CAP 20 - Software Development Security

Introducing systems development controls

Avoiding and mitigating system failure

input validation

authentication and session management

error handling

logging

system development lifecycle (conceptual definition - functional requirements determination - control specifications development - design review - code review walk-through - system test review - maintenance and change management)

Lifecycle models (Waterfall, spiral, agile, SW-CMM, IDEAL)

change and configuration management

software testing

Establishing databases and data warehousing

ACID

database contamination

concurrency (lock)

semantic integrity, content dependent access control, cell suppression, context dependent access control, polyinstantiation

Storing data and information

storage threats

illegitimate access

covert channel attacks (transmission of data through classification levels)

Understanding knowledge based systems

expert systems

machine learning

neural networks