Security Systems Development Life Cycle

The document discusses the Security Systems Development Life Cycle (SecSDLC), which is a methodology for designing and implementing secure information systems. The SecSDLC follows similar phases to the traditional Systems Development Life Cycle (SDLC) but with a focus on identifying security threats and implementing appropriate controls. The phases of the SecSDLC include investigation and analysis of security needs and risks, logical and physical design of security controls, and implementation while ensuring security controls work as intended.

SECURITY SYSTEMS DEVELOPMENT LIFE CYCLE (SecSDLC)

1
The Systems Development Life Cycle
• Systems Development Life Cycle (SDLC):
methodology for design and implementation of
information system within an organization
• Methodology: formal approach to problem solving
based on structured sequence of procedures
• Using a methodology:
– Ensures a rigorous process
– Increases probability of success
• Traditional SDLC consists of six general phases

2
The Security Systems Development Life Cycle
• The same phases used in traditional SDLC may be
adapted to support specialized implementation of
an IS project
• Identification of specific threats and creating
controls to counter them
• SecSDLC is a coherent program rather than a
series of random, seemingly unconnected actions

3
SDLC and SecSDLC: Investigation & Analysis

SDLC: Investigation
• Outline project scope and goals
• Estimate costs
• Evaluate existing resources
• Analyze feasibility
• What problem to be solved?
• Objective, Constraints and Scope of project
• Primarily Cost Benefit Analysis – evaluates prescribed benefits vs. appropriate level of cost
• Feasibility Analysis – Assess economical, technical, behavioral feasibility of process (try to measure whether implementation is worthy in the context of time and effort)

SDLC: Analysis
• Assess current system against plan developed in Investigation phase
• Develop preliminary system requirements
• Study integration of new system with existing system
• Document findings and update feasibility analysis
• Primarily assessment of the organization
• Understand Current System
• Capability to support Proposed System
• What new system is expected to do?
• How the new solution interact with existing system?

SecSDLC: Investigation
• Management defines project processes and goals and documents these in the program security policy

SecSDLC: Analysis
• Analyze existing security policy and program
• Analyze current Threats and Controls
• Examine legal issues
• Perform Risk Analysis

SecSDLC: Investigation & Analysis
• Document project process & goal in Security Policy as defined by the management
• Security Categorization
o Define 3 levels (low, moderate & high) of potential impact on organization/individual in case of security breach.
o It is useful for organization in making the appropriate selection of security controls.
• Primary Risk Assessment
o Identify basic Security Need of the System.
o Defines the threat environment where the system operates.

4
SDLC and SecSDLC: Logical Design

SDLC: Logical Design
• Assess current business needs against plan developed in Analysis phase
• Select application, data support and structure
• Generate multiple solution for consideration
• Document finding and update feasibility analysis
• Create System Solution as per Business Requirement
• Applications are selected to provide
o Service
o Data Support
o Needed input
• No references for specific technology, vendor & product
• Alternative solution proposed with its
o Strengths & Weaknesses
o Cost & Benefits
• Another Feasibility performed

SecSDLC: Logical Design
• Develop security blueprint
• Plan incident response actions
• Plan business response to disaster
• Determine feasibility of continuing and/or outsourcing the project

SecSDLC: Logical & Physical Design
• Risk Assessment – Identify the protection requirement through a formal risk assessment process.
• Security Functional Requirement Analysis
o System security environment
o Security functional requirement
• Security Assurance Requirement – Development activities required to assure, by producing evidence, that the information security will work correctly and effectively.
• Cost consideration and reporting – How much cost can be attributed to information security

5
SDLC and SecSDLC: Physical Design

SDLC: Physical Design
• Select technology to support solution developed in Logical Design phase
• Select best solution
• Decide to make or buy components
• Document finding and update feasibility analysis
• Select specific technology for implementation
• Decide make or buy
• Perform another feasibility analysis
• Present the design to the higher management for approval

SecSDLC: Physical Design
• Select technologies needed to support security blueprint
• Develop definition of successful solution
• Design physical security measures to support technological solution
• Review and approve project

SecSDLC: Logical & Physical Design
• Security Plan – Ensure that agreed upon security controls are properly planned or in place and fully documented.
• Security Control Development – Ensure security controls are designed, developed and implemented as per security plan.
• Developmental security test and evaluation.

6
SDLC and SecSDLC: Implementation

SDLC: Implementation
• Develop or buy software
• Order components
• Document the System
• Train users
• Update the feasibility analysis
• Present system to users
• Test the system and review performance
• Software developed/ordered & received
• Tested in test environment
• Conduct user training
• Create supporting documents
• Implement in live environment
• Conduct feasibility analysis on
o Performance review
o Acceptance test

SecSDLC: Implementation
• Buy or develop security solutions
• At the end of the phase, present tested package to management for approval
• Inspection & Acceptance – Organization validates and verifies the functionality described in specification.
• System integration
o Ensure system is integrated in operational site
o Vendor guideline followed for
   – Setting Security Controls
   – Enabling Switches
• Security Certificate
o Ensure controls are effectively implemented through established verification technique.
o Describe remaining vulnerabilities.
• Security Accreditation – Provide necessary security authorization (from Senior Management) of an Information System to process, store or transmit information that is required.

7
SDLC and SecSDLC: Maintenance & Change

SDLC: Maintenance & Change
• Support and modify system during its useful life
• Test periodically for compliance with business needs
• Upgrade and patch as necessary
• Consists of the following tasks
o Support the system
o Modify the system as required until the useful life of the system.
o Upgrade, update, patch management.
o Test the system periodically for compliance.
o Feasibility of continuance vs. discontinuance is evaluated.

SecSDLC: Maintenance & Change
• Constantly monitor, test, modify, update and repair to meet changing threats
• Configuration Management & Control – Consideration of potential security impact due to specific changes in Information system.
• Continuous Monitoring
o Conduct security control monitoring
o Prepare security status
o Submit the status to the appropriate personnel for necessary action
• Information Preservation
o Ensure retention of Information as necessary to conform to legal requirement
o Accommodate future technology for information retrieval.
• Media Sanitization – Ensures that data is deleted, erased, and written over as necessary
• Hardware and software disposal – Ensure HW & SW is disposed of as directed by the Information System Security Officer.

8
Summary
• Information security must be managed similarly to
any major system implemented in an organization
using a methodology like SecSDLC
