This report details the importance of developing software securely and the best practices to implement throughout the development lifecycle. By making use of the Microsoft Secure Development Lifecycle Model, software can be developed with sufficient security measures at each stage, from the beginning of development until its eventual release, including the response to incidents that could follow its release.
Creating an online banking application without thoroughly considering the security of the bank's assets and its customers' information would be practically impossible. Because of the vital importance of the assets a bank holds, extensive security measures must always be implemented while developing any aspect of its services. Developing this online banking application must include various steps, as seen in the Microsoft Security Development Lifecycle (such as Security Requirements, Risk Assessment and Threat Modelling).
Banks and financial companies are large targets for malicious attackers who target the online services provided by these businesses. For this reason, the threats posed to a bank with a web banking service are vast, and the development of such an application should be treated accordingly.
Considering the OWASP Top 10 is an excellent initial security measure, as mitigating the threats of the 10 most frequent vulnerabilities found in web applications gives a good foundation for avoiding attacks.
The application functions by having the user access the web site through their browser, pass both steps of authentication, and then gain use of various options associated with their account, such as viewing statements, transferring money to other accounts and viewing the total amount currently in their account.
The first step of the two-step verification will be an 8-digit PIN that the user will have chosen earlier, when first creating their account for the online banking service. The second step will be either the user's date of birth or, occasionally, the user's contact number. This second step will change randomly in order to hinder an automated tool attempting to access a user's account.
When the user creates a web-based banking account, they will be required to give their home address and account number. A letter will be sent to the user giving them a code that is specific to them, which they may then use to verify their identity on the first use of the online banking application and complete the creation of their account. This means that the only people who can use the service are those who already have full access to the user's account details and their post. This is a highly effective security measure, since building security into software would be pointless if it could be compromised simply by one person impersonating another when signing up for the service.
Another way that the login process will be secured is by using a counter: when a user enters details incorrectly three consecutive times, they will be unable to make another attempt for a short period of time.
The reason behind this two-step verification process is to hinder the use of tools that could continuously attempt to crack the login system, possibly by using a tool such as John the Ripper or THC Hydra. The limited number of login attempts is also used to prevent brute-force attacks.
Once authenticated, a user will have access to their account details, including their balance and their previous statements, and will be able to transfer funds to other accounts. All this information will be stored in a database which will be encrypted and salted, so that a leak of the information should not leave it decipherable by an attacker.
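The login rules and the salted storage described above can be sketched as follows. This is an added example, not code from the original report: the class and function names, the 300-second lockout and the use of salted PBKDF2 digests to stand in for the "encrypted and salted" storage are all assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

MAX_FAILURES = 3        # from the text: three consecutive incorrect entries
LOCKOUT_SECONDS = 300   # assumption: the text only says "a short period"
SECOND_FACTORS = ("date_of_birth", "contact_number")


def digest(secret, salt):  # salted, slow hash: costly to crack if leaked
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def enrol(pin, date_of_birth, contact_number):
    salt = os.urandom(16)  # stored record keeps only the salt and digests
    return {"salt": salt, "pin": digest(pin, salt),
            "date_of_birth": digest(date_of_birth, salt),
            "contact_number": digest(contact_number, salt)}


class LoginGuard:
    def __init__(self, accounts, clock=time.monotonic):
        self.accounts = accounts    # account id -> record from enrol()
        self.clock = clock          # injectable so tests can move time
        self.failures = {}          # consecutive failures per account
        self.locked_until = {}      # unlock time per account
        self.pending = {}           # second factor issued per account

    def challenge(self, account_id):
        """Choose the second factor unpredictably and remember it."""
        self.pending[account_id] = secrets.choice(SECOND_FACTORS)
        return self.pending[account_id]

    def attempt(self, account_id, pin, answer):
        now = self.clock()
        if now < self.locked_until.get(account_id, 0.0):
            return "locked"         # refuse without checking anything
        record = self.accounts.get(account_id)
        factor = self.pending.pop(account_id, None)
        ok = False
        if record and factor:
            pin_ok = hmac.compare_digest(digest(pin, record["salt"]), record["pin"])
            ans_ok = hmac.compare_digest(digest(answer, record["salt"]), record[factor])
            ok = pin_ok and ans_ok  # both compared in constant time
        if ok:
            self.failures.pop(account_id, None)   # success resets the run
            return "ok"
        self.failures[account_id] = self.failures.get(account_id, 0) + 1
        if self.failures[account_id] >= MAX_FAILURES:
            self.locked_until[account_id] = now + LOCKOUT_SECONDS
            self.failures[account_id] = 0
        return "denied"
```

The third consecutive failure is still answered with "denied"; every attempt after it, correct or not, returns "locked" until the lockout time has passed.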
The Secure SDL (Software Development Lifecycle) as implemented by Microsoft is a development process which assists developers in creating secure software and addresses compliance with security requirements whilst reducing the overall development cost.
The Lifecycle is divided into 7 different SDL practices, as seen in the figure below. These practices are used to highlight security implementations in the many stages of the software's development. For example, when designing the software, it is important to produce accurate threat models that can be used to easily locate the different possible vulnerabilities that the program may be subject to.
(stan.gr, 2012).
Establishing Security Requirements
One of the first steps to be taken in developing the banking software is to determine what security and privacy requirements will be implemented in the software. This will make it easier to identify the direction of the development and assist in keeping to the schedule. The team developing the banking software will mostly look at the OWASP Top 10 as the main vulnerabilities that may occur in the application and attempt to secure against these.
One of the security requirements that will be present in the program is to secure it against Injection. As the information that is shown whenever a user logs in is sensitive, the program must protect against malicious users attempting to log in by using injection. In order to avoid SQL injection, the program will be developed using prepared statements in order to sanitise the user's input.
Validation methods will be included in the software to ensure that each user has the correct authority to use the functions that they attempt to use, and that inputs entered into the application are acceptable, in order to avoid cross-site scripting and other such threats.
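The difference between a concatenated query and a prepared statement, together with the validation and authority check described above, is shown in the following added example. It is not code from the original report: the table layout, the function names, the 8-digit account-number format and the sample rows are assumptions constructed for illustration.

```python
import sqlite3


def open_bank_db():
    """In-memory database holding two constructed customers."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (account_no TEXT PRIMARY KEY, "
               "owner TEXT, balance_pence INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                   [("10000001", "alice", 125000), ("10000002", "bob", 4200)])
    return db


def balance_unsafe(db, session_owner, account_no):
    """BEFORE: input is pasted into the SQL text and can change the query."""
    sql = ("SELECT account_no, balance_pence FROM accounts "
           f"WHERE owner = '{session_owner}' AND account_no = '{account_no}'")
    return db.execute(sql).fetchall()


def balance_prepared(db, session_owner, account_no):
    """AFTER: placeholders bind input as values; the query text is constant."""
    sql = ("SELECT account_no, balance_pence FROM accounts "
           "WHERE owner = ? AND account_no = ?")
    return db.execute(sql, (session_owner, account_no)).fetchall()


def view_balance(db, session_owner, account_no):
    """Validate the input first, then run the prepared statement.
    session_owner comes from the authenticated session, never from the form,
    so a user can only ever read rows they own."""
    if not (account_no.isascii() and account_no.isdigit()
            and len(account_no) == 8):
        raise ValueError("account number must be 8 digits")
    return balance_prepared(db, session_owner, account_no)


CRAFTED = "' OR '1'='1"   # constructed hostile input for the comparison
```

With the crafted input, the concatenated query returns every customer's row, the prepared statement returns none, and view_balance rejects the value before any query runs.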
Create Quality Gates / Bug Bars
In the early stages of development, deciding what the minimum acceptable quality level should be for the security of the program is essential. Without this task, oversights may occur, such as users' private information not being fully secure because the development team did not give as much attention to protecting it as to another area.
Having a minimum acceptance level also helps the development team to fix security bugs, as they have a set standard to follow and will have some idea of what risks are associated with various issues.
For this software, no bug that may be related to the leaking of information will be acceptable. Strict security measures will be put in place to ensure that the privacy of the bank's customers is protected.
Security & Privacy Risk Assessment
This stage of the development involves examining the software design and locating areas that are potentially prone to more threats or simply carry more risk than other areas. For instance, the database being protected, as it includes vital information, is at higher risk of a malicious attack than the website hosting the application. Identifying these risks and what the areas are vulnerable to will enhance the security of the software. This will be further developed in the threat modelling step, as this task determines which parts of the project will require threat modelling.
This stage is vital in the development process, as the likelihood of avoiding a risk that was overlooked in the creation of the software is much lower than if it had been analysed throughout the development.
Establish Design Requirements
Establishing the design requirements will ensure that the program functions in the intended way while also helping to minimise cost and improve security throughout the development. This stage will ensure that the program is user-friendly and can also help in ensuring that there is no way that a user may accidentally gain access to information that they are not authorised to access.
Analyze Attack Surface
This step involves analyzing which elements of the software present opportunities for attackers and can help developers in reducing these vulnerabilities. This may involve disabling or restricting certain access to services. This stage will also be a large part of the threat modelling stage, in that it will allow the developers to identify aspects of the software that are likely to be attack targets.
This step allows the developers to look at exactly what happens whenever a user is using the service and to anticipate which aspects are vulnerable to threats. From here, developers can decide the feasibility of reducing these threats and how this can be achieved. This can be done by identifying vulnerable areas and ensuring that they are secured against the attacks they are vulnerable to. The need for this stage is highlighted by the value of protecting the sensitive information that the application will be using.
The figure below shows a threat model created with the 'Microsoft Threat Modelling Tool 2016' with regards to the online banking service.
Use Approved Tools
Using approved tools throughout the development process will help to ensure that correct security procedures are used in the program. This includes using a compiler which will flag security warnings if the software being compiled has a known security risk. These tools can include the IDE (Integrated Development Environment) in which the developers write the software, such as Eclipse.
Deprecate Unsafe Functions
Banning functions that are deemed to be unsafe will reduce potential bugs in the software. Detecting these can be carried out by using automated tools or by manually checking the code and making certain that none of the functions present are on the banned list, which may be found at <https://msdn.microsoft.com/en-us/library/bb288454.aspx>.
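An automated check of the kind described above can be as small as the following added example, which is not part of the original report. It scans C source for four functions from the banned list; the choice of those four, the suggested replacements and the sample source are assumptions made for illustration, and a real check would load the full list.

```python
import re

# Subset of the banned list, each with a safer CRT replacement (assumption).
BANNED = {"strcpy": "strcpy_s", "strcat": "strcat_s",
          "sprintf": "sprintf_s", "gets": "gets_s"}

_SKIP = re.compile(
    r"//[^\n]*"                  # line comment
    r"|/\*.*?\*/"                # block comment
    r'|"(?:\\.|[^"\\\n])*"'      # string literal
    r"|'(?:\\.|[^'\\\n])*'",     # character literal
    re.S)
_CALL = re.compile(r"\b(" + "|".join(BANNED) + r")\s*\(")


def blank_out(src):
    """Replace comments and literals with spaces, keeping line numbers."""
    return _SKIP.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)


def scan(src):
    """Return (line, banned function, suggested replacement) per call."""
    findings = []
    for lineno, line in enumerate(blank_out(src).splitlines(), 1):
        for match in _CALL.finditer(line):
            name = match.group(1)
            findings.append((lineno, name, BANNED[name]))
    return findings


# Constructed sample input, not taken from any real code base.
SAMPLE = '''#include <string.h>
/* strcpy( appears here only inside a comment */
void greet(char *dst, const char *name) {
    strcpy(dst, "hello ");       // flagged
    strcat (dst, name);          // flagged despite the space
    my_strcpy(dst, name);        // project helper, not flagged
    puts("never call gets()");   // inside a string, not flagged
}
'''
```

Run in a build pipeline, a non-empty result from scan() would fail the build, which enforces the ban without relying on manual review alone.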
Analyzing the source code before compiling it is an excellent way of making certain that the code has been developed in a secure manner. This stage will involve the developers reviewing the code and checking that the right security measures have been put in place, such as prepared statements and sanitisation of inputs.
This stage of the Software Development Lifecycle involves testing the software to ensure that it is functioning as intended, and also allows web application penetration testing to be completed in order to verify that the security functions put in place work correctly. This penetration testing can be carried out by the business if it has its own department, or it can be outsourced to a specialist company such as Offensive Security.
Offensive Security offers services that "more accurately simulate real-world hacking situations to audit network, web, and application security programs" (Offensive Security, 2016).
Perform Dynamic Analysis
Using various tools to monitor things such as user privilege issues will help in verifying how secure the software is when in use. It is at this point that the software can be examined for any possible security oversights. This stage is comparable to the testing stage and may be used to verify which devices the web application works on and whether there are any errors in how the application performs. A good example of this would be that the application may work as intended in a Firefox browser on an Android device but might not work completely as intended in Safari on an iOS device.
This step involves attempting to make the program fail by introducing random data. This testing is used to verify the way the software handles errors and whether there is any weakness in the security of the way the software does this. For example, an error may occur that gives away sensitive data about the software's database. This testing will ensure that the sanitisation of the user's inputs is working appropriately, by handling these errors rather than executing code that is input.
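The random-data testing described above is sketched in the following added example, which is not part of the original report. The transfer handler, its field names and limits, and the deliberately unvalidated handler used for contrast are all hypothetical.

```python
import random
import string

GENERIC_ERROR = "The request could not be processed."
FIELDS = ("to_account", "amount_pence")


def handle_transfer(form):
    """Hypothetical handler under test: returns (status, body), never raises."""
    try:
        account = form["to_account"]
        pence = int(form["amount_pence"])
        if not (isinstance(account, str) and account.isascii()
                and account.isdigit() and len(account) == 8):
            raise ValueError("account number must be 8 ASCII digits")
        if not 0 < pence <= 1_000_000:
            raise ValueError("amount out of range")
    except (KeyError, TypeError, ValueError):
        return 400, GENERIC_ERROR      # detail belongs in server logs only
    return 200, f"Transfer of {pence} pence to {account} queued."


def leaky_transfer(form):
    """Contrast case: no validation, so bad input escapes as an exception."""
    return 200, f"Transfer of {int(form['amount_pence'])} pence queued."


def random_value(rng):
    kind = rng.randrange(5)            # numbers, None, text, digit strings
    if kind == 0:
        return rng.randint(-10**12, 10**12)
    if kind == 1:
        return None
    if kind == 2:
        return "".join(rng.choice(string.printable) for _ in range(rng.randrange(40)))
    if kind == 3:
        return "".join(chr(rng.randrange(0x20, 0xD800)) for _ in range(rng.randrange(40)))
    return "".join(rng.choice(string.digits) for _ in range(rng.randrange(1, 12)))


def fuzz(handler, rounds=2000, seed=1):
    """Feed random forms to handler; collect crashes and leaky error bodies."""
    rng = random.Random(seed)          # fixed seed so a failure can be replayed
    failures = []
    for _ in range(rounds):
        form = {f: random_value(rng) for f in FIELDS if rng.random() < 0.9}
        try:
            status, body = handler(form)
        except Exception as exc:
            failures.append((form, "unhandled " + type(exc).__name__))
            continue
        if status != 200 and body != GENERIC_ERROR:
            failures.append((form, "error body reveals internal detail"))
    return failures
```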
Attack Surface Review
Reviewing the attack surface when the code has been completed can help ensure that any future changes to the design or functionality of the program have been considered and that these changes will not compromise the security of the software. An example of this may be that making the web application into a mobile device application may present difficulties, as different vulnerabilities may be present.
Create an Incident Response Plan
The Preparation phase involves having implemented the right controls in order to recover following an incident. It states the policies, tools and contact information that are essential to be able to respond effectively to the incident.
Detection is the phase that involves the discovery of the incident. This can be through the use of logging or can come by means of a customer alerting the business. In this phase, the incident will be declared and its severity will be determined.
The containment phase will be where the affected part of the software is isolated or mitigated if possible. If the incident affects the program in its entirety, it must be determined whether or not the entire software is to be taken offline in order to prevent any more users from being affected by it.
The investigation phase involves examining the incident and attempting to identify the source, the scope and the priority of the incident.
The remediation phase will be where it is decided which parties to inform about the incident and where it is confirmed that the threat has in fact been contained.
The recovery phase will be the phase in which it is decided how the software will ensure that the incident does not happen again, and in which it is confirmed whether it is necessary to review the software's policies. (Raderman, L. 2015)
Conduct Final Security Review
Reviewing all the security checks and measures before, throughout and after release of the program helps to ensure that they were carried out effectively and that none have been left out. This step can be assisted by using an automated tool such as Vega to scan the application and see whether any known vulnerabilities have been overlooked.
Ensuring that the utmost has been done to safeguard the security and privacy of its users should be one of the bank's largest priorities in developing this software, as without the trust provided by this, the bank will surely experience a loss of assets in the form of customers and finances.
Certify Release and Archive
Certifying the software before it is released will ensure that all of the right security requirements were met. Archiving the data allows the developers to perform rollbacks and also to review any future security or privacy breaches in relation to the original software. Without certifying the software upon its full release, the credibility of the software may be questioned and it could cause negative PR for the business. As a bank, it's important that customers are confident in the security and privacy provided by the business.
Execute Incident Response Plan
Being able to implement the Incident Response Plan from the Release step will help users to avoid severe security and privacy breaches and allow the company to react more quickly to any exploits that may arise. This task is important, as users should feel confident that the bank has their best interests in mind and can ensure that their security, being one of the business's key assets, is being frequently and effectively protected.
Developing a web-based application for a bank could prove extremely beneficial and convenient for its customers. However, the value of the information that a bank holds about its customers and their finances is high, and given the nature of cyber security and the increasing number of attacks, especially against a high-profile target like a bank, the development of such an application should be approached with security in mind throughout the process. Following the Microsoft Secure Development Lifecycle is a very effective way of ensuring that software is thoroughly analyzed for security threats and vulnerabilities, and it ensures that a business will have reasonable plans in place should any breach of security occur. It is also beneficial, when creating software to be secure, to refer to the OWASP Top 10 vulnerabilities and ensure that the software is as secure against these vulnerabilities as possible.
Microsoft (2011) Security Development Lifecycle (SDL) Banned Function Calls [online] available from: https://msdn.microsoft.com/en-us/library/bb288454.aspx [accessed 27th December 2016].
Microsoft (2016) What's the Security Development Lifecycle? [online]
available from: https://www.microsoft.com/en-us/sdl/ [accessed 27th December 2016].
Offensive Security (2016) Advanced Penetration Testing Services [online]
https://www.offensive-security.com/offensive-security-solutions/penetration-testing-services/ [accessed 2nd January 2017].
OWASP.org (2015) Top 10 2013-Top 10 [online]
available from: https://www.owasp.org/index.php/Top_10_2013-Top_10 [accessed 27th December 2016].
Raderman, L. (2015) Computer Security Incident Response Plan. Carnegie Mellon Information Security Office [online], 13th February 2015, (pg 8-9),
<https://www.cmu.edu/iso/governance/procedures/docs/incidentresponseplan1.0.pdf> [accessed 2nd January 2017].
<http://www.stan.gr/2012_11_01_archive.html>, [accessed 27th December 2016].