SAD Exp2

Secure Application Development

Uploaded by Nileema Pathak

Experiment – 2: To learn Case study for SDLC

Aim: To learn Case study for SDLC.


Objectives: After study of this experiment, the student will be able to

● Understand different steps of SDLC


Outcomes: After study of this experiment, the student will be able to

● Demonstrate knowledge of the different stages of the SDLC.


Prerequisite: Cyber security, software engineering
Requirements: PC and Internet
Pre-Experiment Exercise:
Brief Theory:
What Is Secure SDLC and Why Is It Important?
The Security System Development Life Cycle (SecSDLC) is defined as the set of procedures
that are executed in sequence within the software development life cycle (SDLC). It is
designed to help developers create software and applications in a way that significantly
reduces security risk at later stages by addressing it from the start. The SecSDLC is similar
to the Software Development Life Cycle (SDLC), but the two differ in the activities that are
carried out in each phase of the cycle. The SecSDLC aims to eliminate security
vulnerabilities: the process involves identifying specific threats and the risks they pose to a
system, and implementing the security controls needed to counter, remove and manage those
risks. In the SDLC process, by contrast, the focus is mainly on the design and implementation
of an information system.
Phases involved in SecSDLC are:

1. Requirements Gathering (Secure Requirements)
● Goal: Define functional + security needs before coding starts.
● Security Activities:
o Identify security requirements alongside business requirements.
o Consider compliance/regulatory needs (e.g., GDPR, HIPAA).
o Define security objectives like authentication strength, encryption needs, and access control rules.
o Identify potential threats early using threat modeling.

2. Design (Secure Architecture)
● Goal: Build a blueprint with security baked in.
● Security Activities:
o Perform threat modeling (STRIDE, PASTA, etc.).
o Apply secure design principles (least privilege, defense in depth, fail secure, etc.).
o Select secure frameworks, libraries, and APIs.
o Create data flow diagrams to identify trust boundaries.
o Plan for secure error handling and logging.

3. Implementation (Secure Coding)
● Goal: Write clean, secure, and maintainable code.
● Security Activities:
o Follow secure coding standards (e.g., OWASP, CERT).
o Avoid hardcoding secrets and credentials.
o Use input validation and output encoding to prevent injection attacks.
o Implement proper authentication and authorization checks.
o Run Static Application Security Testing (SAST) during development.

4. Testing (Security Testing)
● Goal: Find vulnerabilities before release.
● Security Activities:
o Static Testing (SAST) – Analyze source code without running it.
o Dynamic Testing (DAST) – Test running applications for runtime vulnerabilities.
o Interactive Application Security Testing (IAST) – Combine static & dynamic methods.
o Penetration Testing – Simulate attacks to check exploitability.
o Fuzz Testing – Feed random or malformed data to check robustness.

5. Deployment (Secure Release)
● Goal: Release software in a hardened, monitored environment.
● Security Activities:
o Ensure secure configuration of servers, containers, and cloud environments.
o Use code signing to verify authenticity.
o Apply least privilege to deployment accounts.
o Review dependencies for vulnerabilities.

6. Maintenance & Monitoring (Security in Operations)
● Goal: Keep security strong after release.
● Security Activities:
o Apply patches and updates promptly.
o Monitor logs and alerts for suspicious activity.
o Conduct post-incident reviews if issues occur.
o Reassess threats periodically as the environment changes.
o Provide security training to developers and admins.
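As an added illustration of the Implementation-phase activities (not code from the lab manual), the following Python puts a lookup built by string concatenation beside a version that validates its input and uses a parameterised query, encodes output for an HTML context, and reads a secret from the environment instead of source code. The in-memory table, the usernames and the APP_DB_PASSWORD variable name are constructed for this example.

```python
import html
import os
import sqlite3


def make_db():
    # Constructed in-memory table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_role_vulnerable(conn, name):
    # Query text is assembled from untrusted input, so the input can
    # change the meaning of the SQL (the injection the phase list warns about).
    rows = conn.execute(
        f"SELECT role FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def validate_username(name):
    # Input validation: an allow-list of what a username may look like.
    return name.isalnum() and 0 < len(name) <= 32


def lookup_role_secure(conn, name):
    # Reject anything outside the allow-list before it reaches the database.
    if not validate_username(name):
        raise ValueError("invalid username")
    # Parameterised query: the driver passes the value separately from the SQL,
    # so it can never be parsed as part of the statement.
    rows = conn.execute(
        "SELECT role FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


def render_greeting(name):
    # Output encoding: escape data before placing it in an HTML context.
    return f"<p>Hello, {html.escape(name)}</p>"


def db_password():
    # Secrets come from the environment (or a secret store), not from source.
    pw = os.environ.get("APP_DB_PASSWORD")  # hypothetical variable name
    if pw is None:
        raise RuntimeError("APP_DB_PASSWORD is not set")
    return pw
```

A SAST tool run during development would flag the f-string query in lookup_role_vulnerable, while the parameterised form passes.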

Laboratory Exercise
Procedure:
Study any one of the case studies from the references and identify the difference between the
software development life cycle and the security development life cycle.
Post-Experiments Exercise

1. Describe how secure coding can be incorporated into the software development process.
Incorporating secure coding into the software development process is
essential for minimizing vulnerabilities and protecting applications
from potential breaches. Secure coding practices involve
implementing best practices and principles throughout the software
development lifecycle (SDLC) to safeguard applications against
malicious attacks. Here's how secure coding can be seamlessly
integrated into the software development process:

1. Formalize and Document the SDLC Processes


Define Major Components: Ensure that the SDLC processes,
including requirements gathering, architecture and design,
implementation, testing, deployment, and maintenance, are
formalized and documented. This documentation should clearly
outline how secure coding principles are addressed at each stage.
2. Integrate Secure Coding Principles into SDLC Components
Address Secure Coding in Documentation: Provide a general
description of how secure coding principles are incorporated into
architecture and design documents. If a secure coding principle is not
applicable to the project, this should be explicitly documented along
with a brief explanation.
3. Perform Automated Application Security Testing
Automated Testing: Incorporate automated application security
testing as part of the overall application testing process. This helps in
identifying vulnerabilities early in the development cycle, allowing
developers to address them before deployment.
4. Secure Development and Testing Environments
Data Protection: Ensure that development and testing environments
redact all sensitive data or use de-identified data to protect against
unauthorized access and breaches.

2. List the major types of coding errors and their root cause.
Coding errors are a natural part of the software development process, and understanding
their types and root causes is crucial for improving code quality and efficiency. Here are
the major types of coding errors along with their root causes:

1. Syntax Errors
Definition: Syntax errors occur when the programmer violates the rules of the
programming language syntax. Examples include missing semicolons, mismatched
parentheses, or incorrect keyword usage.

Root Cause: Lack of familiarity with the programming language's syntax rules or simple
typographical mistakes.

2. Logical Errors
Definition: Logical errors happen when the code runs without crashing but does not
produce the expected outcome. These errors are often due to flaws in the logic
implemented in the code.

Root Cause: Misunderstanding of the problem requirements, incorrect assumptions, or
flawed logic in implementing algorithms or control structures.

3. Runtime Errors
Definition: Runtime errors occur during the execution of the program. Examples include
division by zero, accessing null pointers, or trying to open a file that does not exist.

Root Cause: Insufficient error handling, lack of validation checks for inputs, or failure to
anticipate exceptional conditions during runtime.

4. Compilation Errors
Definition: Compilation errors prevent the source code from being successfully translated
into machine-readable instructions. They are often caused by syntax errors, semantic
errors, or issues with external dependencies.

Root Cause: Syntax mistakes, undeclared variables or functions, incompatible data types,
or missing libraries and dependencies.

3. Describe good software development practices and explain how they impact application security.
Good software development practices play a crucial role in enhancing
application security by incorporating security considerations into
every phase of the software development lifecycle (SDLC). These
practices aim to identify and mitigate potential security threats and
vulnerabilities early in the development process, making it
significantly more cost-effective and efficient to address them. Here
are some key practices and their impact on application security:

1. Establish a Secure Software Development Lifecycle (SSDLC)


Impact: Integrating security into the SSDLC ensures that security is
considered from the very beginning of the development process,
rather than being an afterthought. This approach reduces the
likelihood of introducing vulnerabilities late in the development
cycle, when they are more costly and time-consuming to fix.
2. Follow Web Application Security Best Practices Set by OWASP
Impact: Adhering to recognized standards, such as those provided by
the Open Web Application Security Project (OWASP), helps
developers avoid common pitfalls and follow a proven path to
securing applications. This adherence promotes consistency and best
practices across projects, leading to more secure applications.
3. Employ Static and Dynamic Security Testing Throughout the
Development Process
Impact: Early and frequent testing helps identify vulnerabilities and
security issues before they reach production. Static analysis tools can
catch issues in uncompiled code, while dynamic analysis tools can
detect problems during runtime. Both approaches contribute to a more
secure application by catching vulnerabilities early in the
development cycle.
4. Document Software Security Requirements Alongside Functional
Requirements
Impact: Clearly defining security requirements alongside functional
specifications ensures that security is not overlooked during the
development process. This documentation serves as a reference for
developers, testers, and auditors, ensuring that security is an integral
part of the application's design and functionality.

4. List and discuss Secure SDLC Best Practices.


Secure Software Development Life Cycle (SSDLC) best practices are essential
for integrating security into the software development process, thereby reducing
the risk of vulnerabilities and enhancing application security. Here are key
practices derived from the sources:

1. Involve Security Experts from the Beginning


Impact: Engaging security experts early in the development process ensures that
security considerations are woven into the fabric of the application from its
inception. This collaborative approach helps in identifying potential security risks
and designing secure architectures.
2. Train Developers on Secure Coding Best Practices
Impact: Providing developers with training on secure coding practices equips them
with the necessary skills to write secure code. This education reduces the
likelihood of introducing vulnerabilities through coding errors.
3. Adopt a Strong SDLC Governance Program
Impact: A robust governance program establishes clear policies and procedures
for managing the SDLC, ensuring that security is consistently integrated into each
phase. This structured approach helps in maintaining high standards of security
throughout the development process.
4. Monitor Software for Security Vulnerabilities After Deployment
Impact: Continuous monitoring post-deployment helps in identifying and addressing
vulnerabilities that may have been missed during the development phase. This
proactive approach ensures that the application remains secure over time.
Conclusion: A case study was carried out to find out the difference between the software
development life cycle and the security development life cycle.
The research identified various important elements, such as security policies, the processes
being practiced, and the tools used within the SDLC, through the review of the literature and the
case study investigated. The evidence gathered from the field indicates a lack of clear policy
and guidelines at the project management level within each phase of the SDLC. In this regard,
recommendations and verification were gathered to elicit the actual activities that are
appropriate for inclusion at each phase of the SDLC.
References:
Case study 1: https://quod.lib.umich.edu/j/jsais/11880084.0001.103/--case-study-of-the-application-of-the-systems-development?rgn=main;view=fulltext
Case study 2: https://onlinelibrary.wiley.com/doi/epdf/10.1002/sec.1700
https://snyk.io/learn/secure-sdlc/
