Software development has witnessed tremendous advances with the development of new and better tools and models for development. Businesses typically no longer use models with sequential phases and limited iterations. New development models, such as agile development, extreme programming (XP), and scrum, use teams with highly focused goals, clear deliverables, and iterative development cycles to improve the efficiency of development. These software development models also introduce new security risks in the development organization and the code that is produced.
For this assignment, you will continue development of your software assurance guidelines document to address security in nontraditional development models. This new section of your document will provide guidance to the company when it is using nontraditional development models to ensure that it follows processes and policies that will minimize the threat of security problems. The security development model will be used as the basis for your analysis.
The project deliverables are as follows:
Update the software assurance guidelines document title page with the new date and project name.
Update previously completed sections based on instructor feedback.
Security in Nontraditional Development Models section:
Identify a non-traditional software development model that could be used by your company.
Provide a summary of the major steps in the development model, and describe the potential security threats for each step.
Using the security development model as the foundation for analysis, develop and document appropriate policies and processes for each security risk that will minimize the threat.
Association with the security development model should be demonstrated in the policies and processes.
Individual Project CSS321 Software Assurance Unit 2
Contents Table of Contents
Guidelines for Software Assurance
3 Project Overview
3 Overview of the Organization 3 Security in the Development Life Cycle 4 Techniques of Assurance
6 TBD 6 Nontraditional Development Models and Security
7 sTBD
7 Static Security Analysis
8 sTBD
8 Policies and Procedures for Software Assurance
9 sTBD 9 sReferences 10
Guidelines for Software Assurance
Outline of the Project
Overview of the Organization
Workday is the firm I choose; I use it on a daily basis at work. Workday is an online-based company that combines HR, management, accounting support, forecasting, and other business-related services into a single platform. Workday is used by a number of government-owned businesses. Workday assists with both the hiring and payroll procedures. Companies frequently employ a variety of websites to execute tasks. Weekday, on the other hand, will have all of the resources necessary to execute each activity required in a typical workday. To audit processes and assure the accuracy of said functions, software assurance is required. These functions, in particular, must be monitored and confirmed during the workday.
Workday currently employs over 12,500 people (Workday, 2021). Pleasanton, California is the headquarters of Workdays. The Chief Executive and Senior Director, as well as the Officer in Charge, Chief Senior Officer, and Security Team, make up the Corporate Leadership. All company operations, human resources, money, and approvals are overseen by Corporate Headquarters. The SDC consists of the President of Software Engineering and Chief Scientist, as well as software engineers from the development team. Product design and deployment are the responsibility of the SDC. All product sales and support are handled by Vendor Control Operations (VCO)
Sales teams can monitor their sales opportunity pipeline within Workday using the Sales Opportunity Tracking app, which allows them to quickly add or update opportunities straight from their mobile devices. Sales Opportunity Tracker is a web application used by Workday that is primarily a financial management application. Sales leaders can also get facts and metrics about their workflows through the software’s displays. To link with PLEX for product catalog marketing and customer information, Workday Prism Analytics is employed.
Workday also uses the Annual Compensation Review – Decision Guide tool. This program is mostly utilized for compensation. This is for Human Capital Management, because when it comes to salary reviews at the end of the year, managers in a firm can be problematic. The Annual Compensation Review collects data from each employee and determines the appropriate compensation for that individual. This ensures that each employee is treated consistently and that their performance is tracked throughout the year in order to give them a fair raise (Workday, 2021).
In the Development Life Cycle, Security
The software development life cycle (SDLC) is a method of creating software, then identifying and correcting issues (McGraw, 2006). The seven-phase process helps developers accomplish or surpass their company’s objectives. According to Innovative Architects, the SDLC is divided into seven phases: planning, systems analysis and requirements, systems design, development, integration and testing, implementation, and operations and maintenance (n.d.).
