
Secure Software Design and Development

Introduction

The summary of this course is applicable to any engineer, technical leader, or future leader at an organization of any size that needs a set of investments aimed at evolving culture, automating processes, unifying tools, improving engineering productivity, and delivering secure, compliant, and more reliable services faster with consistent experiences.

The main highlight of the course summary is its coverage of the different software development frameworks. Briefly, I want to highlight that agile development strongly values the continuous addition of incrementally useful functionality. This contrasts with the current development model, where entire features are expected to be complete before check-in.

A crucial part of this principle is that those incremental features should be delivered to customers, primarily to gather feedback. Whether this works with the Office model will depend on how we introduce new features and on our flighting [need ref] strategy. But irrespective of whether incremental feature additions are released to actual customers, we can add new features internally to unblock feature dependencies and allow dogfood testing and feedback.

The Software Development Life Cycle (SDLC) is a process for building secure software. The SDLC approach is part of the broader asset and liability management assessment and uses this model to provide a framework for achieving a vision and a sustainable strategy for prioritizing the IT security investments that fuel high-quality software.

The Software Development Life Cycle (SDLC) focuses on assessing the current full application development lifecycle, including:

  • Project Planning, Initiation, and Tracking

  • Requirements Engineering

  • Architecture

  • Development

  • Testing and Quality Assurance

  • Source Configuration Management

  • Build and Release Management

Reflection, Ethics and Professional Responsibilities

The purpose of this software engineering plan is to lay out the requirements for going through a secure software development process from end to end.

Throughout the content, we have identified the key features that must be tested for user functionality and system operations. We will be leveraging critical standards from the National Institute of Standards and Technology to ensure that best practices are employed and that the application is secure as well as functional.

It is vital to highlight the importance of releasing secure software that meets the requirements while ensuring the quality and accuracy of tests. In this process, the organization will leverage an agile or scrum review process wherein features and sections of the application are assigned to teams who will test them, review code, and leverage automated testing software.

As tests are conducted, misconfigurations, issues, or potential improvements will be logged as tickets in our ticketing system assigned to developers of the respective team. From there, development follows standard processes for code reviews, dynamic scanning, and approvals.

All changes will be made in the development environment assigned to the development team in question. At the end of testing, the code will be merged into the master branch. As code is promoted through the different environments, independent Quality Assurance team members will review it and perform additional tests.

The artifact shared covers all the aspects needed to address the current challenges of innovation and software engineering. To achieve an organization's vision, it should make the following investments in these leading practices:

  • Tools – Provide guidance on test frameworks to use, training, and metrics to evaluate progress and quality.

  • Designing for testability – Make product design and implementation choices to support testability.

  • Test code is product code – Test code must follow the same standards and workflow as product code.

  • Focus on performance – Performance testing and monitoring will be integrated into the CI/CD workflow.

  • Track and report on service health.

  • Build a modern engineering pipeline.

  • Ongoing engineering skill development.

  • Code scanning for secrets.

  • Application security review.

  • Red teaming.

  • Secrets distribution in a secure way using Key-vault.

  • Threat and vulnerability management.

This plan has been reviewed and approved by the Development Lead for the Traxer application after review and approval by the Senior Leadership Team.

From the ethics standpoint, software engineers, leads, and managers have a more comprehensive range of responsibilities than merely the application of technical skills. All the roles involved in software development must behave in an honest and ethically responsible way if they are to be respected as professionals. Ethical behavior is more than simply upholding the law; it involves following a set of morally correct principles, and this is an area that I focus on heavily in my team's practices in my current role.

From the responsibility standpoint, we can highlight two areas:

  • Confidentiality – Engineers should generally respect the confidentiality of their employers or clients, irrespective of whether or not a formal confidentiality agreement has been signed.

  • Competence – Engineers should not misrepresent their level of expertise. They should not knowingly accept work that is outside their ability.

 

Artifacts

  • Software Release (Complete Test Plan) – Final Assignment

Resources

Book References

  • Axelrod, C. W. (2012). Engineering Safe and Secure Software Systems. Artech House.

  • Sommerville, I. (2017). Software Engineering. 10th Edition. Pearson.

  • Wright, H., Manshreck, T., & Winters, T. (2020). Software Engineering at Google. O'Reilly Media.

 
