Genuine Program Success TM
Costs of Security in a COTS-Based Software System
Arlene Minkiewicz, Chief Scientist, PRICE Systems, L.L.C.
arlene.minkiewicz@pricesystems.com
October 2004

Slide 2: Conclusion
- COTS solutions can save time and money in the development and life-cycle phases of a software product.
- Security requirements on a software system may impact the cost/benefit analysis when building a COTS-based software system.
- Understanding the issues associated with COTS systems and their security implications is crucial to successful deployment of COTS-based software systems.

Slide 3: Cost of Security in a COTS-Based Software System
- The Problem
- Solution Methodology
- Security Issues
- Six Steps to a Successful COTS Implementation
- Adding security to the six steps
- Conclusions

Slide 4: The Problem
- COTS: not always the low-cost solution
- Adding security constraints to a software system will change the factors required in a cost/benefit analysis comparing COTS solutions with home-grown solutions
- Need to understand all of the activities associated with a COTS-based solution in order to properly assess its cost
- Need to understand the impact of security constraints on the costs of these activities

Slide 5: Solution Methodology
- Understand and bound the problem
- Understand the process of incorporating COTS and identify the activities associated with this process
- Identify the factors that drive costs for these activities
- Identify the impact of security constraints on the costs of these activities
- Construct a mathematical model to determine cost from these cost drivers
- Test the mathematical model against real data and refine the model

Slide 6: Bounding the Problem
- Extended definition of COTS product (from USC CSE) to include modifications
  - Commercially available software product: sold, leased or licensed
  - Source code sometimes unavailable
  - Periodic releases with new features, upgrades for technology, etc.
  - Modifications to software
- Focus is on COTS products being embedded in new software systems
- Additional focus is on those systems with security constraints
- Security constraints are defined as acceptance criteria related to Evaluation Assurance Levels as outlined in the Common Criteria for IT Security Evaluations

Slide 7: Security Requirements Present in Two Forms
- Additional functional requirements related specifically to security features
  - Encryption algorithms
  - Password protection
  - Remote access security strategies
- Additional levels of qualification and testing to ensure that the software does not allow security breaches into the system on which it operates
  - Backdoors
  - Buffer overflows
  - Other defects that allow access to hackers
  - Patches that can be reverse engineered to find weaknesses

Slide 8: Cost Impacts of Security Requirements
- Additional functional requirements related to security increase the total functional size of the software (SLOC, Function Points, etc.)
- Impact of assurance requirements on cost is a function of:
  - COTS selection strategy
  - Process maturity of the organization delivering the solution
  - Focus of the process model on security
  - Expertise of personnel relating to secure software development and good software engineering practices

Slide 9: COTS Selection Strategy
- Once a decision has been made to incorporate COTS components into a system with security constraints, the integrator needs to choose a strategy
- Buy and wrap
  - Select components that best meet overall functional requirements
  - Develop a wrapper with glue code that encapsulates the COTS components, ensuring that security requirements are met
- Buy pre-certified components
  - Only evaluate COTS components with vendor certification at the required Evaluation Assurance Level
- Buy and certify internally
  - Select components that best meet overall functional requirements, with vendor assurance that they comply with security requirements
  - Perform the necessary certifications internally

Slide 10: Process Maturity of Organization
- Biggest area for security concerns is the quality of the software
- Organizations with a good software process model firmly established build higher quality software
- Processes focused on security get the best results
  - Cleanroom
  - Formal mathematical methods
- Good processes in general still have substantial impact
  - CMI
  - PSP/TSP
- Good software development practices can substantially reduce the impact of security certification requirements, because most security threats arise from the presence of defects in design and implementation

Slide 11: Expertise of Personnel
- Security assurance requirements are most likely to be met if security is designed into the software from the beginning
- Personnel with training and/or experience in the development of secure software systems understand this
- Personnel with training and/or experience in good software development practices understand the importance of building quality into the process from the beginning

