Software Security
By
Dr. [Link]
Assistant Professor (Senior Grade 2)
School of Information Technology and Engineering
VIT Vellore
Module 7 – Managing a Secure Software
Security and Project Management – Project Scope and Plan,
Resource, Estimate the Resources, Product and Project
Resources, Measuring Software Security, Maturity of Practice.
Project Management
Establish a project management structure
1. Establish Roles and Responsibilities: Assign roles and responsibilities to each
team member and create a clear chain of command.
2. Develop a Communication Strategy: Develop a plan that outlines how
communication will be handled within the project team and with other
stakeholders.
3. Set Expectations: Define expectations for each team member, including goals,
deadlines, and deliverables.
4. Implement Project Management Software: Utilize project management
software to track progress and keep the project on schedule.
5. Monitor Performance: Monitor team performance and measure progress
against the project plan. Identify any issues that arise and take corrective action.
Project Definition
1. Scope: Define the project’s goals, objectives, deliverables, and timeline.
2. Budget: Estimate the cost of the project and develop a budget.
3. Resources: Identify the resources needed to complete the project, including
personnel, materials, and equipment.
4. Risk Management: Identify potential risks and develop a plan to moderate
those risks.
5. Quality Assurance: Establish the quality standards for the project and
develop a plan to ensure those standards are met.
Security and Project Management
• Continuous risk management and periodic risk assessment are key
activities that help guide project managers in determining which security
practices to incorporate in each life-cycle activity and to what degree.
• Software security requirements affect project planning and monitoring,
with respect to the following aspects of the project:
  • The project’s scope
  • The project plan
  • Tools, knowledge, and expertise
  • Estimating the nature and duration of required resources
  • Project and product risks
Project Management
• The overall goal of project planning is to establish a realistic strategy for
controlling, tracking, and monitoring a complex technical project.
• Why?
• So the end result gets done on time, with quality!
Risk Types
Project Scope
• Security's impact on the scope of the project has several dimensions
that need to be considered throughout project planning and
execution.
• These dimensions influence all SDLC activities and need to be
specifically addressed in the final software and system before they are
approved for release:
  • The type and number of threats
  • The sophistication of and resources available to the attacker
  • The desired response to an attack
  • The level of required assurance that the system meets its
    security requirements
Understanding Project Scope
• Understand the customer’s needs
• Understand the business context
• Understand the project boundaries
• Understand the customer’s motivation
• Understand the likely paths for change
Project Plan
• The nature of security risks and their consequences affect both
project planning and resources. Actions to mitigate low-consequence
and low-likelihood risks can often be left to the discretion of the
project leader with limited management review.
• The complexity associated with product development may be a
consequence of tight component integration to meet market
demands for functionality or performance.
• Shared services typically aggregate risks.
• System integration has to resolve any mismatches with both internal
and outsourced development.
Project Planning
• Scoping—understand the problem and the work that must be done
• Estimation—how much effort? how much time?
• Risk—what can go wrong? how can we avoid it? what can we do
about it?
• Schedule—how do we allocate resources along the timeline? what
are the milestones?
• Control strategy—how do we control quality? how do we control
change?
Resources
• Tools
  • The software development environment should be at least as secure as
    the planned security level of the software being produced.
  • Appropriate controls for and configuration management of
    development artifacts are essential and must have the required assurance
    level.
• Knowledge and Expertise
  • The security expertise required to develop more secure software can
    be classified into two categories:
    • Knowledge of security functionality and features.
    • The skills to identify and mitigate exploitable vulnerabilities.
Estimating the Nature and Duration of Required Resources
• The main objective of software project planning is to provide a framework
that enables the manager to make reasonable estimates of resources,
cost, and schedule.
• These estimates are made within a limited time frame at the beginning of a
software project and should be updated regularly as the project
progresses.
• Estimates should attempt to define best-case and worst-case scenarios so
that project outcomes can be controlled.
• Early estimates for staff effort and schedule are not very reliable until a
more detailed description of the software is available.
• Using shared services and a shared IT infrastructure across a number of
application development projects can reduce component development
costs but typically aggregates risks across all uses.
• Project estimates need to consider and reflect the increased assurance that
will need to be applied to any shared services.
Project and Product Risks
• Potential requirements for secure data access during development,
secure facilities, or demonstration of capability can add great
complexity and schedule concerns to projects.
• Change and configuration management procedures provide some
assurance for internal development.
• Activities such as an architectural risk assessment, threat analysis,
and static analysis for the source code provide practices for specific
development phases.
• Development controls and change management are essential
development tools.
Thank you
Dr. M. LAWANYA SHRI, SITE