Security System Development Life Cycle (SecSDLC)

The Security System Development Life Cycle (SecSDLC) follows the same methodology as the more commonly known System Development Life Cycle (SDLC), but the two differ in the specific activities performed in each phase. Both the SecSDLC and the SDLC consist of the following phases:

  1. Investigation
  2. Analysis
  3. Logical Design
  4. Physical Design
  5. Implementation
  6. Maintenance

The SecSDLC process identifies specific threats and the risk they represent, and implements the security controls needed to counter, mitigate and manage that risk. The SDLC process, by contrast, focuses on the design and implementation of an information system for use by the organization.

Below is a brief explanation of the specific activities associated with each phase of the SecSDLC process.

Investigation – The investigation phase of the SecSDLC begins with a directive from upper management specifying the process, outcomes, and goals of the project, as well as its budget and other constraints.

Analysis – A preliminary analysis of existing security policies or programs is conducted, together with a review of documented current threats and their associated controls.

Logical Design – In the logical design phase, team members create the security blueprint, and examine and implement the key policies that influence later decisions.

Physical Design – In the physical design phase, team members evaluate the technology needed to support the security blueprint, generate alternative solutions, and agree upon a final design.

Implementation – The security solutions are acquired, tested, implemented, and tested again. Personnel issues are evaluated and specific training and education programs are conducted.

Maintenance – Once the information security program has been implemented, it must be operated, properly managed, and kept up to date by means of established procedures.

WordPress 3.6.1 Maintenance and Security Release

After nearly 7 million downloads of WordPress 3.6, we are pleased to announce the availability of version 3.6.1. This maintenance release fixes 13 bugs in version 3.6, which was a very smooth release.

WordPress 3.6.1 is also a security release for all previous WordPress versions and we strongly encourage you to update your sites immediately. It addresses three issues fixed by the WordPress security team:

  • Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution. Reported by Tom Van Goethem.
  • Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij.
  • Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrop Grumman subcontractor for the U.S. Centers for Disease Control and Prevention.

Additionally, we’ve adjusted security restrictions around file uploads to mitigate the potential for cross-site scripting.

We appreciated responsible disclosure of these issues directly to our security team. For more information on the changes, see the release notes or consult the list of changes.

Download WordPress 3.6.1 or update now from the Dashboard → Updates menu in your site’s admin area.

From WordPress News
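The first item in the list above concerns PHP's unserialize(). The release post does not describe the bug itself, so the script below is an added illustration written for this page, not WordPress code and not a reproduction of the 3.6.1 fix. It shows the general failure mode: when unserialize() runs on attacker-controlled bytes, any class in scope can be instantiated with attacker-chosen properties, and its magic methods (here __destruct()) then run with them. The Logger class, the loader functions, the target path and the payload are all constructed for the example; the allowed_classes option used in the hardened loader exists from PHP 7.0 onward.

```php
<?php
// Added example (not WordPress code): unserialize() on untrusted input
// versus two hardened loaders. Requires PHP 7.0+ for allowed_classes.

// Hypothetical application class. Nothing in it is malicious; the problem is
// that unserialize() lets an attacker instantiate it with properties of their
// choosing, and its __destruct() then runs with those properties.
class Logger
{
    public $path = '/tmp/app.log';
    public $content = '';

    public function __destruct()
    {
        // Sink: writes attacker-chosen content to an attacker-chosen path.
        file_put_contents($this->path, $this->content);
    }
}

// Vulnerable loader: any class in scope is instantiable from the input.
function loadUnsafe(string $data)
{
    return unserialize($data);
}

// Hardened loader 1: refuse to instantiate any class. Objects in the input
// come back as __PHP_Incomplete_Class, which has no magic methods to run.
function loadSafe(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Hardened loader 2 (defense in depth, also usable on PHP 5): reject input
// containing an object ("O:") or custom-object ("C:") token before it ever
// reaches unserialize(). Coarse by design; a false positive only rejects data.
function containsSerializedObject(string $data): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $data);
}

// Constructed attacker payload: a Logger whose destructor drops a webshell.
$target  = sys_get_temp_dir() . '/shell.php';   // stands in for a web-reachable path
$code    = '<?php system($_GET["c"]); ?>';
$payload = sprintf(
    'O:6:"Logger":2:{s:4:"path";s:%d:"%s";s:7:"content";s:%d:"%s";}',
    strlen($target), $target, strlen($code), $code
);

// 1. Vulnerable path: the object is materialised and its destructor fires
//    as soon as the reference is released.
$obj = loadUnsafe($payload);
echo get_class($obj), "\n";                                   // Logger
$obj = null;                                                  // __destruct() runs here
echo file_exists($target) ? "shell written\n" : "no file\n";  // shell written
@unlink($target);

// 2. allowed_classes => false: no Logger is ever created, nothing is written.
$safe = loadSafe($payload);
echo get_class($safe), "\n";                                  // __PHP_Incomplete_Class
$safe = null;
echo file_exists($target) ? "shell written\n" : "no file\n";  // no file

// 3. Pre-check: the payload is refused before unserialize() is reached,
//    while a plain serialized array passes.
var_dump(containsSerializedObject($payload));                 // bool(true)
var_dump(containsSerializedObject('a:1:{i:0;s:2:"ok";}'));    // bool(false)
```

Run it with the PHP CLI. The practical rule it illustrates: never call unserialize() on data a user can influence (cookies, form fields, database rows a lower-privileged user can write); if serialization is unavoidable, pass allowed_classes (false or an explicit whitelist), and prefer json_decode() when only scalars and arrays are needed, since JSON cannot express objects with behaviour.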

‘Apps act’ would make privacy disclosures mandatory

With more than 1.5 million apps now available for Android phones and Apple’s iPhone, a congressman is proposing a law that would require mobile app developers to let users know what an app’s privacy policies are when it comes to information being shared and the length of time the information is kept by a developer.

“Data has become the oil of the 21st century, and like any other resource, there must be common-sense rules of the road for this emerging challenge,” said Rep. Hank Johnson, D-Ga., in introducing the Application Privacy, Protection and Security Act in Congress Thursday.

“Every day millions of Americans use mobile applications to help us get through the day,” Johnson said. “But many consumers do not know their data is being collected. This privacy breach is just not 1s and 0s, it’s personal information, including our location at any given moment, our photos, messages and many of the things meant only for our friends and loved ones.

“Yet we lack basic rights to control how and how much of our data is collected on our phones, iPads and tablets.”

The bill, H.R. 1913, also being called the “Apps Act,” follows a report from the Federal Trade Commission in February about the same issue. In that report, the agency suggested ways for “critical players” such as app developers, advertising networks and mobile operating system providers like Google, Apple, Amazon, Microsoft and BlackBerry, to provide “timely, easy-to-understand disclosures about what data they collect and how the data is used.”

The FTC report noted that “consumers increasingly are concerned about their privacy on mobile devices. For example, 57 percent of all app users have either uninstalled an app over concerns about having to share their personal information, or declined to install an app in the first place for similar reasons.”

Read more here.

[Infographic] Wiretapping: Privacy vs. security

This infographic traces the history of the privacy vs. security debate in the U.S. from the Bill of Rights to PRISM.

Here is a timely trip through the U.S. history of the privacy vs. security debate as it relates to wiretapping, courtesy of whocalledmyphone.net. The infographic below follows a path from the establishment of the 4th Amendment in 1791 to Edward Snowden and the NSA.

Wire Tapping: Privacy vs. Security

September 2013 Patch Tuesday Preview

Microsoft announced its lineup for next week’s Patch Tuesday. We will get 14 bulletins, already bringing the number for this year to 80 in September. We are well on our way to more than 100 bulletins this year, compared to 83 in 2012 and exactly 100 in 2011, a good reflection of how challenging the computer security business continues to be.

Of the 14 bulletins, the first eight are rated as “Remote Code Execution,” which is the type of weakness that attackers are after when looking for ways to get into your network. Bulletins #1 to #4 are rated “critical” by Microsoft, indicating that they can be exploited without user interaction. Bulletin #1 is for SharePoint Server and should be the highest priority on the list for your server administrators, after diligent testing to assure that the patch does not impact any business-critical functionality. Bulletin #2 should be high priority for your desktop security team; it addresses a flaw in Microsoft Office that can be triggered simply by previewing an e-mail in Outlook, even without explicitly opening the e-mail. Outlook in Office 2007 and 2010 is affected.

Bulletin #3 is a critical update for Internet Explorer (IE) affecting all versions from IE6 to IE10, including on Windows 8 and Windows RT. Bulletin #4, the last critical bulletin, addresses a flaw in Windows, but only affects the soon-to-be legacy operating systems Windows XP and Windows Server 2003. You should be phasing those out by now: Windows XP loses support for security patches in April of next year, as does Office 2003, and Windows Server 2003 follows in July 2015. Those operating systems and the Office suite will then start to accumulate unfixed vulnerabilities and become a magnet for attackers, who will have access to easy-to-use and surefire tools to exploit setups that run on XP/2003 or that have Office 2003.

Read the rest here.

All-over-IP Expo 2013: Karlheinz Biersack (Dallmeier electronic) to Share Ideas on Boosting Critical Infrastructure Security

Dallmeier electronic Head of Russia’s Rep. Office, Karlheinz Biersack, will share his extraordinary expertise with Russian security and IT customers at All-over-IP Expo 2013 (November 21, 2013, Sokolniki Expo, Moscow). www.all-over-ip.ru/eng

6 years of managing various huge SIEMENS projects around the world;

6 years of consulting Sirte Oil Company (Libya) on security for their oil refinery and drilling sites;

13 years of hi-tech Dallmeier electronic projects in Russia and Eastern Europe.

In his keynote, entitled “Situational Awareness: US Air-Force Formula for Business Success”, Karlheinz Biersack will focus on how security departments can improve their overall situational awareness for efficient critical infrastructure protection.

According to the US Air Force, the creation of situational awareness was as important as the invention of firearms. Nowadays, military operations are not the only field in which situational awareness is relevant and vital.

All-over-IP Expo 2013 visitors have a chance to meet up and share ideas with Karlheinz Biersack, whose expertise in boosting critical infrastructure security around the globe is absolutely crucial to Russia’s security installations.

6th Annual International ALL-OVER-IP EXPO 2013 is Russia’s No. 1 networking event for global IT, Surveillance and Security vendors and key local customers. All-over-IP brings together major global and Russian brands to ensure the best marketplace for the latest technology and innovation, and to lead customers to the Next Big Thing.

Primary Sponsor of All-over-IP Expo 2013: ITV | AxxonSoft – a leading software developer that combines IP-based physical security management, intelligent video surveillance, and an enterprise-wide platform.

Companies interested in exhibiting should contact Alla Aldushina at aldushina@groteck.ru

For keynote speaking opportunities please contact Olga Fedoseeva at fedoseeva@groteck.ru

6th Annual International ALL-OVER-IP EXPO 2013

November 20–21, 2013

Russia, Moscow, Sokolniki Expo

www.all-over-ip.ru