Abstract
Security concerns should be an integral part of the entire planning, development, and operation of a computer application. Inadequacies in the design and operation of computer applications are a very frequent source of security vulnerabilities associated with computers. In most cases, the effort to improve security should concentrate on the application software. The system development life cycle (SDLC) technique provides the structure to assure that security safeguards are planned, designed, developed and tested in a manner that is consistent with the sensitivity of the data and/or the application. The software quality assurance process provides the reviews and audits to assure that the activities accomplished during the SDLC produce operationally effective safeguards. This paper addresses two issues of concern to those responsible for ensuring that the safeguards incorporated into application software are adequate and appropriate. The first issue addresses the integration of specific security activities into the SDLC. The discussion of this issue addresses the following security activities in the SDLC: determination of the sensitivity of the application and data; determination of security objectives; assessment of the security risks; conduct of the security feasibility study; definition of security requirements; development of the security test plan; design of the security specifications; development of the security test procedures; writing of the security-relevant code; writing of the security-relevant documentation; conduct of the security test and evaluation; writing of the security test analysis report; and preparation of the security certification report. The second security issue addresses the security reviews and audits that should be integrated into the software quality assurance process to ensure that the security activities in the SDLC are accomplished.
The security reviews and audits discussed include: the security requirements review; the security design review; the security specifications review; the security test readiness review; and the security test and evaluation review. Also addressed is how quality software is defined and achieved and why and how the concept of quality should be applied to application software security safeguards.