73
© 2011 by Taylor & Francis Group, LLC
Chapter 2
Enterprise-Wide Systems
Development Security
Maura Van Der Linden
Contents
Managing Security in Different Methods of Systems Development ..... 75
  Systems Development Life Cycle ..... 75
    Proposal: Plan the Project ..... 76
    Gather Requirements ..... 77
    Design the Project ..... 77
    Implementation: Build the Project ..... 78
    Verification: Test the Project ..... 78
    Deployment ..... 79
    Maintenance ..... 79
  Rapid Application Development ..... 80
    Pre-Project ..... 81
    Requirements ..... 81
    User Design ..... 82
    Construction ..... 82
    Implementation/Transition ..... 83
    End Project ..... 83
Security and Risk Analysis ..... 84
  Security Elements in Systems Projects ..... 85
    Project Risk ..... 85
    Mandated Security ..... 86
    Security Cost ..... 88
74 ◾ Official (ISC)2® Guide to the ISSMP® CBK®
  Security of Project Elements ..... 89
    Hardware ..... 90
    Operating System ..... 93
    Networks ..... 96
    Web Servers ..... 106
    Other Applications ..... 110
    Project under Development ..... 112
    Service-Oriented Architecture Security ..... 121
System Testing ..... 123
  Testing and Documentation of Security Elements ..... 123
    Component Testing ..... 124
    Integrated System Testing ..... 124
    Penetration Testing ..... 124
  Confidential Test Data ..... 124
  Insider Attacks ..... 125
Certification and Accreditation ..... 125
Review Questions ..... 125

Systems developed for use across an enterprise can fall victim to the myth that, because they are not for sale or public consumption, they don't need as much attention to security. In fact, the reality can be the complete opposite. There is often more data to protect: internal company and employee information as well as customer information. These enterprise-wide systems also face more threats from actors who already have some sort of access, such as internal attackers. Both of these factors mean that enterprise-wide systems need a focus on security and secure practices as much as any system developed for external release.

The Enterprise-Wide Systems Development Security domain describes the role of security management in defining, designing, developing, testing, implementing, and maintaining the critical software infrastructure that supports today's and tomorrow's business environment. The security manager has a crucial role to play in protecting business operations by providing input to the development process. This requires knowledge of various types of applications, software languages, databases, and operating platforms. The security manager must understand the risks and threats that are applicable to this environment and the countermeasures that can be employed to minimize damage, loss, compromise, or manipulation of data, systems, processes, and personnel. Key areas of knowledge include the following:
Building security into the systems development life cycle
Integrating application and network security controls
Integrating security with the configuration management program
Developing and integrating processes to identify system vulnerabilities and threats