Case Study #3: Technology & Product Review for Application Lifecycle Management Tools
Case Scenario:
As a Nofsinger consultant, you have been tasked with researching and recommending an Application Lifecycle Management (ALM) tool. Your deliverable for this task will be used to help obtain buy-in from the company’s program managers for increased security investments.
An Application Lifecycle Management tool (product) is used to help manage and protect digital assets which are part of or contribute to the management of software applications (especially source code and design documents) throughout the Software & Systems Development Life Cycle (SDLC). The digital assets for each software application must be protected from initiation of a development or acquisition project through to disposal of equipment at the end of its useful lifespan.
Multiple Sifers-Grayson managers have responsibility for making sure that Sifers-Grayson products are developed and delivered on-time and in compliance with the contractual requirements for functionality (“quality”). For the current set of customers this means that Sifers-Grayson must implement security focused configuration management (see NIST SP 800-128). Configuration management is a first-line defense against attacks intended to compromise the security and integrity of software applications. This business process is part of a larger, more complex process known as application lifecycle management.
Note: Application Development Lifecycle Management (ADLM) is related to ALM but does not encompass the entire SDLC. If you choose to review an ADLM tool, make sure that you address the limitations, i.e. does not cover all phases of the ALM. State what impact these limitations may have upon application security for the entire SDLC.
During initial interviews, the engineering managers and program managers provided the following information to your team.
1. Software and Systems Development are the lifeblood of the client company, Sifers-Grayson. From robots to drones to industrial control systems for advanced manufacturing, every product or system sold by the company depends upon software. Some system functions depend upon tiny control programs that capture data from a sensor or command an actuator to move. Other system functions depend upon sophisticated software algorithms to receive and analyze data to make sense out of the surrounding environment.
2. Sifers-Grayson’s engineers are responsible for writing and testing this software. But, they’ve never had to worry about cybersecurity … especially not internal security over software development activities in their own facilities.
3. The engineers feel ownership over their files and folders of source code.
4. There are occasional pranks between engineers working in the labs but software is sacred and off limits.
5. The engineers believe that No one would dare mess with a file containing source code for an operational system or a system that has moved into the integration and test phase of the software lifecycle.see attachments
Recent Comments