SDLC Stages
Requirements, Design, Code, Testing, Release
Requirement Stage
Stakeholders need are gathered, analysed, and documented to define what the system must do
Design Stage
System architecture, components, data models, and interfaces are planned. Design flaws here
Code Stage
Developers write code according to the design and requirements. Security defects here implementation issues in code
Testing Stage
software is tested to find and fix bugs and ensure it meets requirements
Release Stage
Basics of Application Security (6)
- Design application with security in mind
- Proper repository management and versioning
- Well-defined software process
- Code reviews and security testing
- Secure coding training and guidelines
- Threat modelling, penetration testing and monitoring
What is the waterfall model?
First SDLC model where each phase must finish before the next begins
Waterfall phases
Requirements -> Design - > Implementation -> Validation -> Maintenance
Waterfall Disadvantages (4)
- No working version until late
- poor fit for complex projects
- Hard to measure progress
- Difficult to handle changing requirements
What is agile thinking?
An umbrella term for frameworks and practices based on Agile Manifesto values and 12 principles
What is Scrum used for?
Managing complex, adaptive problems with fast delivery and evolving requirements
What are main steps in Scrum
- Product owner priorities work in the product backlog
- Scrum team delivers an increment during a sprint
- Team and stakeholders review and adapt
- Repeat
What is water-scrum-fall?
Hybrid of waterfall and scrum used in practice but not a formal stadard
Manual Inspection and review techniques
Reviewing people, polices and processes for security
Advantages and disadvantages of manual inspections
Pros: Early in SDLC, flexible, improves teamwork and understanding
Cons: Time-consuming and requires skilled analysis
What is threat modelling?
A risk assessment technique that identifies threat actors and vulnerabilities by breaking down applications into assets, functionality and connectivity
What is code review in security testing?
Manually analysing source code to find security weaknesses by inspecting implementation details
What is pentration testing
Ethical hacking used to find exploitable vulnerabilities should be combined with other techniques and not use first
Why is input validation
It protects systems by ensuring only safe and expected input is processed
What types of input validation exists?
Origin - verify source (IP, API key)
Size - check input length
Lexical content - validate characters and format
Syntax - ensure correct structure
Semantics - ensure data is logical and consistent
