
CISSP Exam Guide Notes: 8.2 Software Development Life Cycle

血狼debugeeker
Published 2021-09-10 10:43:07
Included in the column: debugeeker's column

Several software development life cycle (SDLC) models have been developed over the years; the crux of each model deals with the following phases:

  • Requirements gathering
  • Design
  • Development
  • Testing
  • Operations and maintenance

Project Management


Project management is an important part of product development, and security management is an important part of project management.

A security plan should be drawn up at the beginning of a development project and integrated into the functional plan to ensure that security is not overlooked.

The security plan and project management activities are likely to be audited, so that security-related decisions can be understood.

If a software product is being developed for a specific customer, it is common for a Statement of Work (SOW) to be developed, which describes the product and customer requirements.

Sticking to what is outlined in the SOW is important so that scope creep does not take place.

A work breakdown structure (WBS) is a project management tool used to define and group a project’s individual work elements in an organized manner.

Requirements Gathering Phase


As it pertains to security, the following items should be accomplished in this phase:

  • Security requirements
  • Security risk assessment
  • Privacy risk assessment
  • Risk-level acceptance

The security requirements of the product should be defined in the categories of availability, integrity, and confidentiality.

An initial security risk assessment should be carried out to identify the potential threats and their associated consequences.

After a privacy risk assessment, a Privacy Impact Rating can be assigned, which indicates the sensitivity level of the data that will be processed or accessible. Some software vendors incorporate the following Privacy Impact Ratings in their software development assessment processes:

  • P1, High Privacy Risk
  • P2, Moderate Privacy Risk
  • P3, Low Privacy Risk

Clear risk-level acceptance criteria need to be developed to make sure that mitigation efforts are prioritized.

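For the remaining content, please follow my WeChat official account debugeeker; the link is CISSP Exam Guide Notes: 8.2 Software Development Life Cycle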

Originally published: 2021/03/30