By Dr. S. Jagadeesan
Assistant Professor (Senior Grade 2)
School of Information Technology and Engineering
VIT Vellore
Module 7 – Managing a Secure Software
Project Management
Establish a project management structure
1. Establish Roles and Responsibilities: Assign roles and responsibilities to each
team member and create a clear chain of command.
3. Set Expectations: Define expectations for each team member, including goals,
deadlines, and deliverables.
those risks.
5. Quality Assurance: Establish the quality standards for the project and
Risk Types
Project Scope
• Security's impact on the scope of the project has several dimensions
that need to be considered throughout project planning and
execution.
• These dimensions influence all SDLC activities and need to be
specifically addressed in the final software and system before they are
approved for release:
• The type and number of threats
• The sophistication of and resources available to the attacker
• The desired response to an attack
• The level of required assurance that the system meets its
security requirements
Understanding Project Scope
• Understand the customer's needs
• Understand the business context
• Understand the project boundaries
• Understand the customer’s motivation
• Understand the likely paths for change
Project Plan
• The nature of security risks and their consequences affect both
project planning and resources. Actions to mitigate low-consequence
and low-likelihood risks can often be left to the discretion of the
project leader with limited management review.
• The complexity associated with product development may be a
consequence of tight component integration to meet market
demands for functionality or performance.
• Shared services typically aggregate risks.
• System integration has to resolve any mismatches with both internal
and outsourced development.
Project Planning
• Scoping—understand the problem and the work that must be done
• Estimation—how much effort? how much time?
• Risk—what can go wrong? how can we avoid it? what can we do
about it?
• Schedule—how do we allocate resources along the timeline? what
are the milestones?
• Control strategy—how do we control quality? how do we control
change?
Resources
• Tools
• The software development environment should be at least as secure as
the planned security level of the software being produced.
• Appropriate controls for and configuration management of
development artifacts are essential and must have required assurance
level.
• Knowledge and Expertise
• The security expertise required to develop more secure software can
be classified into two categories:
• Knowledge of security functionality and features.
• The skills to identify and mitigate exploitable vulnerabilities.
Estimating the Nature and Duration of Required Resources
• The main objective of software project planning is to provide a framework
that enables the manager to make reasonable estimates of resources,
cost, and schedule.
• These estimates are made within a limited time frame at the beginning of a
software project and should be updated regularly as the project
progresses.
• Estimates should attempt to define best-case and worst-case scenarios so
that project outcomes can be controlled.
• Early estimates for staff effort and schedule are not very reliable until a
more detailed description of the software is available.
• Using shared services and a shared IT infrastructure across a number of
application development projects can reduce component development
costs but typically aggregates risks across all uses.
• Project estimates need to consider and reflect the increased assurance that
will need to be applied to any shared services.
Project and Product Risks
• Potential requirements for secure data access during development,
secure facilities, or demonstration of capability can add great
complexity and schedule concerns to projects.
• Change and configuration management procedures provide some
assurance for internal development.
• Activities such as an architectural risk assessment, threat analysis,
and static analysis for the source code provide practices for specific
development phases.
• Development controls and change management are essential
development tools.
Dr. M. LAWANYA SHRI, SITE 17