CSOL Secure Software and Development focused on learning the crucial skills to develop a software system to address and manage existing risk gaps in the supply chain. An example is understanding how to use the Software Development Life Cycle (SDLC). There are 7 phases to completing the SDLC.
Requirements & Analysis:
Project Planning
Design
Coding & Implementation
Testing
Deployment
Maintenance
Additionally, several SDLC models are processed in different ways. The Agile model is the best for software development projects that require flexibility and adaptability. The Waterfall model is the best for small, well-established projects with little to no need for changes. The Iterative model is best for projects that require high flexibility and multiple changes. This model is best suitable for organizations that have the resources. The Spiral model is best for complex projects with multiple changes but can be expensive for small projects.
Reflection
The final project for the Secure Software and Development course was developing risks and metrics in software systems. Risk is exposure to something dangerous, harmful, loss, or negative impact. The assignment was developing and implementing the risks and metrics of a hospitality organization such as a casino. There are no formal steps to create a risks and metrics spreadsheet, but I could break it down into steps I understood and apply it to other organizations. Step 1: I needed to gather all the assets of an industry that can be influenced or impacted by a bad actor. These assets can range from RFID access points, computers, websites, HVAC systems, and anything with an operating system. Step 2: Understand the consequences the organization will face if the asset was to be compromised or shut down. These consequences include financial loss, productivity, PII breach, lawsuit, and other negative consequences. Step 3: Identify the threats and the likelihood those threats can occur. The threats are anything that can negatively impact the assets. Step 4: Identify the vulnerability that can lead to these threats having access to the assets. Step 5: Identify the risk of the threats exposing the vulnerabilities. Step 6: Develop a solution and the cost value of it.
When creating a risk and metric assessment, these steps can be implemented in any organization. The formula to determine the overall Risk is = Asset x Threat x Vulnerability. If the asset is no longer valuable, but the threats and vulnerability are very high, then there will be no risk. Since the Asset is unimportant, it would not matter about the Threats or Vulnerabilities. The same concept applies if there is no Threat or Vulnerability. This will indicate there is no risk, and we should not worry. There would be no risk until a threat, vulnerability, or asset matters. Incorporating this assessment into an Information Systems Security Plan (ISSP) will help identify what controls should be implemented to strengthen the system due to the risk value. A higher risk will need multiple control sets to protect it from bad actors. Little to no risk will need controls but not to the extreme as if it was a higher risk.
Learning how to create a risk and metric assessment has been extremely beneficial because it's an extra tool I used before creating or reviewing an ISSP. I can incorporate this knowledge into multiple small, large, critical, or uncritical tasks. Breaking it down by each step, I have the ability to explain in depth each category regardless of the industry.