M4D1
I. Why do you think it is much more expensive to fix a security vulnerability late in the software life cycle, compared to early?
It is almost always more costly to redo or rework something than to do it correctly in the first place. Years ago when I got my first Solaris system administration job, the Navy had the view that any job the Navy did not have official schools for could be learned via OJT (on the job training). So for my first year, I learned everything I could about Solaris system administration and felt I did quite a good job. However, the Navy finally authorized me for me to take the official Sun Microsystem Solaris course. I went to this course with an entire laundry list of questions about odd things that were not quite right and wanted to find out the solutions for. The solutions that were located, were never simple or easy to correct on installed systems and would have been no issue at all if they had be installed at build time with the correct parameters. …show more content…
The S-SDLC again starts with getting the requirements, but adds security requirements, the setting up phase gates (dividing into stages or phases) and a risk assessment. The design phase identifies requirement from security viewpoint, after which there are architecture/design reviews and then threat modeling is conducted. As in the standard SDLC, the coding is where the meat of the work will be done using coding best practices and static analysis performed. The final and most essential phases are the software testing via vulnerability assessment and fuzzing (testing technique used to uncover coding mistakes and security gaps in software, operating systems or networks by entering enormous amounts of random data (Stallings & Brown, 2015)), and then the software is deployed with server/network configuration with a final
I. Why do you think it is much more expensive to fix a security vulnerability late in the software life cycle, compared to early?
It is almost always more costly to redo or rework something than to do it correctly in the first place. Years ago when I got my first Solaris system administration job, the Navy had the view that any job the Navy did not have official schools for could be learned via OJT (on the job training). So for my first year, I learned everything I could about Solaris system administration and felt I did quite a good job. However, the Navy finally authorized me for me to take the official Sun Microsystem Solaris course. I went to this course with an entire laundry list of questions about odd things that were not quite right and wanted to find out the solutions for. The solutions that were located, were never simple or easy to correct on installed systems and would have been no issue at all if they had be installed at build time with the correct parameters. …show more content…
The S-SDLC again starts with getting the requirements, but adds security requirements, the setting up phase gates (dividing into stages or phases) and a risk assessment. The design phase identifies requirement from security viewpoint, after which there are architecture/design reviews and then threat modeling is conducted. As in the standard SDLC, the coding is where the meat of the work will be done using coding best practices and static analysis performed. The final and most essential phases are the software testing via vulnerability assessment and fuzzing (testing technique used to uncover coding mistakes and security gaps in software, operating systems or networks by entering enormous amounts of random data (Stallings & Brown, 2015)), and then the software is deployed with server/network configuration with a final