Student Guide and Problem Statement

Secure Software Development: Software Engineering
Problem Statement & Student Guide
Version 2: 17-Nov-2015
Scenario Part 1
You are a lead security consultant in EdgeWise Mobile International, a large telecommunications enterprise with markets in the UK, Europe, America and the Far East, which currently employs 120,000 people globally. Your team has approximately 70 security consultants globally, supported by additional security subject matter experts who specialise in Cryptography, Security Engineering, Security Architecture, and Governance and Risk. The firm is organised into four main lines of business:
• Retail in store
• Telephone sales (customer services)
• Wholesale
• Digital (internet).
Supporting each line of business there are operational teams that cover the following areas:
• Marketing and Branding
• Accounts (customer billing)
• Finance (accounts)
• Legal
• Fraud
• Regulatory compliance
• Business Information Systems (BIS)
• Information Technology (IT Support)
• Telecommunication Engineering
• Information Security (the team you work in).
The firm currently has over 200 million customers who use the company mainly for the
provision of mobile phone handsets and their associated pay as you go and monthly contract
SIM card packages.
Recently the firm has recruited a new chief operating officer (Lewis Pinstripe), who is in charge of the strategic business operating model and product lines. Despite the firm's relative success within the traditional mobile telecommunications sector, it currently has 16% of the global market and requires its share price to increase from 300p per share to 400p per share over the next 3 years. Lewis has been informed by executive colleagues that they need to increase their market share from 16% to 22% within the next 2 years in order to be on target.
Lewis has therefore recently decided that the firm needs to embark on an ambitious programme to expand its digital and wholesale channels. His marketing department has decided that the digital channel needs to include the following high-level customer services, so that EdgeWise Mobile can gain a competitive advantage and entice new customers:
• Mobile applications to support customer account enquiry.
• Mobile applications to support sales of products.
• Mobile applications to recruit and drive the firm's brand into new markets, such as:
  o Location services,
  o Payment services (peer-to-peer payments),
  o Entertainment (music and video streaming services).
As is usual, Lewis has delegated the programme of work to the Business Information Systems
team to operate the project management office (PMO) for the delivery of the project within
defined strategic phases.
The annual budget for the project is set at 50,000,000 GBP.
As one of the lead security consultants for the firm, it is your role to assist the programme
management in the identification of security tasks, general advice and guidance, standards
adherence (compliance with the firm’s security standards – which are based on the ISO
27001:2013 Annex A controls), as well as appropriate risk identification and acceptance in
accordance with the firm’s Information Security Management System (ISMS) that is also based
upon ISO27001, but as yet is not fully audited to be compliant.
The project team that has been assembled includes the following people:
• Business Analysts.
• Solution Architects.
• Infrastructure Architects.
• Software Developers.
• Test Teams.
• Representatives from key business teams (stakeholders):
  o Marketing.
  o Fraud.
  o Legal.
  o Regulatory compliance.
So far the programme has very little in terms of direction. However, Lewis (who is from a software development background) has stated that the firm's usual method of software development, which is based on the Software/Systems Development Life Cycle (SDLC), is too verbose and bureaucratic; consequently the programme has been charged not only with developing and delivering the new products, but also with developing a new governance process that will allow the programme to meet its high-level business requirements quickly and safely, with minimal risk to the business.
The project management has decided that the first year of the programme will focus on the following deliveries:
• Quarter 1 – construct the new governance model.
• Quarter 2 – develop the designs for a new software product to be platformed on Android, iOS, Windows Mobile and Blackberry (RIM) operating systems.
• Quarter 3 – develop the customer support tools.
• Quarter 4 – launch the product to staff.
The second year will refocus the project on the release of the core mobile application to the customer base, ensuring that iterative software releases include new and exciting features that realise Lewis' vision for the selling of location, payment and entertainment services.
The final steer from Lewis is that customer registration with the new mobile applications must be as mobile as possible, allowing customers to see an advert in the street, decide there and then that they would like to be registered to participate in the service, and register to receive services without the need to answer post-delivered mailer responses.
• The registration process must cater for existing customers of the firm; and
• It must also be able to expand to extend to other customers of other mobile phone company networks.
One month into the development programme at EdgeWise Telecommunications Plc, it is widely recognised that 2 years is actually a very tight timeline in which to deliver the programme, and much emphasis has been placed by the senior stakeholders within the business on the programme delivering prototypes and methodologies within the first year. The PMO, which is panicked and is escalating all teams to mobilise dedicated resources, has therefore decided that delivery milestones for software prototypes shall be based on a 30-day cycle.
They have a working prototype for a web service that will broker mobile client requests, and a mobile application.
Learning Outcomes
The following technical learning outcomes are assessed in this scenario. On completion of the
scenario, students will be able to:
1. Explain the differences between RAD and SDLC.
2. Articulate the key risks involved in rapid development life cycles, and prescribe methods for mitigating them.
3. Justify an approach for integrating security audit into the development of software Apps and the tasks that will be undertaken by the security team.
4. Undertake a threat analysis against a mobile software app, and identify controls that would mitigate the threats.
5. Identify a way in which the customer can register their mobile device with the service securely to mitigate against the threat of malware and social engineering.
6. Explain good practice in securing software and have an awareness of relevant standards and codes of practice.
Your Task
Security is important to the telecommunications company, as it does suffer from customer fraud and has regulatory requirements to adhere to. Traditionally, the business has been guided by the ISMS process, which is closely aligned to the SDLC, and as such the security team is understood to be a key stakeholder whose buy-in the project must gain before any product line can be a success.
As such the project is looking to you to provide them with guidance on:
• The customer registration process
• The overall development of the products
• The governance model
  o Most large enterprises have a governance framework in which they operate, for example one based on the SDLC; however, there are others that provide for agile working. Governance models are closely coupled to project management life cycles and normally involve mandatory 'gates' through which the project must pass before it is allowed to proceed. For example, no system should be allowed to go into production without a service code, risk assessment, operating model and penetration test – the release cycle for systems requires projects to evidence that they have these artefacts.
• The risk management process.
Deliverables
1. Provide an executive summary that identifies the key risks involved in rapid development life cycles, and prescribes methods for mitigating the risks (300 words).
2. Provide a consultancy report that identifies the Information Security team's preferred method for software development, identifies the phases for each delivery, and the tasks that will be undertaken by the security team at each phase (1500 words).
3. Undertake a threat analysis against the proposed products, and identify controls that would mitigate the threats (1500 words).
4. Identify a way in which the customer can register their mobile device with the service securely to mitigate against the threat of malware and social engineering (1500 words).
Scenario Part 2: Infrastructure
During the development of the EdgeWise Telecommunications Mobile Application, the programme team has identified a new hardware-based appliance that will undertake TLS deep packet inspection of TCP packets containing XML and SOAP messaging, so that it can check the digital signatures of messages signed with WS-Security signatures and also undertake malware detection. As such there will be a requirement to store high-value cryptographic keys (i.e. the keys used for decryption of all TLS-encrypted flows at layer 4 ingress and egress, and also those used to digitally sign messages at layer 7). The device must support TLS mutual authentication.
The device will be deployed within the firm's DMZ. The DMZ has zones dedicated to:
• Management and monitoring – where SNMP managers and other management and monitoring software are located.
• Presentation layers – where customer-accessible web forms are located.
• Application layers – where the application containing the core business logic is located.
• Storage layers – where the database is located.
Before the product can be used, the programme team must make arrangements for the product to be added to EdgeWise Telecommunications Plc's approved products list.
Your Task
Develop a baseline standard that the product must conform to (1500 words):
1. Identify the industry standards and certifications to which you would expect a product
such as this to conform.
2. Identify the security requirements that you would expect this device to meet:
a) Event logging
b) Authentication
c) Crypto key storage (HSMs).
3. Provide an overview of TLS in mutual authentication mode, and identify the benefits of standardising on a single set of PKI providers – what policies relating to mutual authentication must the enterprise adopt?
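As an added illustration for task 3 and for the mutual-authentication requirement placed on the appliance above (this is not part of the student guide, and not code from EdgeWise or any product), the following Go program uses only the standard library to stand up a loopback TLS server in mutual authentication mode and exercise three clients: one holding a certificate from the enterprise's approved CA, one holding a certificate with the same name issued by an unapproved CA, and one with no certificate at all. The CA hierarchy, every name (edgewise-root-ca, dmz-appliance.constructed.example, edgewise-client, unapproved-ca) and the helper functions issue, connect and Demo are constructed for this example; the keys live in process memory only as a stand-in for the HSM-held keys the appliance would use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // setup failure: key generation, certificate creation or listen
	}
}

// issue creates a certificate for cn with a fresh in-memory key (a stand-in for an
// HSM-held key): a self-signed CA when issuer is nil, otherwise one signed by issuer.
func issue(cn string, issuer *tls.Certificate) *tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo-only serial
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn}, // the client verifies the server by this SAN
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  issuer == nil,
	}
	parent, signer := tmpl, any(key) // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.Leaf, issuer.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// connect runs one handshake against a loopback server that requires a client certificate
// chained to trustedCA and replies with the CN it verified. A rejected client gets an error
// from Dial or from the first read (under TLS 1.3 the server's alert arrives after Dial).
func connect(server, trustedCA, clientCert *tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{*server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // mutual TLS: anonymous clients refused
		ClientCAs:    pool,                           // the single approved PKI provider
		MinVersion:   tls.VersionTLS12,
	})
	check(err)
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		if tc := conn.(*tls.Conn); tc.Handshake() == nil { // fails unless the client cert chains to ClientCAs
			fmt.Fprint(conn, tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
		}
	}()
	clientCfg := &tls.Config{RootCAs: pool, ServerName: server.Leaf.Subject.CommonName, MinVersion: tls.VersionTLS12}
	if clientCert != nil { // offered unconditionally so that the server's policy is what decides
		clientCfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return clientCert, nil }
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	reply, err := io.ReadAll(conn)
	return string(reply), err
}

// Demo builds a constructed approved CA, the appliance's server identity, an approved
// client and a client from an unapproved CA, and reports what the server accepted.
func Demo() (approvedCN string, rogueRejected, anonRejected bool, err error) {
	ca := issue("edgewise-root-ca", nil)
	server := issue("dmz-appliance.constructed.example", ca)
	rogue := issue("edgewise-client", issue("unapproved-ca", nil)) // same name, wrong issuer
	if approvedCN, err = connect(server, ca, issue("edgewise-client", ca)); err != nil {
		return
	}
	_, rogueErr := connect(server, ca, rogue)
	_, anonErr := connect(server, ca, nil)
	return approvedCN, rogueErr != nil, anonErr != nil, nil
}

func main() {
	cn, rogue, anon, err := Demo()
	check(err)
	fmt.Printf("verified client %q; unapproved CA rejected: %v; no certificate rejected: %v\n", cn, rogue, anon)
}
```

Run with go run: the server accepts only the first client and identifies it by the CN of the verified certificate. This is the policy point behind standardising on a single set of PKI providers: the ClientCAs pool is the enterprise's list of approved issuers, and a certificate that is otherwise well-formed but chains to any other CA is refused during the handshake, before a single byte of application data is exchanged.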
Reflection on Learning
At the end of the scenario it is also important that you reflect on your learning and team working, and identify what worked well, what didn't, and actions for future improvement.
The Consulting Process
One of the benefits of Problem-based Learning is that you learn professional skills as well as technical knowledge. The process we ask you to follow to explore and provide solutions to the problem also mirrors that used in consultancy.
In order to assist you with the process, the following table shows the activities we would expect you to complete in your PBL team. You should read this carefully and make sure you are familiar with both the generic activities (what PBL normally includes) and the specific ones (what you will be doing at each stage).
Steps 1 & 2 will be conducted in the first PBL tutorial.
Steps 3 a) and b) comprise your individual research and summarising your learning.
Step 3 c) takes place as a sharing and teaching session at the next tutorial. This process of sharing and teaching others is extremely beneficial to your own learning.
Steps 4, 5 and 6 consist of team work and, whilst they are logically distinct, they may take place at the same meeting as stage 3 c), depending on the schedule of meetings.
Step 7: in this scenario you will not be implementing a solution, so step 7 is not undertaken.
Step 8 should be completed at the end of the scenario, both individually and as a team, to identify what you've learned and how you can improve your learning and team performance in future. Your tutor/facilitator will discuss it with you.
The CSKE Consulting/Learning Model

Step 1 – Understanding organizational history and context
  What PBL normally includes: Scenario analysis. Socio-technical organizational analysis. Clarification of ambiguities.
  What you will be doing at this stage:
    a) Individual and team review of scenario text and video resources.
    b) Team discussion.
    c) Clarification of ambiguities with tutor/facilitator.

Step 2 – Determining the problem to be resolved
  What PBL normally includes: Requirements analysis: identify key issues. Simulated consultation with stakeholders (e.g. through role-play and/or online interaction). Reviewing technology/processes in use. Identifying learning goals. Facilitator guidance.
  What you will be doing at this stage:
    a) Team review of scenario: identifying key issues.
    b) Identifying learning goals.
    c) Team publish action list & summary in forum.

Step 3 – Identifying/learning necessary knowledge
  What PBL normally includes: Individual research & learning to resolve knowledge gaps. Summarising & reflection. Teams share learning.
  What you will be doing at this stage:
    a) Individual research & learning to resolve knowledge gaps.
    b) Individually creating a summary of learning and how it applies to the scenario.
    c) Team sharing learning/teaching each other.

Step 4 – Identifying alternative solutions
  What PBL normally includes: Determining and agreeing evaluation criteria and process. Identifying technical possibilities, considering acceptance issues and organizational fit. Facilitator guidance.
  What you will be doing at this stage:
    a) Determining evaluation criteria through team discussion.
    b) Team identification of options considering acceptance issues and organizational fit.
    c) Facilitator guidance.

Step 5 – Choosing optimal solution
  What PBL normally includes: Deciding on best technical, organizational and social outcomes. Proposing solution with justification.
  What you will be doing at this stage:
    a) Team decision and justification.
    b) Presentation to tutor in role of main stakeholders.

Step 6 – Planning the implementation
  What PBL normally includes: Applying planning and scheduling techniques. Proposing plan and deadlines.
  What you will be doing at this stage:
    a) Review scenario text and resources.
    b) Produce report identifying the phases for each delivery, and the tasks that will be undertaken by the security team at each phase.

Step 7 – Implementation
  What PBL normally includes: Building the solution (if appropriate). Deploying the solution (if appropriate).
  What you will be doing at this stage: not undertaken in this scenario.

Step 8 – Final evaluation
  What PBL normally includes: Formal evaluation methods re project success. Personal reflection and evaluation.
  What you will be doing at this stage:
    a) Team evaluation of performance and project success.
    b) Individual reflection on personal learning & development.
Resources:
Aizuddin, A. (2001) The Common Criteria ISO/IEC 15408 – The insight, some thoughts, questions and issues. SANS Institute. Available online at: http://www.sans.org/readingroom/whitepapers/standards/common-criteria-iso-iec-15408-insight-thoughts-questionsissues-545
  This paper provides an overview of an international effort called Common Criteria (CC), an IT security evaluation methodology developed to define and facilitate consistent evaluations of security products and systems, fostering international recognition and trust in the quality of security products and systems. You need to be aware of the Common Criteria.
Anderson, R. (2008) Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd Edition, Wiley: http://www.cl.cam.ac.uk/~rja14/book.html
  An updated (and expanded) version of the 2001 book, widely acclaimed as an in-depth treatment of taking a holistic approach to building secure systems. A brief video from Eurocrypt 2008 introduces it: https://www.youtube.com/v/jU4QHfi6E3w
Axelrod, C. W. (2012) Engineering Safe and Secure Software Systems, Artech House.
  Engineering Safe and Secure Software Systems gives readers conceptual explanations of the differences between security and safety; ways to integrate the two concepts into the information systems life cycle; technology solutions; and detailed, in-depth case studies. The book also analyzes current practices for security and safety regarding appropriate maturity. It has a comprehensive view and analysis of the management and technology solutions that companies require.
Ben Othmane, L., Angin, P., Weffers, H. and Bhargava, B. (2014) Extending the Agile Development Process to Develop Acceptably Secure Software, IEEE Transactions on Dependable and Secure Computing, 11(6), pp. 497-509.
  This article focuses on:
  1) A proposal of a security assurance method for incremental software development.
  2) Attempts to combine security engineering into agile software development during the development phase to create "real-life" secure software.
  3) The efficiency of the proposed security approach in agile development.
Bruno, L. (2012) The Security Development Lifecycle. Available online at: http://social.technet.microsoft.com/wiki/contents/articles/7100.the-security-developmentlifecycle.aspx
  This TechNet article explains the Microsoft Security Development Lifecycle (SDL), which is a software development process that helps developers build more secure software and address security compliance requirements while reducing development cost. "The process encompasses the addition of a series of security-focused activities and deliverables to each of the phases of Microsoft's software development process. These activities and deliverables include the development of threat models during software design, the use of static analysis code-scanning tools during implementation and the conduct of code reviews and security testing during a focused security push."
Busch, M., Koch, N. and Wirsing, M. (2014) Evaluation of Engineering Approaches in the Secure Software Development Life Cycle, Lecture Notes in Computer Science, Volume 8431, pp. 234-265.
  The abstract states: "Our evaluation approach, called SecEval, supports the search and comparison of these artifacts. SecEval comprises: (1) a workflow that defines the evaluation process, which can be easily customized and extended; (2) a security context model describing security features, methods, notations and tools; (3) a data collection model, which records how data is gathered when researchers or practitioners are looking for artifacts that solve a specific problem; (4) a data analysis model specifying how analysis, using previously collected data, is performed; and (5) the possibility to easily extend the models, which is exemplarily shown for risk rating and experimental approaches. The validation of SecEval was performed for tools in the web testing domain."
CERT Secure Coding Resources, https://www.cert.org/secure-coding/
  CMU's CERT division provides significant input on secure coding which you should be aware of. The CERT Division has been extremely successful in the development of secure coding standards, which have been adopted at corporate level by companies such as Cisco and Oracle, and in the development of the Source Code Analysis Laboratory (SCALe), which supports conformance testing of systems against these coding standards.
Common Criteria (2012), available at: https://www.commoncriteriaportal.org/cc/
  The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. It comprises three parts. Part 1, Introduction and General Model, defines general concepts and principles of IT security evaluation. Part 2, Security Functional Requirements, establishes a set of security functional components as a standard way of expressing the security requirements for IT products and systems. Part 3, Security Assurance Requirements, establishes a catalogue of assurance components that can be used as a standard way of expressing the assurance requirements for IT products and systems. The CC should be used to produce deliverables to meet the (CC) requirements.
ISO/IEC 15408-1:2009 Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 1, Part 2, Part 3. Available from: http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
  The ISO standards from the Common Criteria.
Kissel, R. et al. (2008) Security Considerations in the System Development Life Cycle, NIST SP 800-64 Rev. 2. NIST. Available online: http://csrc.nist.gov/publications/nistpubs/800-64Rev2/SP800-64-Revision2.pdf
  NIST provides authoritative publications. SP 800-64 focuses on the information security components of the SDLC. First, descriptions of the key security roles and responsibilities that are needed in most information system developments are provided. Second, sufficient information about the SDLC is provided to allow a person who is unfamiliar with the SDLC process to understand the relationship between information security and the SDLC. This document integrates the security steps into the linear, sequential (a.k.a. waterfall) SDLC.
Mano, P. (n.d.) The Need for Secure Software. (ISC)2. Available from: https://www.isc2.org/uploadedfiles/%28isc%292_public_content/certification_programs/csslp/csslp_whitepaper.pdf [Last accessed: 25-Nov-15]
  A good introduction which discusses the drivers and need for secure software, the relationship to the SDLC and approaches to achieve security.
Mehta, D.M. (n.d.) Effective Software Security Management. OWASP.
  You should be aware of OWASP; it is important. They say that: "The Open Web Application Security Project (OWASP) is a not-for-profit charitable organization focused on improving the security of software." This paper describes the need for, and a methodology of, improving the current posture of application development by integrating software security. It attempts to provide an effective platform for organizations to understand how they can align software security in their SDLC.
Microsoft (2005) At a Glance: Security Code Review. Available online at: https://msdn.microsoft.com/en-us/library/ff649921.aspx
  This provides a summary view of the main input, output, and steps for performing a security code review, together with links to more detailed information.
NIST (2002) Security Requirements for Cryptographic Modules, FIPS PUB 140-2, Federal Information Processing Standards Publication. Available online at: http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
  Another detailed standard from NIST which contains the requirements and standards for cryptographic modules that include both hardware and software components. The standard provides four increasing, qualitative levels of security intended to cover a wide range of potential applications and environments.
PCI DSS, various papers and standards: https://www.pcisecuritystandards.org/index.php
  A key standard for payment cards. The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes. Certification is critical for conducting e-commerce.
Seacord, R. (2011) Top 10 Secure Coding Practices, CERT. Available online at: https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices;jsessionid=70BCBBA55CA2F2FD12DC29F4EDDB6D4E
  A very brief, focused list of coding practices for achieving security. Very relevant to this scenario.
Collberg, C. and Nagra, J. (2009) Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection. Addison-Wesley Professional. Print ISBN-13: 978-0-321-54925-9
  An excellent book if you want to get into the subject in depth.
Gutmann, P. (n.d.) Everything You Never Wanted to Know about PKI but Were Forced to Find Out. Available online from: http://www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf
  X.509 is the standard for a public key infrastructure (PKI). It specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm. This presentation provides a quick outline.
IISP Framework C2 – Secure Development
• Implementing secure systems, products and components using an appropriate methodology.
• Defining and implementing secure development standards and practices including, where relevant, formal methods.
• Selecting and implementing appropriate test strategies to demonstrate security requirements are met.
• Defining and implementing appropriate processes for transfer of a product/system to operation/sale/live use.
• Defining and implementing appropriate secure change and fault management processes.
• Minimising the risk to an asset or product through the 'standard' design and development processes.
• Verifying that a developed component, product or system meets its security criteria (requirements and/or policy, standards & procedures).
• Analysing problem reports for signs of anomalous security issues, coordinating research into vulnerabilities and instigating corrective action where necessary.
• Specifying and/or implementing processes that maintain the required level of security of a component, product, or system through its lifecycle.
• Managing a system or component through a formal security assessment.
Assessment Grading Criteria

Learning Outcomes assessed:
LO1. Explain the differences between RAD and SDLC.
LO2. Articulate the key risks involved in rapid development life cycles, and prescribe methods for mitigating them.
LO3. Justify an approach for integrating security audit into the development of software Apps and the tasks that will be undertaken by the security team.
LO4. Undertake a threat analysis against a mobile software app, and identify controls that would mitigate the threats.
LO5. Identify a way in which the customer can register their mobile device with the service securely to mitigate against the threat of malware and social engineering.
LO6. Explain good practice in securing software and have an awareness of relevant standards and codes of practice.

Evidence: Team Report & Standard (Weight: 70%)
  Pass (40-49%): Most valid risks for RAD identified. Some controls identified. Governance model identified showing some phases/tasks. Some device threats and controls identified. Appropriate id techniques for registration. Appropriate industry standard identified. Some security requirements identified. Some TLS key points identified. Reports are structured with appropriate headings. Acceptable spelling and grammar. Mostly relevant content.
  Sound Pass (50-59%): Almost all risks for RAD identified correctly and in suitable format. Links are made between risks and controls. Governance model identified showing most phases & security tasks. Most device threats and controls identified. Appropriate id techniques for registration with justification linked to vulnerabilities. Appropriate industry standard identified. Most security requirements identified. Most TLS key points identified. Alternatives are discussed, but may be briefly. Report structured with appropriate headings. Accurate spelling and grammar. Generally appropriate level of detail, but inconsistent.
  Very Good Pass (60-69%): All major risks for RAD identified correctly in suitable format, and prioritised appropriately with discussion of controls. Governance model identified showing all phases & security tasks. Almost all device threats and controls identified. Appropriate id techniques for registration with justification linked to vulnerabilities. Appropriate industry standard identified. Almost all security requirements identified. Almost all TLS key points identified. Alternatives are discussed highlighting key issues. Report structured with appropriate headings. Written in clear, consistent and appropriate (business) style of English. Technical detail explained appropriately and consistently.
  Excellent (70-100%): Comprehensive list of risks for RAD, with controls evaluated and prioritised appropriately and contrasted with SDLC. Governance model identified showing all phases & security tasks with appropriate justification for preferred method. Comprehensive discussion of device threats and controls identified. Critical evaluation of id techniques for registration with justification linked to vulnerabilities in platform and information. Appropriate industry standard identified. Almost all security requirements identified with critical justification. Almost all TLS key points identified with critical discussion. Report structured with appropriate headings. Accurate and consistent English throughout report. Clear, concise and complete with appropriate level of detail throughout almost all of the report.

Evidence: Team Presentation (Weight: 20%)
  Pass (40-49%): Presentation is consistent with, and relates to, the report.
  Sound Pass (50-59%): As pass, and presentation emphasises key points and has balanced content.
  Very Good Pass (60-69%): As sound pass, and presentation clearly links features/benefits of solution with client needs and problems.
  Excellent (70-100%): Presentation is persuasive, balanced, thorough and clearly links features/benefits of solution to client needs/problems.

Working With Others: Participate constructively in team by:
• Taking responsibility
• Showing sensitivity and providing supportive feedback to others.
• Meeting deadlines
Evidence: Timekeeping, oral contributions, VLE postings, timeliness of work produced (Weight: 10%)
  Pass (40-49%): Usually communicates quickly with others if problems attending or meeting commitments. On time for most meetings. Completes most work allocated. NB Students can be excluded from teams for not meeting these requirements.
  Sound Pass (50-59%): Considered reliable by team mates. Almost always communicates quickly with others & renegotiates if problems attending or meeting commitments. Shares work with others in a timely way.
  Very Good Pass (60-69%): As sound pass, and on time for almost all meetings. Completes all work as agreed.
  Excellent (70-100%): As very good pass, and shows initiative/leadership in some areas of work.