NORMA eResearch @NCI Library

Gaps and Improvements in Secure Development – In Practice

Hussain, Nassir (2021) Gaps and Improvements in Secure Development – In Practice. Masters thesis, Dublin, National College of Ireland.

Files: PDF (Master of Science), 1MB
Files: PDF (Configuration manual), 414kB

Abstract

Organisations understand that cybersecurity is a critical issue to address in order to protect their interests. Data breaches, data leaks and hacks are the events that threaten most organisations, and there are challenges in addressing these issues. Modern Software Development Lifecycles (SDLCs) emphasise developing code and getting it deployed to production for business needs, and place little emphasis or importance on the security aspect of the SDLC. Agile and DevOps teams may or may not address security issues as part of their SDLC. In this research proposal, I outline the importance of embedding a software security champion into the SDLC, and the criticality of a security-led SDLC in which security is embedded into whichever flavour of SDLC is chosen. Including the security champion in the SDLC will help bridge contextual gaps in security frameworks such as OWASP and SSDF.

The literature and underlying research highlight gaps between the practical implementation and the theoretical understanding of secure coding. What does this mean? It means that context plays a huge role in the security-driven concerns within an organisation. The research looks at the implementation of a specific security toolkit for an organisation using .Net web applications. Context is important because it covers architecture, software patterns, software configuration and an understanding of the software implementation. Practical secure development is difficult because it requires understanding across the tenets of software programming, architecture and security practice. While the artefact developed is designed to address security risks in the continuous integration / continuous deployment (CI/CD) pipeline, it can be used as a standalone tool should this be required; however, this is less effective because it may not be integrated into the software development life cycle (SDLC). The security toolkit (a CLI tool) addresses Content Security Policy, X-Frame-Options, X-Content-Type-Options and X-XSS-Protection. The CLI is built using C# on the .Net Core framework and allows security issues to be addressed as part of the SDLC. Automating the fixes and building them into the SDLC will save cost and will not require a penetration test and subsequent remediation to fix the issues.

Item Type: Thesis (Masters)
Uncontrolled Keywords: Cyber; cybersecurity; programming; Agile; DevOps; OWASP; SSDF
Subjects: Q Science > QA Mathematics > Electronic computers. Computer science
T Technology > T Technology (General) > Information Technology > Electronic computers. Computer science
Q Science > QA Mathematics > Computer software > Computer Security
T Technology > T Technology (General) > Information Technology > Computer software > Computer Security
Divisions: School of Computing > Master of Science in Cyber Security
Depositing User: Clara Chan
Date Deposited: 19 Oct 2021 15:09
Last Modified: 19 Oct 2021 15:09
URI: https://norma.ncirl.ie/id/eprint/5110
