Risk Analysis in Software Design

Software design is an important phase of the development life cycle. If risk is kept in mind during this phase, our design will be secure and robust, with 99.9% uptime; if we leave risk out of consideration, an intruder may get access to private data, and we may face legal penalties and the loss of clients. In a web application, security should be present in each layer.

In an “N”-tier architecture, security should be present in all “N” tiers. Clients interact with the application through a virtual directory on the web server. Port 80 is the default port and the most targeted for access, so other ports are used to keep the application secure. Stored procedures should be used to prevent a thief from getting access to our DB.

Risk analysis starts during the first phase of the software development life cycle, i.e. the requirements phase. Risk analysis is a business decision: it can keep our business running, or it can make the business fail. Risk is present in every business, so it should be controlled and minimized.

Cigital’s Approach

  1. Understand the Business:

Risks to the business should be addressed and discussed with the stockholders during the business initiation process. There are factors that can work against you, for example legislative requirements and ethics: a business that is ethical to run in some countries is illegal in others because of many factors, such as culture or religion. The government's legislative authority, which is the mother of all security concerns, should be kept in mind.

  2. Technical Risks:

Technical risks may involve issues in the design; for example, if stored procedures are not used, users' personal information may be compromised. These risks should be addressed by the technical team, and reports should be sent to the stockholders for a solution.

  3. Measure and Report:

After proper analysis of the business risk and discussion with domain experts, risk reports should be prepared for top management's attention.

  4. Process Improvement:

Risk should be mitigated; we cannot eliminate all risks at once. It is a continuous process, so continuous risk elimination is very important for the success of the business. This process should improve over time: for example, going from one failover server for support in case a server goes down to “N” failover servers over “N” time for “N” clients is continuous process improvement. The process should provide assurance, and we should judge its weaknesses and strengths during the improvement process.

Application security should be tested.

  1. Cross-site scripting testing for cross-site scripting (XSS) attacks.
  2. SQL injection testing for SQL injection attacks.

Session management testing and the like are further examples of security testing. If these factors are tested properly, we can confidently say that our product is safe and secure, and we can earn the trust of the majority of clients. A security policy should be established in the organization, including access control for employees, for example which resources should be accessible to which employees. Last but not least, we can say that implementing security in the design is a matter of bread and butter for a businessman.