Slide 12: Six Steps to a Successful COTS Implementation
- Analyze Software Requirements
- Evaluate and Select COTS Solution(s)
- Negotiate Terms with the COTS Vendors
- Implement COTS-Based Solution
  - Tailoring
  - Modifications (not good, but sometimes deemed necessary)
  - Develop glue code
  - Integration with other COTS components or homegrown components
- Maintain License, Subscription and Royalty Fees
- Maintain and Upgrade COTS-Based Solutions

Slide 13: Analyze Software Requirements
- Necessary whether software is being built or bought
- In fact, part of the requirements discussion should be whether building or buying makes sense
- Selection criteria should relate back to requirements
- Care should be taken to identify where there is flexibility, as no COTS solution will meet all software requirements completely
- COTS selection strategy is decided during requirements analysis
- Care should be taken to understand process maturity and personnel expertise with respect to secure software development when selecting the best strategy for success

Slide 14: Identify, Evaluate, and Select
- Identify solutions that satisfy product, vendor and security requirements
- Techniques for evaluation include
  - Progressive filtering
  - Puzzle approach
  - Keystone components
- COTS selection strategy is a key factor in this activity
  - Buy and wrap: not an issue
  - Buy pre-certified or buy and certify: clearly will impact the evaluation process

Slide 15: Negotiate Terms with COTS Vendors
- Understand that vendor cooperation and candor are at their best during the negotiation phase
- Address and resolve missing or inadequate functionality and known bugs before signing
- Establish expectations for responsiveness to issues identified once the integration effort has begun
- Develop a clear picture of the recurring and non-recurring costs of the system being developed
- Security issues impact negotiations and costs
  - Pre-certified components bear the cost of certification and re-certification; understand how that impacts costs
  - If components are to be certified by the integrating organization, be sure to include provisions in the negotiations in the event certification fails to meet promised certification levels

Slide 16: Implement the COTS-Based Solution
- Tailoring includes non-development activities that must be applied to the COTS components to meet system requirements
- Modifications sometimes occur
  - Need to understand the impact on cost and the crossover point where modified COTS costs more than home-grown solutions
  - Buy and wrap COTS: security is not an issue, as the wrapper will encapsulate the modified component
  - Modifications would require complete re-certification if the component is certified by the vendor or the purchaser

Slide 17: Implement COTS-Based Solutions
- Glue code is code developed to hold all of the components of the system together
  - The wrapper would be considered part of the glue code
  - Costs for glue code development would be impacted by security requirements
  - Good processes, training and expertise would mitigate this cost impact
- System-level integration and test ensure that all of the components work together to meet requirements
  - Part of integration and test would be verifications that the total system meets all certification requirements
  - Costs would be impacted by security requirements
  - Good processes, training and expertise would mitigate this cost impact

Slide 18: Maintain License, Subscription and Royalty Fees
- Important to perform a long-term analysis to understand the long-term external costs of implementing a COTS-based solution
- Initial negotiations should be used to ensure that the certified or promised level of security is maintained with upgrades
- The renewal period is a good opportunity to revisit the terms of agreements to determine whether the vendor is meeting support and upgrade commitments

Slide 19: Maintenance and Upgrade of COTS Solutions
- Evaluation and possible inclusion of updates and upgrades
  - Perform evaluation to determine whether the upgrade improves the software system
  - Re-perform internal certifications
  - Modifications to wrapper code if necessary to accommodate new interfaces
  - Costs for glue code modifications and integration and test will be impacted by security constraints
  - Good processes, training and experience will mitigate security cost impacts
- Fix bugs
  - In glue code, in modifications, or to compensate for COTS bugs not fixed by the vendor
  - Costs impacted by security constraints
  - Reintegration necessary
  - Good processes, training and experience will mitigate security cost impacts

Slide 20: Conclusion
Six Steps to a Successful COTS Implementation
- Analyze Software Requirements
- Evaluate and Select COTS Solution(s)
- Negotiate Terms with the COTS Vendors
- Implement COTS-Based Solution
  - Tailoring
  - Modifications (not good, but sometimes deemed necessary)
  - Develop glue code
  - Integration with other COTS components or homegrown components
- Maintain License, Subscription and Royalty Fees
- Maintain and Upgrade COTS-Based Solutions

Slide 21: Conclusion
- COTS solutions can save time and money in the development and life-cycle