Stage 1: Planning and Analysis of Requirements – This is the responsibility of the SDC’s top software development professionals. This SDC team will work directly with customers to gather all requirements. The team will create a project plan and evaluate the project’s financial, financial, scalability, and efficiency viability.
Stage 2: Defining Requirements — The SDC team will now define the requirements for system design, security, and software development.
Stage 3 – Product Architecture Design – The SDC team will use Software Requirements Specifications (SRS) as a common reference for product architects to ensure that the proper product is created. A multitude of design approaches may be utilized to accomplish proper development. To document this, a Design Document Specification (DDS) record will be prepared.
Building and Developing the Product (Stage 4) – The SDC team will work on code development and generation, as defined in the DDS. This is also the moment when key security elements must be incorporated into the computer code to ensure its security.
Stage 5: Testing the Product — In most SDLC models, testing is done at every stage. This step focuses on repairing errors caused by defects.
Stage 6: Market Deployment and Maintenance – When the project is finished, it is released. Depending on user feedback, the product may be given as-is or with fresh updates for existing consumers.
Techniques of Assurance
Many companies are concerned about the possibility of a data breach in their database, which holds a range of sensitive data. Whether it’s consumer information or commercial secrets, a company must ensure that sensitive data stored in business or government systems is protected (Catterall, 2012). Three software programs are produced by the company. One of the software tools utilized by the HRBP is a desktop management system that allows them to manage the organization’s activities using Workday. The software uses web hosting to connect to a shared database.
The other application is a mobile-based software that managers use to be advised of upcoming deadlines. They may see and mark their plans as complete. Government agencies use another web-based program to keep track of personnel on leave of absence. They can use the app to see which staff are showing up for work. The parts that follow, “Analysis” and “Guidelines,” will go through each program in greater detail, including potential security risks, client impact, software assurance approaches to address any security problems, and the resulting software assurance guidelines.
Given the nature of the business that Workday is attempting to achieve within its market strategy, flexibility must be prioritized as a critical attribute. The main reason for the company’s adaptability is that unforeseen market swings may necessitate an immediate response, and software technology should infuse adaptive responses in the smallest amount of time possible. Many firms that follow the standard SDLC process wind up becoming obsolete, especially when faced with significant market upheavals that necessitate quick and effective adaptation. Structured software development methods such as the Waterfall, which are strongly based on a predetermined sequence, include planning as a key component (Eduard Wonohardjo, 2019). While such approaches accommodate modifications, unexpected and unforeseen implementation shifts, as well as market needs, may trump organized approaches, especially when there is a pressing need. Testing is done as an intermediary between consecutive phases in traditional systems, which follow iterative system development algorithms. As a result, time constraints become a stumbling block to effective development. Iterative procedures that are followed to the letter fail to provide clients with the desired software product on time.
Modern software modeling has strongly interwoven agile programming as its major strategy to development as a result of such components. The main distinction between agile programming methods like SCRUM and traditional programming approaches is flexibility, which is a huge benefit for software development teams on a tight deadline. Non-traditional methods provide a useful foundation for managing software projects with a high rate of nascent element evolution. Such projects would also have notably ambiguous requirements, as the clients for whom the system was built may not fully comprehend the project’s desired goals. Non-traditional ways emphasize not just completing the project without a predetermined requirements list, but also on the understanding that a client’s wants may change at any time. Key aspects of software development and use, such as data integrity and security, are addressed in a progressive manner through consistent trials and testing. To make a more acceptable system, the skeletal prototype is undergoing a number of enhancements and customizations (Hidalgo, 2019). As a result, SCRUM bases its implementation on ongoing engagement with stakeholders in order to adjust the produced system, as well as an incremental approach to meet all of the system’s goals (Hidalgo, 2019). The SCRUM methodology is divided into six key phases, the first of which is the developmental stage. It’s worth noting that the technique incorporates business goals throughout the process and iteratively verifies that they’ve been incorporated into system development. The first phase examines critical areas of the project, including as funding, the project’s goal, and the product backlog. A release plan for the initial project prototype is also given, providing the market with a model for reverting needed adjustments to the development team. The spring review is used to determine the set of changes that need to be incrementally incorporated into the initial release, as well as the product backlog updates that will occur.
