CySA+
  • CySA+ CS0-002 Exam Objectives
  • Threat Intelligence Cycle
  • Intelligence Sources
  • Security Intelligence Sharing
  • Threat Classification and Threat Actors
  • Threat Research and Indicators of Compromise
  • Attack Frameworks and The Cyber Kill Chain
  • Defining Threat Modeling and Threat Hunting
  • Vulnerability Identification and Validation
  • Vulnerability Scan Results and CVSS Scores
  • Nmap and Enumeration
  • Security Controls
  • Defense in Depth Security Baselines
  • Security Trend Analysis
  • Remediation Issues
  • Asset, Change, and Configuration Management
  • Software Development Lifecycle & Development Models
  • Software Assessment and Code Review
  • Mitigating Attack Types Part 1
  • Mitigating Attack Types Part 2
  • Mitigating Attack Types Part 3
  • Password Cracking and Hashing
  • Privilege Escalation & Man-in-the-Middle
  • Network Based IoCs
  • Host Based IoCs
  • Network Architecture and Segmentation
  • Network Traffic, Packet, and Protocol Analysis
  • Pentesting and Active Defense
  • Firewalls
  • URL Analysis & DNS in Malware
  • Network Access Control and Port Security
  • Identity and Access Management (IAM)
  • Web Application Scanners
  • SSL/TLS Digital Certificate Management
  • Mobile Threats
  • Email Threats and Mitigation
  • Data Loss Prevention (DLP)
  • Endpoint Security and Behavior Analysis
  • Hardware Assurance
  • Blackholes and Sinkholes
  • IoT, Embedded Systems & ICS/SCADA Threats
  • Log Analysis & Continuous Security Monitoring
  • SIEM and Event Correlation
  • Malware Analysis
  • Cloud Models and Service Threats
  • Cloud Automation and Other Cloud Threats
  • VDI, Containers, and Microservices
  • CI/CD, IaC, DevOps
  • AI and Machine Learning
  • Digital Forensics
  • Technical Controls for Securing Data
  • Non-Technical Controls for Securing Data
  • Security Policies and Procedures
  • Continuity Planning and Risk Assessment
  • Incident Response Phases and Communication
Powered by GitBook
On this page

Software Development Lifecycle & Development Models

PreviousAsset, Change, and Configuration ManagementNextSoftware Assessment and Code Review

Last updated 2 years ago

  • Who is involved during the SDLC?

    • Developers

    • Testers

    • Software Architects

    • Security Architects

    • Project managers

    • Clients

    • Planning – Market to ship software, training, incorporate security.

    • Business requirements and analysis – Including security, but other features needed. A way to measure results.

      • Software requirements

        • Internal (libraries, storage)

        • External (connections)

        • Hardware

        • Users

    • Design

      • Devs involved

      • Risk analysis

      • Legacy or new code?

      • Functional requirements

      • Security requirements

      • Audit and debug methods

    • Implementation

      • Dev phase

      • Actual coding happens

      • Code review

      • Unit testing

      • Security: white box testing. See whole source code.

    • Testing

      • Functionality tests

      • Static analysis

      • Dynamic analysis

      • Security testing

        • Gray box

        • Black box

      • You will break your code

    • Deployment

      • Pushing the code out

      • Delivery vs deployment

      • Secure distribution

        • Code signing

        • DRM

        • Licensing

    • Maintenance

      • Ongoing monitoring

      • Break and fix

      • Patching

        • Functionality

        • Security

      • Monitor external dependencies

    • Retirement, End Of Life

      • End of maintenance

      • Purchased?

      • Retiring the software

        • External services

        • Active user accounts

      • Use the docs if you have them!

  • OWAS Software Security Assurance Process

  • Microsoft Secure Development Lifecycle

  • SANS on secure coding

  • Software development methods

    • Chaos

      • Just code

      • Fix when possible

      • Not really documented

      • Not measurable

      • Not thoroughly tested

      • Pros: good for small projects

      • Cons: everything else

    • Waterfall

      • You have a plan

      • A very strict plan

      • Focus on one phase at a time

      • Advance when only one phase is 100%

      • Pros:

        • Simple to understand

        • Works if perfectly planned

      • Cons:

        • Difficult to implement

        • Works only if perfectly planned

    • Agile

      • Values and principles

        • People and interactions

        • Working software is most important

        • MVP – Minimum viable product

        • Welcome change

        • Rapid response to change

      • Pros:

        • Teamwork

        • Realistic

        • Flexible

      • Cons

        • Not so good for complexity

        • Goals not very clear

        • High dependency on individuals

    • Iterative

      • Not full specs, just a part

      • Advance between iterations

      • Pros:

        • Good when reqs are well-defined

        • But some functionality is requested later

        • Easy to measure progress

      • Cons:

        • Requires more resources

        • Not so good for changing requirements

        • Not useful for small projects

    • Spiral

      • Waterfall + Iterative

      • Incremental releases

      • No linear path

      • Pros:

        • Good for long term projects

        • Changing requirements

        • smaller iterations, smaller risk

      • Cons:

        • Hard to manage

        • Many in-between phases

Diagram Description automatically generated