QUAID-E-AWAM UNIVERSITY OF ENGINEERING, SCIENCE & TECHNOLOGY

NAWABSHAH
DEPARTMENT OF CYBER SECURITY
SECURE SOFTWARE DEVELOPMENT
Lab Experiment #01

INTRODUCTION TO SECURE SOFTWARE DEVELOPMENT (SSD)

What Is the Secure Software Development Life Cycle (SSDLC)?

The secure software development life cycle is a step-by-step procedure to develop software with several
objectives, including:

• Scalably streamlining the product/software pipeline and

• Optimizing the design, deployment, and maintenance of said software.

Although the SDLC might seem like a magic sauce to an organization's project management timeline, it
does not work well when there is uncertainty about the expectations and vision of the software project.

More importantly, SDLC does not enable team members to add creative inputs, as the entire life cycle is rooted in
the planning phase.

Engr. Muhammad Umar

Lab Experiment #01 Page 1 of 2

 How Do You Make an SDLC Secure?
You can make a SDLC more secure by adding extra security measures to the existing groundwork of
your SDLC development process.
For example, a tech leader could write, draft, and enforce security requirements alongside the collection of
functional requirements in the SDLC.
And during the architecture and design phase, you can perform a risk analysis to target specific vulnerabilities.
A variety of secure software development life cycle models have been proposed and effectively enforced in
modern development frameworks.
Here are a few of them:
• NIST 800-64: Developed by the National Institutes of Standards and Technology, the guidelines provide security
considerations and parameters within the SDLC to be observed by U.S. federal agencies.
• MS Security Development Lifecycle (MS SDL): Proposed by Microsoft in association with the phases of a
classic SDLC, the MS SDL is one of the first of its kind and provides dependable security considerations that
work for most modern development pipelines.
• OWASP CLASP (Comprehensive, Lightweight Application Security Process): Based on the MS SDL,
OWASP is very easy to integrate into your existing software architecture plan. It maps security activities to roles
in an organization.

In software testing the main terms are:

• Error: A human action that produces an incorrect result. The mistakes made by programmer is knowns as an
‘Error’. This could happen because of the following reasons: some confusion in understanding the requirement
of the software; some miscalculation of the values; or/and misinterpretation of any value, etc.
Example
1. We can’t compile or run a program due to coding mistake in a program. If a developer unable to
successfully compile or run a program then they call it as an error.

2. Let’s say a dev has typed an incorrect variable name or mistaken a design notation. The result will be
inconsistencies (incorrect login, syntax, or logic) in code leading to an error. Needless to say, inconsistent
code leads to undesirable or non-existent functioning of the software itself.

• Fault: A manifestation of an 'Error' in software. Faults are also known colloquially as defaults or bugs.
• Defect: The departure of a quality characteristic from its specified value that results in a product not satisfying
its normal usage requirements. The 'Error' introduced by programmer inside the code are known as a 'Defect'.
This can happen because of some programatical 'Error'.
• Failure: Failure is a deviation of the software from its intended purpose. If under certain circumstances these
'Defects' get executed by the tester during the testing then it results into the 'Failure' which is known as software
'Failure'.
• Bug: A bug is the result of a coding error. An Error found in the development environment before the product
is shipped to the customer. A programming error that causes a program to work poorly, produce incorrect results
or crash. An error in software or hardware that causes a program to malfunction. A bug is the terminology of
Tester.
Example
Let’s say that an eCommerce website has an Add to Cart button – as it is supposed to, However, when clicked,
the button opens a window leading back to the product catalog, rather than the payment page as it should. This
unpredictable and irrational behavior is a bug that needs to be fixed.

Engr. Muhammad Umar

Lab Experiment #01 Page 2 of 2

Threat:

A cyber threat is a malicious act that seeks to steal or damage data or discompose the digital network or system.
Threats can also be defined as the possibility of a successful cyber attack to get access to the sensitive data of a
system unethically. Examples of threats include computer viruses, Denial of Service (DoS) attacks, data
breaches, and even sometimes dishonest employees

Vulnerability:

In cybersecurity, a vulnerability is a flaw in a system’s design, security procedures, internal controls, etc., that
can be exploited by cybercriminals. In some very rare cases, cyber vulnerabilities are created as a result of
cyberattacks, not because of network misconfigurations. Even it can be caused if any employee anyhow
downloads a virus or a social engineering attack.

Risk:

Cyber risk is a potential consequence of the loss or damage of assets or data caused by a cyber threat.
Risk can never be completely removed, but it can be managed to a level that satisfies an organization’s tolerance
for risk. So, our target is not to have a risk-free system, but to keep the risk as low as possible.
Cyber risks can be defined with this simple formula- Risk = Threat + Vulnerability. Cyber risks are generally
determined by examining the threat actor and type of vulnerabilities that the system has.

Exercise 1

Answer the questions

1. A software bug is an?

The process of finding and fixing bugs is termed exception handling? t/f
2. In software testing, the bug can occur for the?
An impersonation of an authorized user is an example of threat? t/f

Engr. Muhammad Umar

Lab Experiment #01 Page 3 of 2

 3. The records of each patient that is receiving or has received treatment resembles which security concept ?
A. Assets
B. Threats
C. Vulnerability
D. Controls

4. Which of following is not a protection system ?

A. System to stop a train if it passes a red light.

B. System to indicate not returning of library book.
C. System to shut down a reactor if temperature/pressure are too high.
D. None of the mentioned.

5. “Consider a system where, a heat sensor detects an intrusion and alerts the security company.” What kind of
a requirement the system is providing ?

A. Functional
B. Non-Functional
C. Known Requirement
D. None of the mentioned

6. Choose the incorrect statement with respect to Non-Functional Requirement (NFR).

A. Product-oriented Approach – Focus on system (or software) quality

B. Process-oriented Approach – Focus on how NFRs can be used in the design process
C. Quantitative Approach – Find measurable scales for the functionality attributes
D. Qualitative Approach – Study various relationships between quality goals

7. Mention some NFRs of any system?

Exercise 2

Identify from following statements whether its bug or error?

• If the end user clicks the “Save” button, but their entered data isn’t saved? Bug

• A Login button doesn’t allow users to login, an Add to cart button that doesn’t update the cart, a search box
not responding to a user’s query, etc.

• A developer may misunderstand a de-sign notation, or a programmer might type a variable name incorrectly
which may leads to -----

• Entering a significantly larger or a smaller number or entering an input value of an undefined data type. These
-------------------------------------- often pop up in form validations during functional testing of web or mobile
apps.

• if you sell a $4 coffee to a customer and they go to pay for it and the price displays as "$4", there's a flaw in
the software that gives an unexpected result.
Engr. Muhammad Umar

Lab Experiment #01 Page 4 of 2

Students Names: Jahanzeb

Students Roll no #: 22 CYS 07

Date: 22-10-2024

Subject Teacher
Remarks

Engr. Muhammad Umar

Lab Experiment #01 Page 5 of 2