Introduction
This course is focused on the design and development process of secure software for enhanced cyber security. It emphasizes the importance of strategizing for security before starting development and teaches students how to gather and plan for security requirements. The course covers mapping and planning for vulnerabilities, running an effective development process, and introducing the concept of software assurance in the cyber security paradigm.
Reflection
Secure software design and development is essential for cybersecurity professionals because it is the foundation upon which secure applications and systems are built. A significant percentage of cyber-attacks exploit vulnerabilities in software applications and systems, making secure software design and development a critical component of any cybersecurity program. By focusing on secure software design and development, cybersecurity professionals can help prevent or minimize the impact of these attacks. Secure software design and development involves integrating security considerations into every stage of the software development lifecycle: requirements gathering, design, coding, testing, deployment, and maintenance. By considering security at each stage, developers can identify and address potential security issues early, reducing the likelihood of vulnerabilities making their way into the final product. Besides reducing the risk of cyber-attacks, secure software design and development can also help organizations comply with regulatory requirements, protect intellectual property, and maintain customer trust. Cybersecurity professionals who understand the principles of secure software design and development can work with developers and other stakeholders to ensure that security is a top priority throughout the development process, resulting in more secure applications and systems.
My expectation for the Secure Software Design and Development class was that it would cover a range of important topics related to secure software development, starting with an introduction to secure software design and development, followed by threat modeling and secure coding practices, as well as secure software deployment and maintenance. I also wanted to explore topics such as secure software project management, compliance and regulatory requirements, and ethical and legal considerations in secure software development. The course aimed to equip students with a comprehensive understanding of various security threats, mitigation techniques, and best practices for secure software development.
Artifact 1
The use of the Microsoft STRIDE threat modeling approach is crucial for maintaining network security. This approach offers a practical framework that enables security teams to take preventative measures and prioritize mitigation strategies. Given that it is impossible to prevent all types of attacks, it is important to remain agile and adaptable to security breaches. In the paper, the STRIDE methodology is employed to assess the E-Health Sensor Platform v2.0, and the Microsoft Threat Modeling Tool report is used to map out the platform's architecture. The paper discusses the importance of threat modeling in keeping networks safe and secure. The E-Health Sensor Platform v2.0, an open-source medical device used for monitoring human biometrics, is evaluated using the Microsoft STRIDE threat modeling approach. The paper identifies assets and access points, lists potential threats, and proposes mitigation plans for each threat. The data flow diagram identifies spoofing as a major concern, and countermeasures such as implementing an authentication component and adding monitoring services are suggested. The paper also highlights the importance of open-source technology in increasing access to cost-effective medical treatment and extending human life.
Benefits of using Microsoft STRIDE
- Provides a practical framework for identifying and addressing security threats in a systematic and comprehensive manner.
- Helps prioritize security measures and mitigation strategies based on the severity of identified threats.
- Helps security teams to remain agile and adaptable in responding to security breaches.
- Enables security teams to proactively identify potential security issues before they occur, rather than reacting to incidents after they happen.
- Facilitates communication and collaboration between different stakeholders involved in the software development process.
- Can be used throughout the software development lifecycle, from initial design to deployment and maintenance, to ensure ongoing security.
- Helps to improve the overall security posture of software systems and reduce the likelihood of successful attacks.
- Can be used to comply with security standards and regulations, such as PCI-DSS, ISO 27001, and NIST cybersecurity framework.
Artifact 2
DAST stands for Dynamic Application Security Testing. It is a method of testing software applications and systems for security vulnerabilities by simulating attacks against the running application or system. DAST tools can identify vulnerabilities such as cross-site scripting (XSS), SQL injection, and other common attack vectors, and DAST is an important part of a comprehensive security testing program for any application or system. The assignment (artifact #2) includes a table of threat levels and descriptions, followed by a discussion of the detected security vulnerabilities and their impacts, as well as recommendations for remediation. The vulnerabilities discussed include the inclusion of JavaScript code from an unrelated domain, the presence of possible absolute filesystem paths, and the exposure of email addresses in scanned content. In short, the assignment focuses on identifying and addressing security vulnerabilities in web applications.
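To make the three findings above concrete, here is a small passive check of the kind a DAST scanner performs on each crawled response: it flags scripts loaded from a host other than the page's own, absolute filesystem paths leaked in the body, and exposed email addresses. This is an added example, not output or code from the scanner used in the assignment; the URL, the HTML body and the remediation text are constructed here, and the path pattern is a heuristic limited to common Unix directories and Windows drive paths.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the URL a scanner requested and the HTML body it received.
SAMPLE_URL = "https://ehealth.example.org/dashboard"
SAMPLE_BODY = """<html><head>
<script src="https://cdn.example-analytics.net/track.js"></script>
<script src="/static/app.js"></script>
</head><body>
<!-- debug: template loaded from /var/www/ehealth/templates/dashboard.html -->
<p>Contact support: support@ehealth.example.org</p>
</body></html>"""

# Patterns for the three passive findings; ABS_PATH_RE is a heuristic (common Unix dirs, Windows drives).
SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)
ABS_PATH_RE = re.compile(
    r'(?<![\w/])(?:/(?:etc|var|usr|home|opt|srv|tmp)/[\w./-]+|[A-Za-z]:\\[\w\\.-]+)')
EMAIL_RE = re.compile(r'\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b')

# Remediation text is constructed for this example, not taken from the scanner report.
REMEDIATION = {
    "cross-domain script inclusion":
        "Host the script on the application's own origin, or restrict sources with Content-Security-Policy and pin them with Subresource Integrity.",
    "absolute filesystem path disclosure":
        "Strip debug comments, verbose errors and stack traces from production responses.",
    "email address disclosure":
        "Remove addresses the page does not need to expose, or route contact through a form.",
}

def passive_scan(url, body):
    """Inspect one response body and return a list of finding dicts (type, evidence, remediation)."""
    findings = []
    page_host = urlparse(url).hostname
    for src in SCRIPT_SRC_RE.findall(body):
        # Relative or same-host scripts are fine; only foreign hosts are flagged.
        host = urlparse(src).hostname
        if host and host != page_host:
            findings.append({"type": "cross-domain script inclusion", "evidence": src})
    for path in ABS_PATH_RE.findall(body):
        findings.append({"type": "absolute filesystem path disclosure", "evidence": path})
    for addr in EMAIL_RE.findall(body):
        findings.append({"type": "email address disclosure", "evidence": addr})
    for f in findings:
        f["remediation"] = REMEDIATION[f["type"]]
    return findings

if __name__ == "__main__":
    for f in passive_scan(SAMPLE_URL, SAMPLE_BODY):
        print(f"[{f['type']}] {f['evidence']}\n    -> {f['remediation']}")
```

Run against the constructed body, the check reports exactly one finding of each type, while the same-origin script `/static/app.js` is left alone.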
Lessons learned from using DAST:
- Identification of security vulnerabilities in applications and systems
- The impact of identified vulnerabilities on the security of the application or system
- Recommendations for mitigating or addressing identified vulnerabilities
- The effectiveness of existing security controls in place
- The level of risk associated with identified vulnerabilities
- The areas of an application or system that are most vulnerable to attacks
- The need for additional security testing or remediation efforts
- The ability to simulate realistic attack scenarios and identify potential attack vectors
- The importance of ongoing security testing and monitoring to maintain the security of an application or system
- The impact of changes or updates to an application or system on its overall security posture
In today's digital landscape, cyber-attacks are becoming more frequent and sophisticated, with software applications and systems often being the targets. Secure software design and development, the Microsoft STRIDE threat modeling approach, and DAST are critical concepts for cybersecurity professionals to understand and utilize. These tools help identify potential security threats, prioritize mitigation strategies, and maintain the security of an application or system. Understanding these principles can help prevent or minimize the impact of security breaches, comply with regulatory requirements, protect intellectual property, and maintain customer trust.