Integrating security activities into the software development life cycle and the software quality assurance process |
| |
| Affiliation: | 1. Business School, Yangzhou University, Yangzhou, 225000, PR. China;2. School of Economics and Management, Nanjing Technology University, Nanjing, 210000, PR. China;3. Department of Computer Science and Engineering, School of Sciences, European University Cyprus, Nicosia 1516, Cyprus;4. Positive Computing Research Group, Institute of Autonomous Systems, Department of Computer & Information Sciences, Universiti Teknologi Petronas, 32610, Bandar Seri Iskandar, Perak, Malaysia;5. Institute of IR4.0 (IIR4.0), Universiti Kebangsaan Malaysia, 43600, Bangi, Selangor, Malaysia;1. Department of Manufacturing and Indsutrial Engineering, The University of Texas Rio Grande Valley Texas, 78520, United States;2. Department of Electrical and Computer Engineering, The University of Texas Rio Grande Valley Texas, 78520, United States;3. Complex Engineering System Laboratory, The University of Texas Rio Grande Valley Texas, 78520, United States |
| |
| Abstract: | Security concerns should be an integral part of the entire planning, development, and operation of a computer application. Inadequacies in the design and operation of computer applications are very frequent source of security vulnerabilities associated with computers. In most cases, the effort to improve security should concentrate on the application software. The system development life cycle (SDLC) technique provides the structure to assure that security safeguards are planned, designed, developed and tested in a manner that is consistent with the sensitivity of the data and/or the application. The software quality assurance process provides the reviews and audits to assure that the activities accomplished during the SDLC produce operationally effective safeguards.This paper addresses two issues of concern to those responsible for ensuring that the safeguards incorporated into application software are adequate and appropriate. The first issue addresses the integration of specific security activities into the SDLC. The discussion of this issue addresses the following security activities in the SDLC; determination of the sensitivity of the application and data; determination of security objectives; assessment of the security risks; conduct of the security feasibility study; definition of security requirements; development of the security test plan; design of the security specifications; development of the security test procedures; writing of the security-relevant code; writing of the security-relevant documentation; conduct of the security test and evaluation; writing on the security test analysis report; and, preparation of the security certification report.The second security issue addresses the security reviews and audits that should be integrated into the software quality assurance process to ensure that the security activities in the SDLC are accomplished. The security reviews and audits discussed include: the security requirements review; the security design review; the security specifications review; the security test readiness review; and the security test and evaluation review. Also addressed is how quality software is defined and achieved and why and how the concept of quality should be applied to application software security safeguards. |
| |
| Keywords: | |
| 本文献已被 ScienceDirect 等数据库收录! |
|
