unit testing, source-code tracking, technical reviews, integration testing and system testing. Source: condor.depaul.edu/jpetlick/extra/394/session2.ppt

Quality Assurance Plan Defect tracking keeps track of each defect found, its source, when it was detected, when it was resolved, how it was resolved, etc. Unit testing each individual module is tested Source code tracing step through source code line by line Technical reviews completed work is reviewed by peers Integration testing exercise new code in combination with code that already has been integrated System testing execution of the software for the purpose of finding defects Source: condor.depaul.edu/jpetlick/extra/394/session2.ppt

Are you sure you built it right, are you sure you built the right thing Source: Jayesh Buwa, Software Development Life Cycle (SDLC), GlobalTech Solutions, Nashik

Verification and Validation Verification The process of evaluating a system or component to determine whether the products of a given development phase satisfy the conditions imposed at the start of that phase Validation The process of evaluating a system or component during or at the end of the development process to determine whether it satisfies specified requirements Source: IEEE Standard Glossary of Software Engineering Terminology

Another Look at the Definitions Validation was the right system built? Verification was the system built right? Quality Assurance was the system built the right way? 36

Requirements One of the two most common causes of runaway projects is unstable requirements Requirements errors are the most expensive to fix when found during production but the cheapest to fix early in development Missing requirements are the hardest requirement errors to correct The most persistent software errors those that escape the testing process and persist into the production version of the software are errors of omitted logic. Missing requirements result in omitted logic When moving from requirements to design, there is an explosion of derived requirements (the requirements for a particular design solution) caused by the complexity of the solution process. The list of these design requirements is often 50 times longer than the list of original requirements Source: Glass, Robert L. (2002-10-28). Facts and Fallacies of Software Engineering. Pearson Education. Kindle Edition.

Cost of Correcting Defects by Lifecycle Phase As a rule of thumb, every hour an organization spends on defect prevention reduces repair time for a system in production by three to ten hours. In the worst case, reworking a software requirements problem once the software is in operation typically costs 50 to 200 times what it would take to rework the same problem during the requirements phase Source: Software Security Engineering: A Guide for Project Managers, By Julia H. Allen, Sean J. Barnum, Robert J. Ellison, Gary McGraw, Nancy R. Mead

Configuration Management - First Part A management process for establishing and maintaining consistency of a product s performance, functional and physical attributes with its requirements, design and operational information throughout its life ANSI/EIA 649 1998 National Consensus for Configuration Management 5

Configuration Management - Second Part A process intended to ensure that the system performs as intended, and is documented to a level of detail sufficient to meet needs for operation, maintenance, repair and replacement ANSI/EIA 649 1998 National Consensus for Configuration Management

In other words. The primary goals of configuration management are: 1) Establish System and project/product integrity 2) Maintain this integrity throughout the lifecycle

Configuration Management Principle Information Assurance supports Configuration Management A system or capability that does not have sound Configuration Management process and procedures in place and positively acted upon has little to no Information Assurance The Information Assurance posture of a system or capability cannot be maintained or determined without sound Configuration Management process and procedures in place and positively acted upon Source: Anonymous

Source: Coke and PwC, SDLC- Key Areas to Audit in IT Projects, ISACA Geek Week 2013 8/21/2013

Software as a Service Some Thoughts Transparency Privacy Compliance Transborder Information Flow Certification Other key items Events The service provider should regularly document and communicate changes and other factors that have affected SaaS system availability Logs A service provider should provide comprehensive information about an enterprise s SaaS application and runtime environment Monitoring Any such surveillance should not be intrusive and must be limited to what the cloud provider reasonably needs in order to run its facility Source: Moeller, Robert (2010-10-12). IT Audit, Control, and Security. Wiley Publishing. Kindle Edition

Cloud Computing Security and Privacy Challenges Privileged user Regulatory compliance Data location Data segregation Recovery Investigative support Long-term viability

Books References Moeller, Robert (2010-10-12). IT Audit, Control, and Security. Wiley Publishing. Glass, Robert L. (2002-10-28). Facts and Fallacies of Software Engineering. Pearson Education. Software Security Engineering: A Guide for Project Managers, By Julia H. Allen, Sean J. Barnum, Robert J. Ellison, Gary McGraw, Nancy R. Mead Brooks Jr., Frederick P. (1995-08-02). The Mythical Man- Month, Anniversary Edition: Essays On Software Engineering (2nd Edition). Pearson Education

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information