Software development life cycle

Software Development Lifecycle

The software development lifecycle (SDLC) is a framework that development teams use to produce high-quality software in a systematic and cost-effective way. 

SDLC may stand for either the System Development Life Cycle or the Software Development Life Cycle. 

System Development Lifecycle

  1. Initiation
  2. Development/Acquisition
  3. Implementation/Assessment
  4. Operations/Maintenance
  5. Disposal

Software Development Lifecycle

  1. Planning
  2. Analysis
  3. Design
  4. Development
  5. Testing
  6. Maintenance

The System/Software Development Life Cycle is a rough guide and can include extra steps. It is important to note that for the exam you will not be asked to know specific steps, as long as you know roughly the flow and where activities sit, e.g. at the beginning, middle or end of the cycle.

This is a more detailed SDLC, containing 13 phases:

  1. Planning/Initiation: problems are identified and a project is created, including scope, budget/cost, objectives, strategies, and schedules. This is also the preliminary analysis phase, which can include performing a preliminary analysis, proposing alternative solutions, describing costs and benefits, and submitting a preliminary plan with recommendations.
  2. Functional requirements definition / Systems analysis and requirements: project goals are translated into the defined functions and operations of the intended application. This involves gathering and interpreting facts, diagnosing problems, and recommending improvements to the system. The project goals are further refined by analysing end-user information needs and removing any inconsistencies and incompleteness in the requirements. Security requirements (for example, which data is sensitive and who may access it) should be captured here, alongside the functional ones.
  3. Systems design: the design phase is where you take your product requirements and software specifications and turn them into an actual design plan, often called a design specification document. This design plan is then used during the next phase to guide the actual development and implementation of your application. Desired features and operations are described in detail, including screen layouts, business rules, data flows, process diagrams, pseudocode, and other documentation.
  4. Development: the real code is written in this step. During this phase, developers should conduct peer reviews of each other's code to check for flaws, and each individual module should be unit tested to verify its functionality prior to being rolled into the larger project.
  5. Documentation and common program controls: the way data is handled in the system, how logs are generated, how errors are handled, and similar controls are defined and documented.
  6. Integration and testing: Once the code is fully developed, the application enters the Testing phase. During this phase, application testers seek to verify whether the application functions as desired and according to the documented requirements; the ultimate goal here is to uncover all flaws within the application and report those flaws to the developers for patching. 
  7. Acceptance: the system is tested by a party other than the developers, typically the customer or end users, to confirm it meets the agreed requirements. The testing includes functionality tests and security tests.
  8. Testing and evaluation controls: create guidelines to determine how the system can be tested.
  9. Certification: a technical evaluation in which the system is compared against functional and security standards to verify that it complies with them.
  10. Accreditation: the formal management decision to approve the system for implementation and accept the residual risk. A certified system might not be accredited (management may decline to accept the risk), and an accredited system might not be certified (management may accept a system that does not fully meet the standard).
  11. Installation, deployment, implementation: final stage of initial development, where the software is put into production and runs actual business.
  12. Maintenance: during the maintenance stage of the SDLC, the system is assessed/evaluated to ensure it does not become obsolete. This is also where changes are made to initial software.
  13. Disposal: plans are developed for discontinuing the use of system information, hardware, and software and making the transition to a new system. The purpose here is to properly move, archive, discard, or destroy information, hardware, and software that is being replaced, in a manner that prevents any possibility of unauthorized disclosure of sensitive data.
    • The disposal activities ensure proper migration to a new system. Particular emphasis is given to proper preservation and archiving of data processed by the previous system. All of this should be done in accordance with the organization’s security requirements.

Security Testing

While code review focuses mainly on functionality, security testing checks how vulnerable the new product is to attack. Some of the testing activities include:

  • Static Analysis—identifies the exact location of weaknesses (file and line) by analysing the source code or binary without executing it.
  • Dynamic Analysis—identifies weaknesses by running the software and observing its behaviour, which also surfaces flaws in the surrounding infrastructure and configuration that static analysis cannot see.
  • Vulnerability Scanning—sends crafted, potentially malicious inputs to the running software and checks how it reacts, typically using a database of known weaknesses. Mostly used to scan applications with a web interface.
  • Fuzzing—feeds invalid, unexpected, or random data to a program's inputs (network protocols, file formats, APIs) and watches for crashes, hangs and unhandled errors. It finds bugs that humans often miss because it generates far more input variations than a reviewer would think to try; it cannot try every possible input, so it is usually run for a fixed time or iteration budget.
  • Third-party penetration testing—the tester simulates an attack to discover coding or system configuration flaws, and to find vulnerabilities a real attacker could exploit. The tester should be independent of the development team, normally an external party.
