
Domain 8: Software Development Security (Weightage 10%)

Software Development Security deals with developing software that is secure and robust. It covers the basic principles behind securely designing, testing and building enterprise applications. Closed-source software is typically released in executable form, with the source code kept confidential. Freeware is software that is free of charge to use. Shareware is fully functional proprietary software that may initially be used free of charge. Crippleware is partially functioning proprietary software, often with key features disabled.

Application development follows different models. The waterfall model is a linear development model with rigid phases: when one phase ends, the next begins. The sashimi model has highly overlapping steps; it can be thought of as a real-world successor to the waterfall model and is sometimes called the sashimi waterfall model. Agile software development evolved as a reaction to rigid development models and includes Scrum and Extreme Programming (XP). The spiral model repeats the steps of a project, starting with modest goals and expanding outwards in ever-wider spirals called rounds. Rapid application development (RAD) rapidly develops software through the use of prototypes, dummy GUIs, back-end databases, and more. The systems development life cycle (SDLC) focuses on security and is used in the IT industry.

Software escrow describes the process of having a third party store an archive of computer software. The security of private/internal code repositories largely falls under the corporate security controls discussed previously: defense in depth, secure authentication, firewalls, version control, etc. Software change and configuration management provide a framework for managing changes to software as it is developed, maintained, and eventually retired. DevOps is a more agile development and support model, echoing Agile programming methods.

This module also covers databases. A database is a structured collection of related data. A relational database contains two-dimensional tables, or relations, of related data. Tables have rows and columns; a row is a database record, called a tuple, and a column is called an attribute. Database normalization seeks to make the data in a database table logically concise, organized, and consistent. Database query languages allow the creation of database tables, read/write access to those tables, and many other functions. Database replication mirrors a live database, allowing simultaneous reads and writes to multiple replicated databases by clients. A shadow database is similar to a replicated database with one key difference: a shadow database mirrors all changes made to a primary database, but clients do not access the shadow. A data warehouse is a large collection of data, whereas data mining is used to search that data for patterns.

Next, the module covers Object-Oriented Programming (OOP), which uses an object metaphor to design and write computer programs and provides data encapsulation, inheritance, and polymorphism. Common application vulnerabilities include buffer overflows, hard-coded credentials, SQL injection, directory path traversal, cross-site scripting, and backdoors. The Software Capability Maturity Model (CMM) is a maturity framework for evaluating and improving the software development process. Acceptance testing examines whether software meets various end-state requirements, whether from a user or customer, contract, or compliance perspective.