Workday has used a variety of programming languages to serve a variety of applications that are critical to organizational processes. One of the main reasons for adopting many programming languages is that the system is linked to three essential integrations that are crucial in defining how security protocols are implemented in the system. The Workday studio is at the center of the three integrations. Third-party entities can utilize this user interface to debug, maintain, and deploy sophisticated integrations within the client environment, such as within an enterprise. The studio is critical to the agile methodology mentioned earlier, especially when the system’s deployment is based on the report compilation process from multiple sources.
The application’s second integration involves the use of cloud infrastructure, which stores data in particular databases. Reports and data on various interactions that can occur within the organization are stored in these databases. The third integration is the implementation of the enterprise Interface builder, which assists the user to perform basic integrations and customize operations to the specific needs of the organizations. Given the complex nature of operations that are catered to for Workday, the programming languages used in its build include Java, Python, and Ruby. With different syntaxes to specify operations, relating heterogeneous systems and integrating such would need the use of Application Programming Interfaces (APIs) to help map complex systems into one seamless overlapping system that provides support to all entities within its implementation. Security APIs would also be deployed for the Workday that infuses elaborate access controls such as the use of public key infrastructure, user authentication, secured communication, and cryptography to ensure confidential organizational information is protected. For the Workday application, Java security API has been used to ensure an underlying security infrastructure is able to withstand breaches into the overall system.
Security in Nontraditional Development Models
TBD
TBD
TBD
References
Catteral, Robert. (Aug 27, 2012). Who’s Doing What in an Organizational Database? Retrieved from http://www.ibmbigdatahub.com/blog/who-s-doing-what-organizational-database
Innovative Achitects. (n.d.). The Seven Phases of the System-Development Life Cycle. Retrieved from https://www.innovativearchitects.com/KnowledgeCenter/basic-IT-systems/systemdevelopment-life-cycle.aspx
McGraw, Gary. (Jan 23rd, 2006). Software Security: Building Security In. Addison-Wesley Professional.
The Workday Tech Strategy eBook.
Zamora, P. M., Kwiatek, M., Bippus, V. N., & Elejalde, E. C. (2019). Increasing Windows security by hardening PC configurations. In EPJ Web of Conferences (Vol. 214, p. 08019). EDP Sciences.
AlRababah, A. A. (2017). A New Model of Information Systems Efficiency based on Key Performance Indicator (KPI). ) International Journal of Advanced Computer Science and Applications, 8(3), 80-83. Retrieved from https://thesai.org/Downloads/Volume8No3/Paper_13-A_New_Model_of_Information_Systems_Efficiency.pdf
B. Chess, G. M. (2004). Static analysis for security. IEEE Security and Privacy, 2(6), 76-79. DOI: 10.1109/MSP.2004.111.
Dragana Velimirović, M. V. (2011). Role and Importance of Key Performance Indicators Management. Serbian Journal of Management, 6(1), 63 – 72. Retrieved from http://www.sjm06.com/SJM%20ISSN1452-4864/6_1_2011_May_1-121/6_1_63-72.pdf
Eduard Wonohardjo, R. S. (2019). A Systematic Review of SCRUM in Software Development. International Journal of Informatics Visualization. Retrieved from http://dx.doi.org/10.30630/joiv.3.2.167
Hidalgo, E. S. (2019). Adapting the Scrum framework for agile project management in science: a case study of a distributed research initiative. Heliyon, 5(3). doi:10.1016/j.heliyon.2019.e01447
Yerukala, M. (2021, August 20). What Is Workday Studio? – An Introduction To Workday Studio. Retrieved from Mind Majix: https://mindmajix.com/workday-studio
