Secure development methodologies in Software Development Life Cycle (SDLC) models, such as Agile and TOGAF.
Lessons learnt and key outcomes
Through the units mentioned below, I came to understand the fundamentals of secure software development, critically assessed its components, and learnt from case studies involving cryptographic failures how to design secure, purpose-built, industry-grade, successful software systems by adopting security-related principles, best practices, and methodologies. These techniques involved appropriate requirements gathering, analysis, design, software implementation and testing for secure software development. Thereafter, I learnt to appreciate related architectural principles and leverage them in traditional and contemporary Software Development Life Cycle (SDLC) models, such as TOGAF and Agile, to build a secure, CRUD-functional, internet-forensics-related command line interface (CLI)-based application. Throughout these endeavours, I learnt how to design and develop secure software systems to streamline and inform business decisions involving the handling of personal data whilst adhering to data privacy regulations, such as the European Union (EU)’s General Data Protection Regulation (GDPR).
Unit 1: Introduction to Secure Software Development
Management methodologies, such as Agile, and a risk-aware organisational culture were reviewed and considered to support modern software development, as they are more suitable than waterfall for large-scale, dynamic, and user-centred development. The Unified Modelling Language (UML) was studied and leveraged to design software systems, starting with a UML flowchart, which I created as a part of the first collaborative discussion. You can access it by clicking ‘LEARN MORE’ below.
Unit 2: UML Modelling to Support Secure System Planning
UML modelling was studied in further detail and, along with relevant software security standards, such as the ISO/IEC ones, applied to support the design stage of the SDLC and create use case diagrams involving the high-level industry-relevant application considered, sequence diagrams to summarise the key steps involved in a workflow to be aided via software, activity diagrams detailing the main activities executed by a user, and class diagrams displaying which classes are involved in the software system, along with their relationships and details on their attributes and methods. I also provided the following two peer responses on the collaborative discussion started in unit 1: the first peer response and the second peer response. Furthermore, I wrote a blog post in response to the seminar question on the selection of five terms from the ISO/IEC 27000 Standard, Section 3 Terms and Definitions, and how people can be managed to overcome cybersecurity attacks from the inside. You can access it by clicking ‘LEARN MORE’ below.
Unit 3: Programming Languages: History, Concepts & Design
In this unit, I studied the history, concepts, and design that led to contemporary programming languages, such as Python, and the best practices and methods to overcome common security issues. Key programming-language concepts, in particular those focused on object-oriented programming (OOP), such as inheritance, polymorphism and abstraction, were investigated, along with their purposes and how to leverage these principles in Python. Common security challenges were reviewed and recommendations to mitigate them were provided. Relevant design patterns were reviewed, focusing on how they can help to design and implement more secure software systems. I provided my contribution to the team discussion on what a secure programming language is, with a focus on Python programming and its comparison with C for creating operating systems, as per this post. Programming-related activities were carried out in Codio, including the evaluation of buffer overflows and leveraging linting tools, such as ‘pylint’, for automating code quality checks and building more standardised and secure software. I also wrote a summary post on the collaborative discussion started in unit 1, which can be accessed by clicking ‘LEARN MORE’ below.
Unit 4: Exploring Programming Language Concepts
This unit allowed me to assess the pros and cons, and the impact, of key programming concepts, such as regular expressions (RegEx) and recursion, on software systems’ functionality and security, as well as suggest the most suitable method tailored to the specific security requirements considered. I also had the chance to contribute to a discussion on RegEx, with a focus on ReDoS and Evil RegEx, including the issues associated with the use of RegEx and appropriate strategies to mitigate them, as well as how RegEx can be leveraged as a part of a security solution. You can read my contribution by clicking ‘LEARN MORE’ below.
Unit 5: An Introduction to Testing
This unit enabled me to learn and understand how to test software comprehensively, considering both its overall quality and security. The main industry-standard testing processes were leveraged, such as the OWASP and the ISO/IEC/IEEE ones. Tools in Python were explored and used for automating the testing process, including logical and stylistic linters, with a focus on the security-related aspects. As a part of this unit and week, I had the opportunity to explore and discuss the relevance of cyclomatic complexity nowadays, which is considered in modules on testing the validity of the design of code. You can access my post by clicking ‘LEARN MORE’ below.
