Risk Management Perspective in SDLC
net/publication/273063901
3 authors:
Rajeev Kumar
Shri Ramswaroop Memorial University
All content following this page was uploaded by Rajshree Pandey on 10 March 2015.
Abstract – Risk and its management is an area based on the hypothesis of probability. It is well known that the requirement
and design phases of the software development life cycle are the phases where security integration yields maximum benefits.
In this paper we have tried to tie software security and software risk together in a single thread. It is a complete process that
will help a developer choose the most appropriate risk management plan for making software more secure. A software
development life cycle is used to help researchers, scientists, project managers and programmers understand the working
of particular software more easily. The software development life cycle gives a basic understanding of the start of a project.
It includes a number of phases that sequence the activities to be performed during the implementation of the required
software. In this paper, a life cycle is proposed which will help developers identify and mitigate risks at an early stage of
development.
Key Words – Software Security, Software risk, RMMM plan, Software development life cycle (SDLC), Software quality.
I. INTRODUCTION
In this information era, information systems and networks often consist of software systems running on many interconnected
computers with various capabilities, such as servers, desktops, laptops, PDAs, and even cell phones. In these systems, connectivity
has become more important than ever before [1]. Connectivity has given us the opportunity to share data quickly, which also
increases the chance of personal data being attacked and hacked. The increasing complexity and extensibility of software systems
further complicate the situation, as they introduce more security breaches and make information systems more vulnerable to
failures and attacks. Software security, which is the idea of engineering software such that it can function correctly and
continuously under malicious attacks [2], has attracted much attention recently because reactive network-based security
approaches, like firewalls and signature-based anti-spyware, have been shown to be ineffective in achieving secure software.
Software security is the process of planning once the risk to the software is identified. Risk concerns future happenings. It might
happen, it might not. A lot of work has been done on risk mitigation and risk monitoring, but a life cycle for an RMMM plan has
not yet been identified for securing software in the design phase. This work has been done to show the impact of software risk on
object oriented design when developing software [3, 4, 5].
This paper first identifies what software security is. The third section introduces risk, the fourth section presents a life cycle
for risk management, and the last section presents future work and the conclusion.
Security is similar to the concepts of safety, confidentiality, and reliability. A number of security loopholes and vulnerabilities
exist due to defects in the security architecture and security mechanisms [9]. Hackers and attackers do not create security
loopholes; rather, they target the weaknesses in the software and exploit them. In order to maintain software security during
the developmental stages, hacking should be made too difficult [3]. The purpose of making software secure is to protect the
software from all kinds of attacks, errors, bugs, threats, viruses and vulnerabilities [4]. Software security is concerned with
defending the application program. The security architecture must be designed to meet the needs of the product's security goals
and the sensitive information contained therein. It prompts the developer to build secure software which performs better under
circumstances which are created by malicious attacks.
Risk is a future uncertain event with a probability of occurrence and a potential for loss. Risk is the expectation of the loss or
damage. When risks are analyzed, it is important to quantify the level of uncertainty and the degree of loss associated with each
risk [5]. Risk is the factor which should be identified before going through software security. Risks can be broadly divided into
two categories: proactive risks and reactive risks. Proactive risks are risks assumed in advance to occur in the
future.
How risk acts within the software context is shown in Fig. 1. The figure shows that risks can be imposed on
schedule, hardware, system, technology, people and cost. These types of risks are considered and planned for before development
of the software. Secure software is developed when its risks are identified early, in the design phase. Reactive risks arise when
a problem occurs after deployment of the software. Secure software is a need of today's internet life; software is secure when
its risks are identified early and managed. The identification, mitigation and monitoring of risk is the key factor in secure
software. Risk management is the process of identifying, addressing, and eliminating risks before they can damage the project.
It identifies software risks and plans to avoid them and to minimize their effects if they occur. Not all risks can be avoided, but by
performing risk management we can attempt to ensure that the risks are minimized.
[Fig. 1: Risk within the software context. Labels: Schedule, Cost, Hardware, Software, People, System, Technology]
“Risk is the prospect of suffering failure.” In a software development project, failure describes a negative impact on the project,
which could be in the form of diminished quality of the end project, increased costs, postponed completion, or complete project
failure. Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical
application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the
realization of opportunities [6,7]. Risk management should be done during the software development life cycle (SDLC). Risk
management consists of two major activities: risk assessment and risk reporting. Risk assessment in turn includes
risk identification, risk analysis and risk prioritization. In the proposed framework of risk management, a life cycle is presented
to identify and mitigate risks during the software development phase [11, 12]. This life cycle of risk management is shown
in Fig. 2 and described in detail. From the figure it is clear that the risk management activity involves six phases: Requirement phase,
Analysis phase, Design phase, Development phase, Test phase, Maintenance phase.
[Fig. 2: Risk management life cycle. Recoverable labels: Requirement Phase, Analysis Phase, Development Phase, Maintenance Phase, Risk Management]
• Test plan and development: - To prepare for the next phase, a test plan and a development plan should be prepared, and
the risks related to them should be identified.
D. Development phase
The primary goal during the development phase is to build the solution components, code as well as documentation. The team
continues to identify all risks throughout the phase and addresses new risks as they emerge. This process consists of three steps.
• Code reviews: - A code review can be an effective means by which the team can identify whether code meets local standards,
and might even result in identifying some problems prior to compiling, which may be risks for the future [8].
• Pair programming: - Pair programming reduces staff-loss risk [6]. The shoulder-to-shoulder technique of pair programming
serves as a continual design and code review, leading to the most efficient defect removal rates.
• Unit testing and static testing: - By using unit tests and dynamic analysis, developers can validate the security
functionality of components as well as verify that the countermeasures being developed mitigate any security risks
previously identified through threat modelling and source code analysis.
E. Test phase
• Dynamic code testing: - Dynamic code testing is analysis of computer software that is performed by executing the
program in a real or virtual environment. The target program must be executed with sufficient test inputs to produce
interesting behaviour.
• Web application testing: - Complete testing of a web based system before going live can help address issues before
they are revealed to the public, such as the security of the web application, its authorization, availability etc.
• Vulnerability scanning: - Vulnerability scanning is an important method to find software security risks; it includes testing
space scanning and non-defect scanning. Testing space scanning deals with network port, string, producer data, network
data and other element scanning. Non-defect scanning finds non flaws, usually based on the defect library.
• Test threat actions: - A threat is a negative effect on a test. Hence testing of threats creates risks, and this step is
considered in order to identify those risks.
F. Deployment phase
In the deployment phase the product is partially completed. All risks have been identified over the whole life cycle; now a
proper test plan is prepared in this phase.
• Periodic testing: - Periodic testing means third party testing that must be conducted on the continuing production of
software.
• Risk management plan: - Developing a risk management plan is simply a matter of following some steps, which include
constructing a risk categorization table, ranking the risks, preparing and sorting the risk table, and finally ensuring that
the risk management activity is an ongoing process throughout the project.
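The risk table steps named in the risk management plan bullet (categorize, rank, sort), as an added Python example that is not from the paper. It assumes exposure is probability times loss, following the paper's "expectation of the loss"; the category names come from Fig. 1, while the sample risks, the person-day unit and the cutoff value are constructed for illustration.

```python
from dataclasses import dataclass

# Category names taken from the labels of the paper's Fig. 1.
CATEGORIES = {"schedule", "cost", "hardware", "software",
              "people", "system", "technology"}

@dataclass(frozen=True)
class Risk:
    name: str
    category: str
    probability: float  # estimated likelihood of occurrence, 0..1
    loss: float         # estimated loss if it occurs (person-days: an assumption)

    def __post_init__(self):
        # Reject entries that would silently distort the ranking.
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category}")
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"probability out of range: {self.probability}")
        if self.loss < 0:
            raise ValueError(f"negative loss: {self.loss}")

    @property
    def exposure(self) -> float:
        # Expected loss; the formula is this example's assumption.
        return self.probability * self.loss

def build_risk_table(risks, cutoff):
    """Rank risks by exposure (highest first). Ties go to the more probable
    risk, then to the name, so the order is stable between reviews. Rows at
    or above the cutoff are flagged for a mitigation and monitoring plan."""
    ordered = sorted(risks, key=lambda r: (-r.exposure, -r.probability, r.name))
    return [{"rank": i, "name": r.name, "category": r.category,
             "exposure": round(r.exposure, 2), "manage": r.exposure >= cutoff}
            for i, r in enumerate(ordered, start=1)]

# Constructed sample register, not data from the paper.
SAMPLE = [
    Risk("Key developer leaves mid-project", "people", 0.30, 40),
    Risk("Threat model misses an authorization flaw", "software", 0.20, 90),
    Risk("Third-party library ships an unpatched flaw", "technology", 0.50, 30),
    Risk("Test environment delivered late", "schedule", 0.60, 10),
    Risk("Crypto hardware module unavailable", "hardware", 0.10, 50),
]

if __name__ == "__main__":
    for row in build_risk_table(SAMPLE, cutoff=10.0):
        print(row)
```

Re-running the table whenever estimates change keeps the activity ongoing, as the bullet requires.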
V. FUTURE WORK
It is known that half of the software is designed and developed on paper, so if we consider risk during the paper work then
it will be a risk reduction process in its own right and risk will also be minimized. A proactive approach of paying close attention
to security during all phases prevents expensive Security requirements and security features plays a very important role in the
security integration at design phase of the SDLC. The future work for this proposed framework is to plan an RMMM design
which will be common for some kinds of risks.
VI. CONCLUSION
Risk management gives a structured mechanism to provide visibility into threats to project success. By considering the
potential impact of each risk item, we can make sure to control the most rigorous risk first. Without a formal approach, we
cannot ensure that our risk management actions are done in the right manner. Thus a proper life cycle for a risk management plan
is justified in this paper, which provides a step by step implementation of a risk management plan.
VII. REFERENCES
[1] M. Howard and D. LeBlanc, “Writing Secure Code”, Microsoft Press, 2001.
[2] Gary McGraw, “Software Security”, IEEE Security & Privacy, vol. 2(2), 2004, pp. 80-83.
[3] J. Viega and G. McGraw, “Building Secure Software”, Addison-Wesley, 2001.
[4] S. Chandra and R. A. Khan, “Object Oriented Software Security Estimation Life Cycle: Design phase perspective”,
Journal of Software Engineering, USA, pp: 39-46.
[5] Roger S. Pressman, “Software Engineering a Practitioner’s approach”, Book.
[6] http://en.wikipedia.org/wiki/pair-programming.
[17] M. R. Garey and D. S. Johnson. Computers and Intractability: A Guide to the Theory of NP-Completeness. Freeman,
San Francisco, CA, 1979.
[18] J. Frankle, “Iterative and Adaptive Slack Allocation for Performance-driven Layout and FPGA Routing,” Proceedings
of the 29th ACM/IEEE conference on Design automation conference, 1992, Page 536.
[19] E. S. Ochotta, et al, “A Novel Predictable Segmented FPGA Routing Architecture,” in FPGA ‘98, Proceedings of 1998
ACM/SIGDA intl. symp. On FPGAs, pp. 3-11.
[20] http://www.joelinoff.com/ccdoc/index.html.
[21] C.W. Krueger, “Software Reuse.” ACM Computing Survey, vol. 24, no. 2, pp. 131-182, 1992.
[22] E. Mettala and M.H. Graham, “The Domain-Specific Software Architecture Program,” CMU/SEI-