Help with developing a Software Development Life Cycle Assessment?

Your team is focused on preventing future incursions into the network and developing a business continuity plan to be deployed in case a breach occurs. As a member of my team, I have been given the responsibility of preparing the Software Development Life Cycle Assessment including references. I have also included the info for highlighted links. I have included as much info to help with completion. I am dealing with the United States/Federal Government Sector for CYB 670 Cybersecurity Capstone. Please read all info carefully, and only use USA sources if possible for references.

Unformatted Attachment Preview

Your team is focused on preventing future incursions into the network and developing a business continuity plan to be deployed in case a breach occurs. Read the scenario below.

Project 3 Scenario Transcript

Before the summit, each nation set up its own secure comms network. As summit events began, your team responded to anomalous network activity that was detected on your agency's server. Now, to make matters worse, the next day you awaken to the news that summit attendees are unable to get access to the confidential summit data needed for the conference. All of the computer screens show a pop-up message that says:

"Your Computer has been involved in Child Porn Activity!!! and has been locked down by the FBI and the Justice Department. Unless you pay the sum of $500 (FIVE HUNDRED DOLLARS)—in Bitcoin you will be arrested immediately! You have 48 hours to pay up via email -"

Your CISO has called an emergency meeting with your team. She begins to speak to the group.

"We've just been hit with the Reveton ransom attack, which pretends to be a warning from a country's law enforcement agency. It locks you out of your PC and threatens criminal proceedings within 48 hours based upon very serious offenses. The message informs you that you can avoid prosecution by paying a fine to the attackers via Bitcoin. Based on the time of the incident, we believe that a single threat actor or group is responsible. This person or group is still unidentified."

The CISO continues to brief you on the attack, confirming that no further information is known about the file, permissions, or tools used. Currently, systems show no signs of infection or additional malicious indicators.

The attendees at the summit are divided on what should be done. Some of them want to pay the money—it's a small sum to be holding up the proceedings. However, cyber insiders know that once you pay a ransom, you set a precedent for further attacks since you appear vulnerable.

In addition, you want to know how the attackers were able to infiltrate the system and plant the malware. What current protections are in place for systems at the summit? What methods and procedures are your team employing in response to the current attack? What is the plan if protections fall short? These are the questions pouring in from leadership, down to your CISO—and now, to you.

Your CISO continues: "I need your team to provide a series of reports that will track this incident from start to recovery. Risk management briefings. Forensic reports. Situational reports. I need it all. They'll all come in handy when it's time to debrief our nation's leaders."

I am responsible for part 4 and 5. I have also included the info for the underlined in red.

Part 4:

Now that the first SITREP is complete, it's time to take a step back and take a look at all the processes that led to the ransomware attack. How did the malware get here? Is the supply chain safe? Who was the vendor and how was the vendor vetted?

As a cyber professional, you know that high-profile cyberattacks that cripple the supply chains of prominent companies show that the point of entry for hackers is often through the weakest link in the supply chain. That's why it's important to take a look at your team's software, the supply chain, and the development processes—all components in a business continuity plan (BCP).

Ensuring appropriate security controls are implemented and integrated in the system development life cycle and included in the comprehensive BCP is a critical step in finding out what happened, why it happened, and how you can keep it from happening again. This BCP will be used to help the CISO identify current systems and timelines that will be used to bring systems back online and review the sequence of events that occur during BCP operations.

Begin this step by identifying the specific software assurance needs and expectations of the organization.
The needs and expectations that you identify in this step will be used in the Software Development Life Cycle Assessment. For a refresher, refer to this information on software development security.

In this step, you will research and analyze issues in supply chain risk management (SCRM) in order to make informed decisions in the future regarding the selection of products. Identify the supply chain risks and challenges for your organization. Next, conduct research to determine other options that are available for consideration. The vulnerabilities and alternatives that you identify in this step will be used in the Software Development Life Cycle Assessment, which you will submit in the next step.

Research and analyze the processes used by your organization's software development life cycle (SDLC). After you identify the existing processes, research alternatives that could be considered for optimization of security and efficiency. The processes and alternatives that you identify in this step will also be used in the Software Development Life Cycle Assessment, which will be part of the BCP that you will submit in a future step. You will assess the life cycle of software development in the next step.

Part 5:

Your research and analysis during the previous step should have prepared your team to evaluate and develop a five-page Software Development Life Cycle Assessment in this step. You will consider the organization's software development life cycle, from sourcing through implementation. Discuss risks identified in the supply chain and life cycle. Evaluate alternative processes and products. Conclude with recommendations for improving the security, efficiency, and cost-effectiveness of the SDLC with a look at avoiding future breaches.

