
Lecture 13 Notes

The document discusses integrating web security into the system development life cycle (SDLC). It describes the traditional seven phases of the SDLC and explains how security considerations should be factored into each phase, from planning and requirements analysis to development, testing, implementation and maintenance.

Uploaded by

wannabedaniel77
Copyright
© All Rights Reserved

Advanced Web Based Application Development

Lecture 13

Integrating Web Security in the SDLC

Dr. Obuhuma James


Description
This topic explores how security elements should be integrated in the system development
process. Reference will be made to the phases of the traditional System Development Life
Cycle (SDLC). The activities that occur in each phase with reasons why security measures
should be considered in each phase will be extensively discussed.

Learning Outcomes
By the end of this topic, you will be able to:

▪ Understand the phases of the traditional System Development Life Cycle (SDLC).

▪ Describe the need for integration of security in each phase of the SDLC.

▪ Describe how security aspects can be integrated in each phase of the SDLC.

Introduction
The security of any given system has to be founded over the various stages that lead to its
production. This is in addition to security measures put in place during the time period when
the system is in use. Viruses, worms, theft of data, manipulation of data and any other
security threats are critical aspects to watch with respect to web-based application
development [1]. Applications should only get into the production environment upon
thorough consideration of security aspects within and around it [1]. Any given system in
existence must go through the different phases of the System Development Life Cycle
(SDLC). According to Sommerville [2], there is no universal software engineering method or
technique that is applicable for all circumstances. However, three general issues affect many
different types of software, namely, heterogeneity, business and social change and security
and trust. The life cycle may be expressed differently, based on the many varied existing
process models. However, no matter the approach used by any given process model,
elements of standard development activities are normally embraced. For better security of
the system, developers and other technical staff should always adhere to secure or
defensive coding practices and principles [1]. Such coding approaches have become major
goals for many information software development companies in a move to help in the
reduction of maintenance costs channeled towards fixing flaws in the production
environment of commercial software [1]. It is worth noting that since software is
intertwined with all aspects of our lives, it is vital for users to trust every piece of software they use
[2]. This is especially the case for remote software systems accessed through a web page or
web service interface. Under all circumstances, we must ensure that malicious users won’t
attack our software and that information security is maintained at all costs [2].

The System Development Life Cycle
Consider the two broad approaches to software development, namely, plan-driven and agile
methodologies shown in Figure 1 [2].

Figure 1. Software Development Methodologies [2]

According to Figure 1, the agile approach considers design and implementation as central
activities in the development process, and incorporates requirements elicitation and
testing into design and implementation [2]. In contrast, the plan-driven approach preplans
separate phases of software development such that outputs from one phase serve as a
basis for planning the next phase [2]. Even though the agile methodology does not
follow the phases in a preplanned manner, the critical software development activities are
still embraced.

Despite the existence of the two main software development methodologies, the traditional
System Development Life Cycle (SDLC) has the following seven phases:
1. Planning
2. Analysis
3. Design
4. Development
5. Testing
6. Implementation
7. Maintenance
Some versions of the system development process either combine some of these phases or
rephrase the phases, as seen earlier in the description of the plan-driven and agile
methodologies. But the bottom line is that it all boils down to the incorporation of some
standardized activities. This topic hence attempts to bring out how security should be
integrated in the traditional Software Development Life Cycle.

Integrating Web Security in the Phases of the SDLC


The following is a brief description of activities involved in each of the seven phases of the
traditional Software Development Life Cycle. The discussion per phase concludes by
indicating how security aspects can be incorporated in each phase.

Planning

The planning phase is the starting point for system development. This is the point at which
project stakeholders initiate a need for a system. The phase defines the scope of the
problem and the desired solution. Furthermore, the resources needed in terms of cost and
time are also determined in this phase. It is vital to ensure that the project has enough
personnel and budgetary allocation. Part of the outcomes for the phase include a clear
project plan, cost estimations, and procurement requirements. At this stage, it is essential
for the project plan to include an element of how security measures are to be factored in
the system under planning. Stakeholders may be probed to outline any potential security
concerns that they may wish to be taken care of.

Analysis

The second phase of the life cycle entails getting a clear understanding of the requirements
and/or user needs. Such requirements include but are not limited to functional
requirements aimed at helping the system end-users. The analysis relies on data gathered
through stakeholder engagement in the planning phase. In summary, the phase entails a
review of problem specifications which describe what the program should accomplish [3].
The outputs from the requirements analysis stage vary depending on the methodology
used. Regardless of whether your team is working with a formal requirements document or
a list of tickets, everyone has to understand each need. It is worth remembering that
comprehensive planning and analysis ensure that developers provide systems that meet
user needs [4]. It is advisable for the team carrying out requirements analysis to include a
comprehensive analysis of security needs gathered in the previous phase. A better analysis
of security elements at this stage will lay a good foundation for the next phases.

Design

The third phase entails transforming requirements gathered and analysed in previous
phases into some form of models that embrace features of the proposed system. The
models may include prototypes for the desired system, where a prototype in this case is a
mock-up of screens depicting the look of the desired final product [3]. Such prototypes are
normally shared with stakeholders and/or end users to solicit their feedback. It is
advisable for the design team to include a security perspective in the designs as informed by
what was outlined during planning and analysis. The mock-ups should demonstrate a secure
application as an envisioned version of the final system.

Development

This is where the real action takes place. The model and prototype generated in the design
phase are now transformed into code that defines the system. This is the point at which the
system being developed starts becoming a reality. This phase is fully under the control of
developers, as opposed to the initial phases, which may be undertaken by other people who may
not necessarily be developers. It is at this phase that the development team actualises the
proposed security elements, as detailed in the requirements analysis document and
demonstrated in the proposed system’s prototype. In most cases, a security layer or
wrapper is normally incorporated in the static code for the system. It is normally advisable
to ensure that the deployment team gets trained on matters relating to security and that
they embrace secure coding standards, described in the following subsection.

Testing

Testing is normally done at various stages of the system development process. For instance,
Test-Driven Development (TDD), which emphasizes fast, incremental development and the
writing of test cases before the writing of actual code [3], is becoming a popular approach used
by the majority of developers. Good programmers often build test plans as they analyse and
design their solutions [3]. Such test plans could be tailored in such a manner that they
include elements that test for system security. Furthermore, security elements should be
mainstreamed at all levels of testing, including, during unit testing, component testing and
full application/system testing. Hybrid testing that entails both dynamic and static testing
should be performed, where, dynamic testing should focus on checking for loopholes in
functionality while static testing should check for loopholes in the code. A quality assurance
team may be involved to perform basic vulnerability assessments, where they could use a
test plan that incorporates security measures and includes the use of automated security
testing tools.
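
The following added example (not part of the original lecture notes) shows a small security test plan that applies both kinds of testing to the same code: a static check that reads the source without running it, and a dynamic check that runs it with hostile input. The two `find_user` functions, the `users` table and the input string are constructed for illustration.

```python
import ast
import sqlite3

# Constructed sample code under test (hypothetical, not from the lecture).
SOURCE = '''
def find_user_v1(conn, name):
    query = "SELECT id FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()

def find_user_v2(conn, name):
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
'''

def static_check(source):
    """Static test: read the code without running it and report functions
    whose execute() call is given SQL that is not a fixed string literal."""
    flagged = []
    for func in ast.parse(source).body:
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute"
                    and node.args
                    and not isinstance(node.args[0], ast.Constant)):
                flagged.append(func.name)
    return flagged

def dynamic_check(lookup):
    """Dynamic test: run the code against a throwaway database with a
    hostile input; pass only if the unknown user yields no rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return lookup(conn, "nobody' OR '1'='1") == []

def run_test_plan(source=SOURCE):
    """Run both kinds of test on every find_* function in the source."""
    namespace = {}
    exec(source, namespace)  # load the sample functions for the dynamic run
    flagged = static_check(source)
    return {name: {"static_pass": name not in flagged,
                   "dynamic_pass": dynamic_check(fn)}
            for name, fn in namespace.items()
            if name.startswith("find_") and callable(fn)}

if __name__ == "__main__":
    for name, result in run_test_plan().items():
        print(name, result)
```

The version that builds its query by string concatenation fails both checks, while the parameterised version passes both, which is the agreement a hybrid test plan looks for.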

Implementation

System implementation shifts the system from the development environment to the
production environment. The phase is sometimes referred to as the deployment phase. This
is the point when the web-based application’s code is put on a web server for access by end
users. Training of users and actual system takeover by the users occurs during this phase.
This is the best point to perform real user environment security tests like penetration
testing to expose any loopholes that may be existing in the system. It is advisable to engage
a team of penetration testers to thoroughly test the system and provide a detailed report to
the development team for scrutiny and possible consideration for adoption.

Maintenance

The longest and most expensive phase of system development is the maintenance phase.
This is the lifetime of the system when it is put to use. As the system is in use, both end
users and the development team watch for bugs or defects. Any security loopholes are also
monitored through dynamic testing strategies. During the maintenance phase, bugs may be
fixed in the system, new functionalities may be added to the system, and/or the system may
be adapted to new operational environments. Under any of these three types of
maintenance, system security should always be top notch.

Best Practice for the Integration


The best approach towards ensuring web application security is to establish software design
requirements appropriately as you factor security right from that point. In addition, it is
recommended to use at least one coding standard to enhance security at the
development stage. Some of the most common standards for web application development
include OWASP, WASC, CWE and CERT, among others. Lastly, software should be tested
appropriately, with both static analysis and dynamic analysis done comprehensively. It is
important to ensure that all roles involved in the system development life cycle, including
the requirements gathering and analysis team, design and development team and the
Quality Assurance team, undergo prior training on matters relating to system security. This
will make them always cognizant of security elements during the entire system
development life cycle.

The bottom line is that there is a critical need to integrate security in the entire System
Development Life Cycle (SDLC) as described in the previous subsection. Why is this so
important? Discovering and resolving vulnerabilities earlier in the SDLC helps ensure better
application security at a lower cost. In contrast, identifying and fixing security issues
in an already released application is a much more difficult and expensive venture. At every
point, it is recommended that any detected security issues should be well documented with
details tracked and communicated appropriately to the development team. Upon fixing of
any issues, reassessment of the application in the same environment should be performed
to ensure that no new security loopholes have been introduced.

Summary
The topic has exposed you to how to integrate security in the System Development Life
Cycle (SDLC). It is prudent to ensure that elements of system security are checked in all the
phases of the SDLC. This can best be accomplished through training of all parties involved in
the SDLC on system security aspects.

Check Points
1. Describe the System Development Life Cycle as used in web application development.
2. Discuss how system security can be embraced in each phase of the SDLC.
3. Describe the need for performing both static and dynamic testing.
4. Discuss the essence of offering a security training course to all roles involved in the
SDLC.
5. Discuss the best practice towards ensuring web application security integration in the
SDLC.

Learning Resources

Core Textbooks

1. Gosselin, D., Kokoska, D. and Easterbrooks, R., 2010. PHP Programming with MySQL:
The Web Technologies Series. Cengage Learning.
2. Sommerville, I., 2011. Software engineering 9th Edition. ISBN-10, 137035152, p.18.
Pearson.
3. Doyle, B., 2013. C# Programming: From Problem Analysis to Program Design. Cengage
Learning.
4. Shelly, G., Woods, D. and Dorin, W., 2013. HTML5 and CSS Comprehensive. Cengage
Learning.

Other Resources

5. https://www.w3schools.com/php/DEFAULT.asp
6. https://www.tutorialspoint.com/php/index.htm

References
[1] Brooks, D.R., 2017. Programming in HTML and PHP. Switzerland: Springer.
[2] Gosselin, D., Kokoska, D. and Easterbrooks, R., 2010. PHP Programming with MySQL:
The Web Technologies Series. Cengage Learning.