Unit 6: Using Linters to Support Python Testing
During this unit, technologies available in Python for linting were explored to support the implementation of high-quality software. The rationale for using these tools was to ensure the development of high-quality and, correspondingly, secure code. Their relevance to both development and testing was assessed and they were leveraged to aid both processes accordingly, including related programming activities carried out on Codio. By the end of this unit, as a part of a team of colleagues/students, a design document was written on the proposed secure CRUD-functional RESTful API to aid the use case of internet forensics for the Dutch Police. You can access my team’s design document by clicking ‘LEARN MORE’ below.
Unit 7: Introduction to Operating Systems
In this unit, I had the chance to appreciate the relationships between operating systems (OS), programming languages, and software systems’ security. As these interactions may require the user’s application to connect with and leverage software libraries, relevant security implications were investigated. During this unit’s activity, I had the opportunity to ponder the meaning and definition of an ontology and how it pertains to a software system. You can read my responses by clicking ‘LEARN MORE’ below.
Unit 8: Cryptography and Its Use in Operating Systems
This unit allowed me to study and evaluate the principles, technology, and use of cryptography, how it is leveraged with operating systems, as well as explore and consume some common cryptographic libraries in Python. I had the chance to participate in the second collaborative discussion of the module, this time on a case study focused on “TrueCrypt”, which you can access by clicking ‘LEARN MORE’ below. This activity also involved the design of its ontology considering the main security vulnerabilities and causes that may lead users to experience attacks exploiting them. Moreover, via this seminar activity, I had the opportunity to discuss how GDPR regulations can be adhered to in software by design to mitigate data privacy- and security-related risks.
Unit 9: Developing an API for a Distributed Environment
In this unit, I could learn and practise creating an application programming interface (API) via the Python library ‘Flask’ and experiment with creating/reading records into/from a relational, SQL database. In this instance, I had the chance to appreciate how security can be enforced to create software, as per programming-related best practices, that can be consumed by and is valuable to users. I also had the opportunity to review my peers’ posts on the second collaborative discussion and provide two peer responses accordingly with my feedback, which you can access by clicking ‘LEARN MORE’ below.
Unit 10: From Distributed Computing to Microarchitectures
The main software systems’ architectures, from monolithic deployments to microservices, virtualisation, and containers, were analysed and, considering more distributed ways of operating, further methods to ensure security were explored. Such techniques mainly considered the importance of adequate encryption, such as distributing encryption keys, as well as evaluated the specific attacks to virtualised environments. I also provided a summary post to conclude the second collaborative discussion, which you can read by clicking ‘LEARN MORE’ below. Furthermore, faceted data were considered as an approach to protect systems from data leakage, as well as their pros and cons.
Unit 11: Future Trends in Secure Software Development
Trends and advances in secure software development were reviewed within both academic research and industry, such as Fog Computing, the Internet of Things, and Cyber-Physical Systems, encompassing several areas, from design to implementation, programming languages and operating systems. The security issues associated with the aforementioned systems were considered and strategies to mitigate them were investigated. The Tanenbaum-Torvalds debate on whether microservices and microkernels are the future was discussed and I provided my views on it in this post. As a part of a team, in the repository that can be accessed by clicking ‘LEARN MORE’ below, I was one of the main contributors developing a secure CRUD-functional CLI-based application, implementing CLI-based entry points to perform CRUD operations, a centralised global logger to ensure the application’s full auditability and monitoring, extensive user input validation along with appropriate exception handling and logging, multi-threading to enable parallelisation of the requests, thus allowing two or more concurrent users to consume it, automated code quality checks and linting, and unit and integration testing of the main application’s functionalities, including CRUD operations, encryption, and user input validation. Furthermore, I created a conda virtual environment so that we could work in the same Python environment with the same dependencies, scanned those dependencies to understand whether they had any security vulnerabilities, and created a Python package out of our application that can be installed via pip. I was also the main reviewer of my team members’ pull requests, aiming to achieve high-quality and secure software as per the assignment’s specifications.
Unit 12: The Great Tanenbaum-Torvalds Debate Revisited
In this unit, I had the chance to revisit the Great Tanenbaum-Torvalds Debate, thus reviewing further articles on monoliths, microkernels, and microservices, as well as exploring additional advances in secure software development. As a part of this unit, I also submitted this e-Portfolio for consideration.
Reflections on Secure Software Development, this module, and my own self-development
In this reflective piece, I summarised what I learnt on Secure Software Development in this module, the work I carried out throughout it, and their impact on my personal and professional development. Click ‘LEARN MORE’ below to read it.