I need a 3-4 page software assurance guidelines document. It is a continuation of week 4. I would like to preview the answer before I pay. Thank you.








Software Assurance CSS321

Software Assurance Process – Management’s Role

John Doe Jr.

22 March 2017















Contents

Background

Product Overview

Departmental Organization

System Design Life Cycle

Desktop applications

Web Application and Database Application

Security in Nontraditional Development Models

Summary of the major steps and potential threats

Policies and processes that reduce threats

Software Assurance Policies and Processes

Static Code Analysis Tools

Bibliography


Background


ABC is a software development company. It is a medium-sized enterprise with a wide range of clients from all over the country. The company has its headquarters in Miami, Florida, and branches across the United States. The company is planning to expand outside the United States, beginning with Mexico and Canada. ABC focuses on the development of custom-made application software, meaning that most of the software created in the firm is specifically requested by the clients. However, some generic software is also created which can later be purchased by a client and re-engineered to fit their specific needs. The software assurance guidelines used by the company are specific to the type of software made; desktop applications have different assurance specifications from web applications. The guidelines specified will be implemented from development all the way to the client organization. The software guidelines can only be effective when both the developers and the users adhere to them.

Product Overview


The company provides a number of software applications for the government. These include Account Pro, an accounting application. It is desktop software and it is highly optimized. The company also provides the government with a police records system. This application is web based and relies heavily on the internet and the local area networks of the police stations. The application is backed by a database that stores all of the information.

Departmental Organization


The firm is organized into four departments. The first deals with installation and maintenance of software; this is the after-sales services department. It is vital to the company, since software often requires patches and maintenance. The second is the specifications research department, which works hand in hand with the clients to determine the software that the clients require most and communicates these requirements to the development department, which is made up of developers who code and test the applications. The marketing and sales department ensures that the company has good public relations and stays relevant among its clients.

System Design Life Cycle


The system design life cycle used in the organization is quite traditional and standard. The first phase is planning and information gathering, in which the system requirements are gathered and information is collected from the users. In the next phase, this information is organized and a system is proposed that will be able to solve the problems. Next is the design phase, where the coding is done to develop the system. After coding, the system is taken into testing and debugging. If it performs well, it moves to the implementation phase, where it is introduced to the clients. Maintenance is the last phase; it requires updates and patches, which lead back to the first stage, so the process becomes a cycle (Avison and Shah, 2007).



Software Assurance Techniques


The guidelines are applied in each phase by ensuring that the specifications gathered are exactly what the client wants. The system design and coding are verified by debugging and testing, and the people who will be in contact with the system are trained during the implementation phase so that they are able to use the system properly and avoid performing tasks that may be detrimental to the application.

ABC Company produces software that is consumed by the United States government. The company produces desktop, web and database applications. The software that the company produces is analyzed in this section to determine the security and performance risks associated with each of these applications, as well as the possible implications that these risks may have for the clients. For each risk, software assurance techniques are proposed, along with how these techniques can be applied to ensure that the application performs well at all times.

Desktop applications


ABC Company offers a wide range of desktop applications. However, the most robust of the applications sold to the government is Account Pro. This software is installed on a workstation computer and enables the user to perform complex accounting functions relatively easily. However, the person operating it must have both accounting and information technology knowledge in order to use the software well. The software does not do all the accounting independently; it requires the expertise of an accountant to function best, and that accountant must also be conversant with information technology in order to operate the application.

The application has all the characteristics of a desktop application. This means that it is at lower risk of intrusion from the internet and other forms of remote attack. However, it is still cumbersome to install and maintain, because maintenance and installation have to be done independently on every workstation. Ease of access is also reduced, since the user has to go to the physical location of the computer with the application in order to use it (Lee et al., 2008). This makes desktop applications unfavorable due to their cumbersome nature.

However, the application is very robust and well hardened as far as security is concerned. Guidelines such as the use of user authentication have been put in place to make sure that unauthorized users do not gain access to the application. The main threat that clients face while using this application, however, is not third-party intrusion but the application becoming outdated (Lee et al., 2008). This can reduce the general productivity of the application, making it harder to use to solve most if not all of the accounting problems of the client, and so making it inefficient.

The application can become outdated, and after five to ten years it will no longer satisfy the organizational needs that had been identified. To mitigate this threat, regular maintenance is done on the application and any new requirements are added to it. This maintenance and patching is an after-sales service that the government is happy to pay for.

Web Application and Database Application


The web applications sold by the company are usually backed by a database, making them two in one. The developers prefer the PHP platform to develop these web-based applications, and the database is most often a SQL database server. The two platforms work well together once linked to create an effective application. The company sold a web-based application to the police department in south Miami that has helped them keep records of statements made by the public and of the arrests made on the basis of those statements. This system has also helped them keep a record of the development of these cases.

Such a system is easier to use than a desktop application, since it can be accessed from anywhere as long as the user has an internet connection and access to the police local area network. It is also easier to install and maintain, since the installation is done on a central server and all the users access it in a client-server architecture, that is, through a web browser (Meier et al., 2013).

However, this application comes with a high risk of third-party intrusion, meaning that the application could be accessed by an unauthorized third party. Such access can leave the client organization vulnerable and its records open to tampering, which can cause unprecedented losses. To handle this, the application has user authentication and per-user accounts with logs to help monitor the activities of each user and identify unusual activity. However, the LAN in the police department also needs to be protected with firewalls and honeypots (Meier et al., 2013) to ensure that any third party that tries to access the network, and thus the application, through hacking or cracking is not able to do so.
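The per-user logging described above only helps if someone, or something, actually reviews the log for unusual activity. The following is an added example, not code from the paper or from ABC's application, of the kind of review that can run automatically over an audit log. The log format (timestamp, user, source IP, event, optional detail), the thresholds and the business-hours window are assumptions, and the log lines are constructed for the example.

```python
"""Added example: flag unusual activity in a per-user audit log.

Assumed log format per line: ISO timestamp, user, source IP, event, optional detail.
Three checks are shown: repeated login failures in a short window (possible
password guessing), a successful login from an IP the user has not used before,
and record edits outside business hours. Thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (not real data)
SAMPLE_LOG = """\
2017-03-22T08:01:10 alice 10.1.1.5 LOGIN_OK
2017-03-22T08:03:41 alice 10.1.1.5 RECORD_VIEW case=1042
2017-03-22T22:15:02 bob 10.1.1.9 LOGIN_FAIL
2017-03-22T22:15:20 bob 10.1.1.9 LOGIN_FAIL
2017-03-22T22:15:44 bob 10.1.1.9 LOGIN_FAIL
2017-03-22T22:16:01 bob 10.1.1.9 LOGIN_FAIL
2017-03-22T22:16:30 bob 10.1.1.9 LOGIN_FAIL
2017-03-22T22:17:05 bob 10.1.1.9 LOGIN_OK
2017-03-22T22:18:00 bob 10.1.1.9 RECORD_EDIT case=1042
2017-03-23T09:00:00 alice 192.0.2.77 LOGIN_OK
"""

FAIL_THRESHOLD = 5                 # this many failures inside FAIL_WINDOW raises an alert
FAIL_WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = range(7, 20)      # 07:00-19:59 is treated as normal for record edits


def parse_line(line):
    """Split one log line into its fields."""
    ts, user, ip, event, *rest = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "event": event, "detail": rest[0] if rest else ""}


def analyze(log_text):
    """Return a list of (alert_type, user, timestamp) tuples in log order."""
    alerts = []
    recent_fails = defaultdict(deque)   # user -> timestamps of recent failed logins
    known_ips = defaultdict(set)        # user -> IPs seen in successful logins so far
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        if e["event"] == "LOGIN_FAIL":
            q = recent_fails[e["user"]]
            q.append(e["ts"])
            # Drop failures that fell out of the sliding window
            while q and e["ts"] - q[0] > FAIL_WINDOW:
                q.popleft()
            if len(q) == FAIL_THRESHOLD:   # fire once, when the threshold is reached
                alerts.append(("BRUTE_FORCE", e["user"], e["ts"]))
        elif e["event"] == "LOGIN_OK":
            if known_ips[e["user"]] and e["ip"] not in known_ips[e["user"]]:
                alerts.append(("NEW_IP", e["user"], e["ts"]))
            known_ips[e["user"]].add(e["ip"])
        elif e["event"] == "RECORD_EDIT" and e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("OFF_HOURS_EDIT", e["user"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample log this reports three alerts: a burst of failed logins for bob, an off-hours record edit by bob, and alice logging in from an address not seen before. The first-seen IP of each user is learned from the log itself, so a user's very first login never raises NEW_IP; in practice the known-IP set would be seeded from historical logs rather than from the file under review.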

Another threat that clients may experience is the need for scaling. The records will increase in number and, with time, the department will require a larger database with more capacity to hold all the records. This scaling is done through maintenance, by gradually expanding the database as the requirements of the user increase. The functionality of the application is also updated regularly.



Security in Nontraditional Development Models


Software security involves combining several strategies to provide integrity, privacy, availability, usability and confidentiality. There are various non-traditional development models that can be used to achieve these objectives, and various ways to reduce security threats using agile development models such as Scrum. ABC Corporation will use the Scrum methodology. Scrum gives a firm freedom in how it executes most operations. One of its most important aspects is the elimination of a regular manager. The following is an overview of the important concepts involved in the model (Avison and Shah, 2007).

Summary of the major steps and potential threats

The Scrum team has three roles. The first is the Product Owner, who represents the stakeholders and clients. The Scrum Master helps in eliminating obstacles, while the Developers have the skills to deliver product increments within the system. Stories are the needs, stated from the perspective of the clients. The Product Backlog is a list of requirements, stories and items that need completion in order to deliver the end product. Tasks and subtasks represent steps created from backlog items. In sprint planning, the members of the team select the items from the backlog that need to be finished in the subsequent sprint (Lee et al., 2008). The sprint is the period in which tasks are completed; it is during the sprints that items are redefined, deleted or added.

The Daily Scrum is where team members meet, discuss the previous day's achievements and focus on the upcoming activities. The definition of done is the criterion used to examine whether items are ready after testing. The sprint review occurs at the final stage; the team checks for any issues that emerged after the completion of each sprint (Avison and Shah, 2007). The sprint retrospective is where the members of the team look at the finished product and review their work. It is at this point that members can reflect on the activities and make suggestions for further improvement.

This is a summary of the steps involved in Scrum. First, the Product Owner develops a wish list known as the product backlog. Secondly, in sprint planning, the team takes the top priorities from the wish list and describes how to implement those pieces. Thirdly, the team takes a fixed period, such as four weeks, to complete the work. It is important to understand that the team holds daily meetings to ensure there is satisfactory progress. The Scrum Master has the function of making sure the team focuses on the primary goal (Meier et al., 2013). At the end of the sprint, the work is completed and can be delivered to the clients or presented to the stakeholders for assessment. Finally, there is a sprint review and a retrospective.

When using Scrum there are various security threats. For instance, each sprint may introduce security flaws that might allow hackers to access the company's critical information. In this case, there is a need to employ experts to help manage the risks. Another mitigation strategy is the addition of extra testers to perform regular checks on the system. Another risk is the lack of enough time to address potential security threats. An example is the emergence of viruses that might adversely affect critical information. In such a case the clients will be informed of the issue, a way to stop any further damage by the virus will be sought, and the firm will have to commit additional resources to address the problem (Lee et al., 2008). In summary, if a threat is critical, urgent action is required: the critical issue will have to be dealt with daily to ensure there are effective measures in place to stop the threat, and the organization's members will have to notify senior management of the risk. When the issue is minor, on the other hand, the review of the system would be carried out quarterly.

Policies and processes that reduce threats

There are various security policies provided to minimize risks. The first activity is the development of security artifacts, including the security architecture, the definition of security threats, risk analysis, and the process of setting guidelines to reduce the effects of the risks. ABC Company should have a group of security developers in charge of maintaining security; this is crucial because duties will be delegated among the members of the team and no single individual will perform many tasks (Meier et al., 2013). First, there is a need to provide training on particular technologies such as database engines, frameworks and operating systems. Secondly, threats are reduced by proper review of the interface, the code and the test cases. Another policy that is critical to the reduction of security threats is the use of security testing to ensure everything is secure. The next process is the establishment of security audits at any particular point in the project. Finally, reviews are conducted after the completion of items in the backlog, and time checks are carried out at control points.









Security Static Analysis


System Design

ABC Company has produced a number of electronic medical systems. These systems are capable of helping government hospitals keep their records and handle other administrative tasks that allow the hospitals to give better care to their patients and be more efficient in delivering health services. These medical information systems are usually comprehensive systems that vary in scope depending on the needs of the hospital.

A generic Medical Information System has the capacity to capture patient information. This means that it has a database to hold patient information such as name, address, date of birth and sex. This data is held in a database and is accessible remotely by the patients. Each patient is able to view the data that the hospital is holding about them and can request that it be edited or deleted. This data is also not to be shared without the consent of the patient, or for a purpose that the patient is not aware of. This is in accordance with federal legislation on the privacy of medical data held by medical institutions. The Health Information Portability and Accountability Act (HIPAA) is the legislation that the system designers have to keep in mind while creating this entity in the database and this component within the system (Keyhani et al., 2008).

The system also requires a component that will hold organizational information. This will hold the data of the employees of the organization and the roles that they play within it. This includes rank and the amount of time they have worked with the hospital, as well as other information such as name, date of birth, sex, address and department. This component is key, since it will be used to create access levels for the various users so as to improve the security of the information in the system.

There also needs to be a component that captures the physician's comments about the patients. This component is updated each time the patient visits the hospital, and the patient's progress is captured in it. This component is also connected to other components within the system.

The next component that should be present in an electronic medical system is the laboratory component. It captures the laboratory results of each patient who is given special tests. These laboratory results need to be held in a different component from the one that captures physician comments, since the data is more technical and the fields would cause redundancy in the physician comments component. Thus, it is best to have a relationship to this component instead of combining the two (Keyhani et al., 2008).

The scan component captures information about the scans that have been performed, along with comments on these scans. This component also stores the image data of the scans themselves. It has a relationship with the physician comments component; this way, the data is captured without making the data in the physician comments component redundant or leaving null fields.

The finance component is the final component of most medical systems. It captures the cost of the services rendered by the hospital and the payments made. If the patient pays on the spot, this component's functions end there. Otherwise, the component allows an insurance claim to be billed to the insurance provider that covers the patient.


Software Assurance Policies and Processes

The system may have a number of security issues if it is not properly hardened. The patient component described first may be the most difficult component to create with regard to security, since it allows patients to access it remotely to view the information that the hospital is holding. This exposes the system, since attackers could gain access to user information. Therefore, hardening this component will include thorough authentication measures, including the use of usernames, passwords and PINs. Patients must be advised that they should not share their passwords and PINs with any other person. The PINs should also expire on a weekly basis, so that the clients are prompted to create another PIN or password. This will help reduce the amount of unauthorized access through this portal.

The employee component is also one that helps the rest of the system to be secured. This component captures the employees' information, and from this information user access levels are created. This means that employees only have access to the functions and data in the system that are relevant to their job description: depending on the employee's department and rank within the hospital, they can access different components and functionality within the system. This helps reduce unauthorized access to the data in the system.

The integrity of the data in the system is also enforced using keys. A primary key allows only one row with a given value of the key attribute; this is used to prevent duplication. Through the use of this primary key, relationships are established with other components within the system (Evans, 2012), creating foreign keys. This way, the information in the system is kept consistent. It is important that the data in the system be accurate, timely in terms of access and relevant in terms of use.
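The two preceding paragraphs describe access levels derived from the employee component and integrity enforced by primary and foreign keys. The following is an added example, not code from the paper or from ABC's medical system, that models a few of the components above in an in-memory SQLite database and shows both mechanisms at work: duplicate or orphaned rows are rejected by the key constraints, and a department-based access policy decides which components an employee may read. All table, column and department names and the access policy itself are assumptions made for the example; the sample rows are constructed.

```python
"""Added example: key constraints and department-based access levels in SQLite.

Table and column names, the departments and ACCESS_POLICY are assumptions for
this example; the rows inserted are constructed sample data.
"""
import sqlite3

SCHEMA = """
CREATE TABLE patient (
    patient_id    INTEGER PRIMARY KEY,
    name          TEXT NOT NULL,
    date_of_birth TEXT NOT NULL
);
CREATE TABLE employee (
    employee_id INTEGER PRIMARY KEY,
    name        TEXT NOT NULL,
    department  TEXT NOT NULL,
    job_rank    TEXT NOT NULL
);
-- A physician comment belongs to exactly one patient and one author.
CREATE TABLE physician_comment (
    comment_id INTEGER PRIMARY KEY,
    patient_id INTEGER NOT NULL REFERENCES patient(patient_id),
    author_id  INTEGER NOT NULL REFERENCES employee(employee_id),
    note       TEXT NOT NULL
);
-- Lab results live in their own table and point back at the comment they belong to.
CREATE TABLE lab_result (
    result_id    INTEGER PRIMARY KEY,
    comment_id   INTEGER NOT NULL REFERENCES physician_comment(comment_id),
    test_name    TEXT NOT NULL,
    result_value REAL NOT NULL
);
"""

# Assumed policy: which components each department may read.
ACCESS_POLICY = {
    "medical":    {"patient", "physician_comment", "lab_result"},
    "laboratory": {"lab_result"},
    "finance":    {"patient"},
}


def open_db():
    """Create the schema and load constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite ignores foreign keys unless enabled
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO patient VALUES (1, 'Pat Example', '1980-01-01')")
    conn.execute("INSERT INTO employee VALUES (10, 'Dr Example', 'medical', 'attending')")
    conn.execute("INSERT INTO employee VALUES (20, 'Tech Example', 'laboratory', 'technician')")
    conn.execute("INSERT INTO physician_comment VALUES (100, 1, 10, 'Routine visit')")
    conn.commit()
    return conn


def insert_ok(conn, sql, params=()):
    """True if the insert is accepted, False if a key constraint rejects it."""
    try:
        conn.execute(sql, params)
        return True
    except sqlite3.IntegrityError:
        return False


def can_access(conn, employee_id, component):
    """Derive the access level from the employee record, then consult the policy."""
    row = conn.execute("SELECT department FROM employee WHERE employee_id = ?",
                       (employee_id,)).fetchone()
    if row is None:          # unknown employee: deny by default
        return False
    return component in ACCESS_POLICY.get(row[0], set())


def demo():
    """Exercise the constraints and the policy; returns a dict of outcomes."""
    conn = open_db()
    return {
        "duplicate_patient":   insert_ok(conn, "INSERT INTO patient VALUES (1, 'Dup', '1990-01-01')"),
        "orphan_lab_result":   insert_ok(conn, "INSERT INTO lab_result VALUES (1, 999, 'HbA1c', 5.4)"),
        "valid_lab_result":    insert_ok(conn, "INSERT INTO lab_result VALUES (2, 100, 'HbA1c', 5.4)"),
        "doctor_reads_lab":    can_access(conn, 10, "lab_result"),
        "tech_reads_comments": can_access(conn, 20, "physician_comment"),
        "unknown_employee":    can_access(conn, 999, "patient"),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Two points worth noting: foreign key enforcement in SQLite is off by default, so a system that relies on the database for referential integrity must turn it on for every connection, and the access check denies by default when the employee record is missing or the department has no policy entry, which is the safe failure mode for a component that gates access to patient data.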

Another concern that preoccupies the software designers is the relevance of the system to the needs of the clients. It is therefore important to make the system as specific to the client's needs as possible. This means that most of the components are created as tasks. After they have been developed, they are taken back to the client for approval. This means that the model follows the steps of the Scrum process.

Static Code Analysis Tools

Static code analysis is the process of examining source code, without running it, to find vulnerabilities. Its findings are often general indications that enable the analyst to zero in on the problem. These techniques for analyzing source code are often derived from compiler technologies, so they resemble the checks a compiler performs when it diagnoses code. There are a couple of guidelines that have to be kept in mind while using these techniques.

First, the techniques are likely to give a general indication of where the vulnerability exists in the code, not the exact place, so one has to zero in on the issue manually. Also, the techniques produce false positives, where they indicate the presence of a vulnerability where none exists, and false negatives, where a vulnerability exists yet the tool does not detect it. This means that the tools should not be trusted as the only method of finding errors, since relying on them alone may let more errors through to compilation.

The tools are also not able to find authentication problems and access control issues. This means that the developers of the system have to be very judicious in their use of these tools, given the extensive authentication and access control needs of the system. The analysts also need to have all the libraries and the necessary compilation instructions in order to use these tools properly.

On the plus side, these tools are highly scalable and can be used with just about any software. They can also be run repeatedly, for example on nightly builds, to ensure that all additions to the code have minimal vulnerabilities. They can also find a number of vulnerabilities in code that would be major problems after compilation (Chess and McGraw, 2014).

Techniques that can be used include data flow analysis, control flow graphs and taint analysis. Data flow analysis collects information about how data moves through the software as it would run. A control flow graph represents the software as nodes so that the paths through the code can be analyzed. Taint analysis is applied to user inputs, which have to be sanitized lest they become vulnerabilities.
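To make the taint analysis described above concrete, the following is an added example, not code from the paper or from any real analysis tool, of a miniature taint checker over Python source. It walks the syntax tree, marks values that come from an assumed user-input source, propagates that mark through assignments and string concatenation, clears it when an assumed sanitizer is applied, and reports each place where a tainted value reaches an assumed sink. The sets of sources, sinks and sanitizers, and the program being analyzed, are assumptions constructed for the example.

```python
"""Added example: a miniature taint analysis over Python source using the ast module.

SOURCES, SINKS, SANITIZERS and the SAMPLE program are assumptions for this
example. The checker reports (line, sink) pairs where a tainted value is the
first argument of a sink call.
"""
import ast

SOURCES = {"input"}            # calls whose result is user-controlled
SINKS = {"execute", "system"}  # attribute calls such as cursor.execute / os.system
SANITIZERS = {"int"}           # int(x) yields a value that cannot carry injected text

# Constructed sample program to analyze (line 1 is the blank line after the opening quotes)
SAMPLE = '''
import os, sqlite3
cur = sqlite3.connect(":memory:").cursor()
name = input("patient name: ")
query = "SELECT * FROM patient WHERE name = '" + name + "'"
cur.execute(query)                                            # line 6: tainted string reaches a sink
cur.execute("SELECT * FROM patient WHERE name = ?", (name,))  # parameterized: first argument is a constant
pid = int(input("id: "))
os.system("report " + str(pid))                               # sanitized through int()
os.system("ls " + name)                                       # line 10: tainted string reaches a sink
'''


class TaintChecker(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()   # variable names currently holding tainted values
        self.findings = []     # (line number, sink name)

    def is_tainted(self, node):
        """Decide whether an expression may carry user-controlled data."""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            fn = node.func
            name = fn.id if isinstance(fn, ast.Name) else getattr(fn, "attr", None)
            if name in SOURCES:
                return True
            if name in SANITIZERS:
                return False
            return any(self.is_tainted(a) for a in node.args)   # str(x), lower(x), ...
        if isinstance(node, ast.BinOp):                          # "a" + b
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):                      # f"...{x}..."
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def visit_Assign(self, node):
        # Propagate (or clear) taint on simple name assignments
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        fn = node.func
        if isinstance(fn, ast.Attribute) and fn.attr in SINKS and node.args:
            if self.is_tainted(node.args[0]):
                self.findings.append((node.lineno, fn.attr))
        self.generic_visit(node)


def analyze(source):
    """Return the list of (line, sink) findings for the given source text."""
    checker = TaintChecker()
    checker.visit(ast.parse(source))
    return checker.findings


if __name__ == "__main__":
    for line, sink in analyze(SAMPLE):
        print(f"line {line}: tainted value reaches {sink}()")
```

On the sample program the checker reports lines 6 and 10 and stays silent on the parameterized query and the integer-sanitized command. It also illustrates the limitations the paragraphs above describe: taint is tracked only through simple assignments and string building within one function, not across function calls, attributes, containers or control flow, so a real program would produce false negatives, and any call not listed as a sanitizer is assumed to pass taint through, which produces false positives for harmless wrappers. A production tool keeps much larger source, sink and sanitizer models and still needs the manual confirmation the text calls for.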


Sample Code.

PatientAccount.h

Software Assurance Process – Management’s Role (New Content)



















Bibliography


Meier, J. D., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R., & Murukan, A. (2013). Improving web application security: threats and countermeasures. Microsoft Corporation, 3.

Lee, D. C., Crowley, P. J., Baer, J. L., Anderson, T. E., & Bershad, B. N. (2008, April). Execution characteristics of desktop applications on Windows NT. In ACM SIGARCH Computer Architecture News (Vol. 26, No. 3, pp. 27-38). IEEE Computer Society.

Avison, D. E., & Shah, H. U. (2007). The information systems development life cycle: A first course in information systems. McGraw-Hill.

Evans, J. A. (2012). U.S. Patent No. 6,347,329. Washington, DC: U.S. Patent and Trademark Office.

Keyhani, S., Hebert, P. L., Ross, J. S., Federman, A., Zhu, C. W., & Siu, A. L. (2008). Electronic health record components and the quality of care. Medical Care, 46(12), 1267-1272.

Chess, B., & McGraw, G. (2014). Static analysis for security. IEEE Security & Privacy, 2(6), 76-79.