Secure Software Design and Development
Introduction to Secure Software Design & Development
The Secure Software Design & Development course was quite interesting and challenging at the same time, in that the concepts introduced were largely new to me. This course was unique in that the assignments were fewer than normal and larger in scope. The three main assignment deliverables were as follows: a real-world medical wearable security assessment using Microsoft’s STRIDE methodology and software tool, a static application security testing (SAST) assignment, and a dynamic application security testing (DAST) assignment. All three of these assignments were executed against a live software system and code with either a known or unknown vulnerability set. GitHub’s code scanning tool was used for SAST testing against the OpenEMR (Electronic Medical Record) codebase. The open-source Zed Attack Proxy (ZAP) tool was used for dynamic testing against the known-vulnerable WebGoat Java 2 Enterprise Edition (J2EE) app. I enjoyed all three major assignments along with the course reading and discussions, but chose to include the final DAST assignment in this portfolio, given the interesting and interactive nature of the assessment.
Reflection
The Secure Software Design & Development course was fascinating in that it covered an area of cybersecurity that I see in operation frequently through my work at a software-as-a-service (SaaS) company but am not involved with directly. As was my hope in pursuing a master’s degree, the content was directly related to my day-to-day work and allowed me to expand my scope of knowledge and practice.
Some of the early module topics that were most interesting were those related to the design and structure of software development. There are always tradeoffs when developing software, and sometimes security is one of the items that gets overlooked in favor of functionality and minimum viable product (MVP). It is helpful for the cybersecurity professional to understand the software design and development lifecycle in order to help steer these processes toward more security-focused outcomes. It is certainly better and more economical to build a software system with security properties and best practices from the start than it is to later retrofit security into established systems.
Organizations should avoid custom software development unless it is in their specific line of business, and commercial off-the-shelf (COTS) software doesn’t exist for their application. The reason for this is that many small to mid-sized organizations simply don’t have the resources to manage and maintain a secure software development life cycle (SSDLC). The cybersecurity professional can help manage these types of tradeoffs and evaluate the security risks associated with customizing COTS software vs. developing and securing proprietary in-house software solutions.
In larger organizations, and in organizations for which software development is part of the company’s offering, software security becomes a mandatory discipline. Given the digital transformation companies are undergoing, it appears that almost all companies will ultimately be involved in software security efforts. In these cases, implementing SSDLC processes is mandatory. The extent to which a team can focus on software security will be constrained by size and funding, but this course introduced many of the tools that would be used by any organization. For example, the Open Web Application Security Project (OWASP) and Microsoft STRIDE frameworks provide useful tools for evaluating software security and managing risk. Building SAST and DAST into development practices is of paramount importance, as each provides a different lens on the security of the software being developed. Mandatory security checks before software is deployed help engineers catch issues before they go into production.
I am thankful for this course as it helped me become more familiar with the language of cybersecurity for software, along with the associated risks and vulnerabilities. This knowledge is critical for the cybersecurity professional pursuing a leadership role and will become increasingly important as companies undergo their own digital transformation with secure software solutions.