Be sure to do the following:

• Describe basic models and methodologies of the software development life cycle.
• Identify a development methodology that fits your organization and explain why.
• Describe the phases of the software life cycle.
• List and discuss the security principles you would need to consider and explain how you would apply them throughout the software life cycle.
• Describe the elements of a maturity model.

Your designated team member should submit the software development life cycle assessment for review and feedback. This assessment will be included in your Cyber Operations and Risk Management Briefing, which you will develop later in the project. You will also use this work to create a software development matrix, which you will complete in the next step as part of the BCP.

Software Assurance

Software assurance seeks to reduce or remove vulnerabilities in order to increase confidence that software can be used securely and effectively. With the rapid technological advances that have made computers a commodity and specialized software the norm, there is an increasing need to ensure that software performs as expected and is not violated with malicious code or unauthorized actions. Software assurance involves every element that has the potential to touch the software and to be effective must take a holistic approach to both understanding the environment in which the software is developed and used as well as the requirements for software performance. Software assurance objectives must be developed and assessed at all levels, as they determine an organization’s exposure to risk.

Software Development Security

When organizations develop custom system and software solutions, they must also consider the need to ensure data and application integrity, security, and availability. Therefore, security controls must be included within their custom solutions, and their inclusion planned as part of the system development life cycle (SDLC) methodology used to implement these solutions.
Regardless of the model selected (e.g., waterfall, spiral, rapid application development, agile), all implemented systems should be traceable, allowing process and resulting conditions to be verified and outcomes to be validated against the initial system requirements. To that end, there are security considerations during each phase of the SDLC, from identifying the information classification and protection levels during the initiation phase to determining strategies for sanitizing media and preserving information during the disposition phase.

As with other organizational assets, threats to the integrity, security, and availability of software applications exist. Vulnerabilities may take the form of code weaknesses that allow hackers to compromise information or an information system (e.g., buffer overflow). Defects may exist as a result of a design flaw or an implementation weakness (e.g., hard-coded backdoors). Bugs may exist at the implementation level, resulting in unintended results or performance. In order to mitigate these risks as much as possible, organizations should not only audit their development practices and perform multiple types and layers of testing (e.g., unit, system, security, acceptance) but also define processes and procedures for assessing the security of any acquired software.

Click on each of the following links for topics related to the Certified Information Systems Security Personnel (CISSP) Common Body of Knowledge to help you better understand the subject area.

Supply Chain Risk Management

Supply chain risk management (SCRM) is the process by which risks associated with the acquisition and provisioning of components (e.g., hardware, software, infrastructure) are regularly reviewed and addressed. Such efforts are applied in order to minimize the impact of risks on business operations and the security of the infrastructures and data.

SCRM acknowledges that the origin of system components cannot always be controlled and that as such, vulnerabilities can occur that threaten the security of the system. Such vulnerabilities in the supply chain can occur naturally (i.e., as a result of changes in technology or use cases) or intentionally (i.e., due to the intent to create weaknesses to enable exploitation). All organizations that are dependent on a supply chain must consider the need for resilience and build processes that assure continued business operations even in spite of malicious acts.

Software Development Life Cycle

The software development life cycle (SDLC) defines the steps needed to develop and maintain software through its usefulness. This process is initiated during the software design phase and focuses on quality development standards that result in timely and cost-effective delivery against requirements. Security analysis and testing is an important component of the development cycle and should be considered through every step of the SDLC, which includes the following phases: analysis, requirements document, design and prototype, implementation (coding), testing and release, and maintenance. While SDLCs historically were focused on satisfying functional requirements through software development processes, the increase in cyberattacks has resulted in adding the integration of security into each phase of the SDLC.

Maturity Model

Maturity models are used to standardize development to ensure consistency. In cybersecurity, a software assurance maturity model assists organizations with the development and implementation of a software security strategy. This process involves an assessment of the organization's needs, resources, and risk tolerance as well as benchmarking against comparable organizations. A maturity model has a set of structured levels to describe the reliability and sustainability of the outcomes of an organization's practices, behaviors, and processes.
Thus, maturity models facilitate the assessment of an organization's processes and methods, promote consistency, and provide an independent review.

Capability Maturity Model: An Introduction

In addition to using international standards to evaluate their information technology (IT) products, organizations also follow international standards to manage and improve their own performance and capabilities. The Capability Maturity Model (CMM) comprises five levels through which each organization must progress to achieve optimum performance or capability when developing secure software (International Quality Management Systems, n.d.):

• Level 1: Initial. Apply workforce practices without analyzing their impact.
• Level 2: Managed. Get managers to take responsibility for managing and developing their employees.
• Level 3: Defined. Develop workforce competencies and workgroups and align with business strategies.
• Level 4: Predictable. Empower and integrate workforce competencies. Manage progress through a defined set of metrics.
• Level 5: Optimizing. Continuously monitor and improve performance.

