Secure Software Development

Introduction to Secure Software Development

Unit 1

Welcome to Week 1. The content we will examine this week underpins a number of the important concepts used throughout the module. This begins with an examination of the management approaches to supporting software development, in recognition of the weaknesses of more traditional approaches such as waterfall, and the strategies applicable to more modern approaches such as agile. The Unified Modelling Language (UML) will be investigated in Week 1, with the knowledge gained being applicable throughout the module to the modelling of software deployments from their design phase. From a practical perspective, UML is explored through the creation of a flow chart. Week 1 also introduces the concept of a risk-aware culture in an organisation: while it is important to develop software that is secure, this is only one aspect of responding to the security challenge. It is critical that the people inside the organisation who are responsible for developing and maintaining the software have a security-responsible attitude.

Outcomes

  • Summary of the learning outcomes

This unit aims to:

  • Identify relevant academic literature which discusses the ways in which secure software may be developed using an agile process
  • Decompose an activity into a set of tasks which can be represented using a flow chart from the UML portfolio of modelling techniques
  • Describe the importance of creating a culture of risk awareness in an organisation, in addition to the creation of secure software
  • Appreciate the importance of developing a risk-aware culture within an organisation
Artefacts

The projects of the unit to achieve those learning outcomes:

  • Collaborative Discussion 1: UML Flowchart
  • Broken Access Control
  • Team Project and assessments
  • Team Contract
  • Reflection

What exactly have I learnt and how?

This unit introduced me to the secure software development lifecycle and the team project. I am excited about the process of developing software together with a team. I also learned about Scrum agile software development and why it is much better than the waterfall method. In contrast to the waterfall method, with the agile method you can make changes during development because there is a review by the customer every 3-4 weeks. Through software development in the last module, I have already learned the benefits of UML diagrams and why they are essential for the design phase of the development lifecycle. In addition, the collaborative discussion gave me an initial overview of security risks. The discussion of the Open Web Application Security Project's (OWASP) top 10 security risks has given my approach to software development in terms of security a much clearer meaning than before. I look forward to furthering approaches to mitigating these risks.

Notes

Notes from the elaboration of the unit, various meetings, and feedback from team members and tutors

Feedback from a student to my initial post "Broken Access Control" on the collaborative discussion "UML Flowchart"
Dear Gianluca,
Indeed, broken access control is one of the most important issues facing us today, and as you pointed out in your post, it has been gaining prominence over the other risks in recent years.
From my point of view, authentication and authorization go hand in hand, and a vulnerability in one inevitably has an impact on the other. The most basic mitigation to this risk is documenting the authorization scheme and the user privileges at the earliest phase and building the project on top of that. Because, as you suggest, after the initial release, as the project grows, the risks associated with authentication and authorization might increase as the access controls get scattered all over the project. Even if the project grows out of its initially intended scale, the initial documentation should be taken as the basis and should be revised as necessary in order to keep access control code in a central place.
One other mitigation to this risk might also be to switch from traditional approaches to modern ones. For instance, as pointed out by Slusky (2020), blockchain technology allows authentication and authorization to be handled using public-key cryptography (Cresitello-Dittmar, 2016).
To summarize, I strongly believe that with the help of modern approaches, this risk can be mitigated to a great extent.
References
Cresitello-Dittmar, D. (2016) Application of the Blockchain For Authentication and Verification of Identity. Available from: http://www.cs.tufts.edu/comp/116/archive/fall2016/bcresitellodittmar.pdf [Accessed: 29 September 2022]
Slusky, L. (2020) Cybersecurity of Online Proctoring Systems. Journal of International Technology and Information Management 29(1): 56-83.
- Reply to student from Gianluca Cannone:
Thank you for your feedback! I agree with you that authentication and authorization go hand in hand. That is right: proper documentation is the key to more security, and especially to more security in access control.
As for your second argument, blockchain increases trust, security, transparency and traceability of data. Hence, it is a powerful modern technology to mitigate risk and eliminate access by third parties (IBM, 2022).
References
IBM (2022) Benefits of blockchain. Available from: https://www.ibm.com/topics/benefits-of-blockchain. [Accessed 30 September 2022].

Feedback from the tutor to my initial post "Broken Access Control" on the collaborative discussion "UML Flowchart"
Thanks very much for providing this post, Gianluca. It is interesting to hear your viewpoints on the ineffectiveness of plugging access control into a system at a later stage of the process, and this is certainly something we try to promote in this module - the fact of integrating security mechanisms from the requirements gathering phase.
In relation to your UML model, I do not completely understand what is being captured here relative to broken access control. I would like to see if it is possible to expand this model to depict the reason or reasons why broken access control does not exist in the system. You may also wish to present the activity from top down, as activity diagrams are more commonly presented in this way.
Careful attention to detail in this post, Gianluca, well done, particularly from the perspective of referencing and inline citation. Please note that we want to see you writing in UK English as opposed to American English, given that this work is being assessed by an institution based in the UK - 'unauthorised' instead of 'unauthorized'.
Best wishes,
Tutor

Feedback from the tutor to my initial post "Broken Access Control" on the collaborative discussion "UML Flowchart"
Thank you so much for the post. That was interesting to read. I think that by default all users should have their access to any page on a web application denied unless stated otherwise. On top of that, adding a monitoring and alerting system, and logging and flagging who accessed what and when, will definitely help figure out what is going on in the system. Enforcing 2FA and IP whitelisting will definitely help protect sensitive data from being accessed from outside the network.
A lot of web frameworks help you set all of these up. According to the Django documentation, you are easily able to set permissions for users across the entire application. Furthermore, you are able to add group permissions, which is excellent!
Automated testing can help figure out whether access levels and permissions have become broken for particular pages or not. Django allows developers to create their own unit tests. Running these unit tests on every single build and tracking whether they succeeded or not is an essential part of software development and should not be skipped, no matter what. Creating secure software that is late for delivery is better than creating non-secure software on time.
In the end, no software is ever fully secure, and the battle between white and black hackers will always exist. However, as developers, we must try our best to write secure software and stay up to date with industry trends and news.
References
Django Software Foundation (2022) Using the Django authentication system. Available from: https://docs.djangoproject.com/en/4.1/topics/auth/default/
Django Software Foundation (2022) Writing and running tests. Available from: https://docs.djangoproject.com/en/4.1/topics/testing/overview/
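The pattern the two comments above describe, one documented authorisation scheme kept in a central place, access denied unless explicitly granted, and unit checks that run on every build to catch broken access control, as an added example that is not part of the original discussion and is not Django code. It is framework-independent Python; the roles, policy table, users and documents are constructed sample data, and `is_allowed`, `requires` and `access_matrix` are hypothetical names chosen for this illustration.

```python
"""Deny-by-default access control with a single policy table (added example).

Not Django and not from the discussion above: a framework-independent model of
the pattern the comments recommend. Roles, rules and sample users are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from functools import wraps


class Role(str, Enum):
    ADMIN = "admin"
    EDITOR = "editor"
    VIEWER = "viewer"


@dataclass(frozen=True)
class User:
    user_id: int
    roles: frozenset
    is_authenticated: bool = True


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int


@dataclass(frozen=True)
class Rule:
    roles: frozenset          # roles that may perform the action
    owner_only: bool = False  # non-admins must additionally own the object


# The documented authorisation scheme, kept in one place.
# Any (resource, action) pair that is not listed here is denied.
POLICY = {
    ("document", "read"): Rule(frozenset({Role.ADMIN, Role.EDITOR, Role.VIEWER})),
    ("document", "write"): Rule(frozenset({Role.ADMIN, Role.EDITOR}), owner_only=True),
    ("document", "delete"): Rule(frozenset({Role.ADMIN})),
    ("admin_panel", "view"): Rule(frozenset({Role.ADMIN})),
}


class Forbidden(Exception):
    """Raised when a request is not explicitly permitted by POLICY."""


def is_allowed(user, resource, action, obj=None):
    """Return True only when an explicit rule grants the request."""
    if not user.is_authenticated:
        return False
    rule = POLICY.get((resource, action))
    if rule is None:                      # unknown resource/action: deny by default
        return False
    if not (user.roles & rule.roles):     # function-level (vertical) check
        return False
    if rule.owner_only and Role.ADMIN not in user.roles:
        # object-level (horizontal) check: editors may only touch their own records
        return obj is not None and obj.owner_id == user.user_id
    return True


def requires(resource, action):
    """Decorator so every handler declares its permission; undeclared means denied."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(user, obj=None):
            if not is_allowed(user, resource, action, obj):
                raise Forbidden(f"user {user.user_id} may not {action} {resource}")
            return handler(user, obj)
        return wrapper
    return decorator


@requires("document", "write")
def edit_document(user, doc):
    return f"user {user.user_id} edited document {doc.doc_id}"


@requires("admin_panel", "view")
def admin_panel(user, _obj=None):
    return "admin panel"


def attempt(handler, user, obj=None):
    """Call a guarded handler and report 'forbidden' instead of raising."""
    try:
        return handler(user, obj)
    except Forbidden:
        return "forbidden"


# Constructed sample data for the build-time checks.
ALICE = User(1, frozenset({Role.EDITOR}))
BOB = User(2, frozenset({Role.EDITOR}))
CAROL = User(3, frozenset({Role.VIEWER}))
ROOT = User(9, frozenset({Role.ADMIN}))
ANON = User(0, frozenset(), is_authenticated=False)
ALICE_DOC = Document(doc_id=10, owner_id=1)


def access_matrix():
    """Checks to run on every build; each key names a broken-access-control case."""
    return {
        "owner_can_edit": is_allowed(ALICE, "document", "write", ALICE_DOC),
        "idor_blocked": not is_allowed(BOB, "document", "write", ALICE_DOC),
        "viewer_cannot_write": not is_allowed(CAROL, "document", "write", ALICE_DOC),
        "admin_overrides_owner": is_allowed(ROOT, "document", "write", ALICE_DOC),
        "anon_denied": not is_allowed(ANON, "document", "read", ALICE_DOC),
        "unlisted_action_denied": not is_allowed(ROOT, "document", "export", ALICE_DOC),
        "editor_no_admin_panel": not is_allowed(ALICE, "admin_panel", "view"),
    }


if __name__ == "__main__":
    for name, ok in access_matrix().items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```

The decisive property is that `is_allowed` has no path to `True` that does not pass through an entry in `POLICY`, so a new page or action that nobody documented is unreachable rather than open. The `access_matrix` checks cover both the vertical case (a viewer or editor reaching an admin function) and the horizontal case (an editor writing another user's document), which is the object-level failure a role check alone would miss.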
