Risk Management Framework in SDLC for Software Security
There is a close relationship between the System Development Lifecycle and the Risk Management Framework. The development phases encounter various risks throughout the lifecycle. These risks are technical, business, organisational, environmental or operational in nature. The sections below discuss the system development lifecycle, its phases and methodologies, and the risk management framework in brief, and show the relationship between SDLC and the Risk Management Framework.
SDLC
The system development lifecycle has long been used by system developers to plan, design, build, test and implement a system. It is a tailored, systematic approach that provides the frame to plan, execute and deliver a high-quality system. There are various steps or phases in the SDLC and various methodologies for approaching the development of the system. The core phases in SDLC are illustrated in the figure below.
Figure 1: SDLC Lifecycle (Wikimedia Foundation, Inc., 2020)
The phases included in SDLC have the following defined tasks and activities:
1. Planning
a. Conceptualize Project
b. System Concept Development
c. Cost-Benefit Analysis
d. Risk Management Plan
e. Feasibility Study
f. Project Management Plan Development
g. Other planning documents
2. Analysis
a. Preliminary Analysis
b. System Analysis
c. Requirement Definition
3. Design
a. System Design
b. UML Design
c. Coding and Development
d. Testing and Review
4. Implementation
a. Implementation Preparation
b. Installation
c. Training
5. Maintenance
a. Support
b. Debugging and maintenance
Given the complexity of managing a project, there are various methodologies in SDLC.
These methodologies are as follows:
· Waterfall: The traditional approach, mostly preferred in huge system development projects, where activities are completed phase by phase and the product is delivered on completion of the SDLC. The phases of the waterfall are rigid in nature, and completion of one phase leads to the next.
· Agile: The evolutionary approach that has adaptive planning through continual development and fast delivery of the system.
· Lean: This methodology relies on techniques and practices used to establish a more efficient and rapid culture of development within a lean manufacturing environment. These techniques and practices include waste disposal, learning amplification, making decisions as late as possible in the process, delivering fast, empowering a team, embracing integrity, and viewing development as broadly as possible.
· Spiral: This framework incorporates various models, based on what works best in a given process or situation of development. As a result, it can rely on Waterfall, Agile, or DevOps for various components or for different projects that fit under the same initiative for software development. Spiral uses a risk-based approach to assess the best choice for a given situation.
· DevOps: This technique combines the functions of "development" and "operations" to build a collaboration- and communication-focused framework. It aims to automate processes and introduce a continuous-development environment.
· Iterative Development: Iterative software development focuses on an incremental approach to coding. The approach revolves around shorter cycles of development, typically tackling smaller pieces of development. It also incorporates repeated cycles: the step of initialization, the step of iteration, and the list of project controls. Typically, iterative development is used for large projects.
· V Model: The approach is seen as an extension of the waterfall development methodology. It revolves around methods of testing and uses a V-shaped model that focuses on verification and validation.
Risk Management Framework (RMF)
The risk management framework suggested by Gary (2005-2007) is an approach that identifies the risks, prioritizes them, defines the risk mitigation strategy and implements the controls during the assurance activities. There are five steps in the risk management framework. The initial step is to understand the business context. This is followed by the identification of technical and business risks in the business and its activities. This leads to analyzing and evaluating the risks through impact and likelihood criteria. After these steps, the risk mitigation strategy is defined and, finally, the controls are implemented. This is a continual process.
Figure 2: Risk Management Framework
(Source: McGraw, Risk Management Framework (RMF), 2005)
Table 1: Mapping SDLC with Risk Management Framework
Hence, risk management is an integral part of the SDLC. The planning phase, where requirements are understood, is the stage at which to plan risk management. The risk management framework can be developed in this stage, which includes developing risk criteria and identifying the potential technical and business risks that may be encountered in the SDLC. In every phase, the system encounters changes due to changes in internal or external factors, so risk analysis must be in place in every phase to ensure software security. This can also be called a check and balance on risk in the SDLC.
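The likelihood-and-impact analysis from the framework section and the per-phase risk analysis described above can be kept in a small risk register. The following is an added example, not code from the original article or from McGraw's framework; the 1-5 likelihood and impact scales, the score threshold of 12, the `Risk` fields and the sample register are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# The five core SDLC phases listed on this page.
SDLC_PHASES = ["Planning", "Analysis", "Design", "Implementation", "Maintenance"]

@dataclass
class Risk:
    phase: str            # SDLC phase in which the risk was identified
    kind: str             # "technical" or "business"
    description: str
    likelihood: int       # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int           # assumed scale: 1 (negligible) .. 5 (severe)
    mitigation: str = ""  # empty until a mitigation strategy is defined

    def __post_init__(self):
        # Reject entries that would silently distort the ranking.
        if self.phase not in SDLC_PHASES:
            raise ValueError(f"unknown SDLC phase: {self.phase}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be 1..5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def prioritize(register):
    """Rank risks by likelihood x impact, highest first (ties keep entry order)."""
    return sorted(register, key=lambda r: r.score, reverse=True)

def gaps(register, threshold=12):
    """Return (phases with no risk analysis, high risks with no mitigation)."""
    covered = {r.phase for r in register}
    missing_phases = [p for p in SDLC_PHASES if p not in covered]
    unmitigated = [r for r in prioritize(register)
                   if r.score >= threshold and not r.mitigation]
    return missing_phases, unmitigated

# Constructed sample register (not data from the article).
REGISTER = [
    Risk("Planning", "business", "Security requirements missing from project plan",
         3, 4, "Add a security requirements review to the plan"),
    Risk("Design", "technical", "No threat model for the authentication flow", 4, 5),
    Risk("Design", "technical", "Third-party library is unmaintained", 2, 3),
    Risk("Implementation", "technical", "Default credentials left in installer",
         3, 5, "Installer forces a credential change"),
    Risk("Maintenance", "business", "No owner assigned for security patches", 4, 3),
]

if __name__ == "__main__":
    missing, open_risks = gaps(REGISTER)
    print("Phases without risk analysis:", missing)
    for r in open_risks:
        print(f"[{r.score:>2}] {r.phase}: {r.description} (no mitigation defined)")
```

Re-running `gaps` at each phase gate shows which phases still lack a risk analysis and which high-scoring risks have no mitigation strategy yet.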
Bibliography
ISO 31000. (2009). Introduction. Risk Management - Principles and guidelines. Switzerland: The International Organisation of Standardization (ISO).
McGraw, G. (2005, September 21). Risk Management Framework (RMF). Retrieved from CISA Cyber Infrastructure: https://www.us-cert.gov/bsi/articles/best-practices/risk-management/risk-management-framework-%28rmf%29
McGraw, G. (2006). Software Security: Building Security in. Boston: Pearson Education Inc.
Wikimedia Foundation, Inc. (2020, March 24). Systems development life cycle. Retrieved from Wikimedia: https://en.wikipedia.org/wiki/Systems_development_life_cycle