CMM is the benchmark for comparing the software development processes of two or more organizations.

Working Through Capability Maturity Model Levels

What follows is how a typical medium-sized company might strive to accomplish the CMM Level 5 certification.

Level 1: Initial

At this level, the organization has not started any formalized methodology. When it decides on a formalized methodology for developing secure software, such as CMM, it moves to the second level.

Level 2: Managed

At this level, the organization ramps up the training, working environment, and personnel needed to begin the secure software development life cycle. For example, the organization might initiate training on secure coding practices and training for auditors to show them how to document and evaluate information assets.

Managers then create working environments, in which breakout groups are asked to work on individual aspects of the formalized methodology. For example, an organization might create an auditing group, a secure coding group, a project management group, and departmental leadership groups.

Level 3: Defined

In this level, the organization further defines its methodology by breaking out its personnel into more focused and specific working groups, developing best practices and creating a culture in which the staff participates in the program to increase their investment in the outcome. The secure coding group, for example, could be further divided into secure coding for databases, secure coding for web servers, and secure coding for network administrators. The groups then develop best practices for how they will communicate among each other and share/report information, along with best practices for securely coding customer databases and web servers at the subgroup level.

Level 4: Predictable

At this level, the organization's processes are stable and established in ensuring secure coding. Leaders mentor the staff, and the individual working groups—which now have a deep knowledge of the processes and in-depth frontline experience—are empowered to make their own decisions, such as deciding whether to use a different coding protocol on a customer database based on several small issues on the database. Performance management is also put into place. The organization identifies a benchmark and establishes metrics to measure progress toward reaching that goal. These metrics are also used to monitor the progress of all teams in the organization.

Level 5: Optimizing

At this level, the organization finally optimizes its process, adapting it to new challenges and continuing to monitor and improve it regularly to ensure continued excellence.

Review

Of the following tasks, consider what level of the Capability Maturity Model (CMM) each would be performed by an organization.

• Monitor progress through established metrics
• Create best practices and workgroups
• Formalize a methodology to improve processes
• Organize the personnel needed to establish workgroups

Monitor Progress Through Established Metrics

The organization puts performance management policies in place that allow it to monitor progress at CMM Level 4.

Create Best Practices and Workgroups

At CMM Level 3, the organization further defines its methodology by developing best practices, breaking out personnel into more focused and specific working groups, and creating a culture in which the staff participates in the program to increase their investment in the outcome.

Formalize a Methodology to Improve Processes

The organization starts to formalize a methodology to move to Level 2 during CMM Level 1.

Organize the Personnel Needed to Establish Workgroups

At CMM Level 2, the organization ramps up the training, working environment, and personnel needed to begin the secure software development life cycle.

Explanation & Answer

Here it is, buddy! Go through it, and in case you need any edits or clarification, feel free to alert me.

Surname 1
Student’s Name
Professor’s Name
Software Development Life Cycle Assessment
The Software Development Life Cycle (SDLC) is used to design, develop, and test
software of high quality. There are six basic SDLC methodologies, namely agile, lean, waterfall,
iterative, spiral and DevOps. Inasmuch as they vary from each other, their purpose is still the
same: delivering software of high quality as well as cutting costs.
The agile model is about a decade old now, and recently it has been at the forefront of
software development. Failing at first is usually a good sign in agile. This approach produces
cycles of release, and in each period there is always a slight change from the previous one. The
product is tested after every iteration. As a result, the development team is able to identify
small problems.
Lean is another model used in the development of software. This model follows the
manufacturing principles and practices of lean, which are waste elimination, learning
amplification, late decisions, fast delivery, team empowerment, integrity building and seeing the
whole ("6 Basic SDLC Methodologies: Which One Is Best?"). The lean model ensures that
everything that should be worked on at a given time is being worked on, as a result of
discouraging multitasking. There are very slight differences between the agile and the lean model
when it comes to SDLC ("6 Basic SDLC Methodologies: Which One Is Best?").
The waterfall is yet another model, inasmuch as it is argued that the model was not
meant to be applied in real projects. However, among the structured SDLC models, the waterfall
model is the oldest of all. Its approach is straightforward in the sense that every stage depends on
data from the prior step and has a unique project plan. The iterative model, on the other hand, is
said to be repetition personified. For instance, project teams do not begin with elaborate
requirements, but instead, they test a set of conditions then evaluate and get into further
