
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/273063901

Risk Management Perspective in SDLC

Article  in  International Journal of Computer Science and Software Engineering · March 2014


3 authors:

Kavita Sahu, Dr. Shakuntala Misra Rehabilitation University, Lucknow
Rajshree Pandey, Babasaheb Bhimrao Ambedkar University
Rajeev Kumar, Babasaheb Bhimrao Ambedkar University


All content following this page was uploaded by Rajshree Pandey on 10 March 2015.



Kavita et al., International Journal of Advanced Research in Computer Science and Software Engineering 4(3),
March - 2014, pp. 1247-1251

Volume 4, Issue 3, March 2014 ISSN: 2277 128X

International Journal of Advanced Research in Computer Science and Software Engineering
Research Paper
Available online at: www.ijarcsse.com
Risk Management Perspective in SDLC
Kavita Sahu*, DIT, BBAU, Lucknow, Kavi9839@gmail.com
Rajshree, DIT, BBAU, Lucknow, rajshree.bbau2009@gmail.com
Rajeev Kumar, DIT, BBAU, Lucknow, rs0414@gmail.com

Abstract – Risk and its management is an area based on the hypothesis of probability. It is well known that the requirement and design phases of the software development life cycle are the phases where security integration yields maximum benefit. In this paper we have tried to tie software security and software risk together in a single string. The result is a complete process that will help a developer choose the most appropriate risk management plan for giving software more security. A software development life cycle is used to help researchers, scientists, project managers and programmers understand the working of particular software more easily. In fact, the software development life cycle gives a basic understanding of the start of a project. It includes a number of phases that sequence the activities to be performed during the implementation of the required software. In this paper, a life cycle is proposed which will help the developer identify and mitigate risks at an early stage of development.

Key Words – Software Security, Software Risk, RMMM Plan, Software Development Life Cycle (SDLC), Software Quality.

I. INTRODUCTION

In this information era, information systems and networks often consist of software systems running on many interconnected computers with various capabilities, such as servers, desktops, laptops, PDAs, and even cell phones. In these systems, connectivity has become more important than ever before [1]. Connectivity has given us the opportunity to share data quickly, which also increases the chance of personal data being attacked and hacked. The increasing complexity and extensibility of software systems further complicate the situation, as they introduce more security breaches and make information systems more vulnerable to failures and attacks. Software security, which is the idea of engineering software such that it can function correctly and continuously under malicious attacks [2], has attracted much attention recently because reactive network-based security approaches, like firewalls and signature-based anti-spyware, have been shown to be ineffective at achieving secure software. Software security is the process of planning when risk of software is identified. Risk concerns future happenings: it might happen, it might not. A lot of work has been done on risk mitigation and risk monitoring, but a life cycle of the RMMM plan has not yet been identified for securing software in the design phase. This work has been done to show the impact of software risk on object-oriented design when developing software [3, 4, 5].
This paper first identifies what software security is. The third section introduces risk, the fourth section presents a life cycle for risk management, and the last section presents future work and the conclusion.

II. SOFTWARE SECURITY

Security is similar to the concepts of safety, confidentiality, and reliability. A number of security loopholes and vulnerabilities exist due to defects in the security architecture and security mechanism [9]. Hackers and attackers do not create security loopholes; rather, they target the weaknesses in the software and exploit them. In order to maintain software security during the development stages, hacking should be made too difficult [3]. The purpose of making software secure is to protect it from all kinds of attacks, errors, bugs, threats, viruses and vulnerabilities [4]. Software security is concerned with defending the application program. The security architecture must be designed to meet the needs of the product's security goals and of the sensitive information contained therein. It prompts the developer to build secure software which performs better under circumstances created by malicious attacks.

© 2014, IJARCSSE All Rights Reserved Page | 1247



III. WHAT IS RISK?

Risk is a future uncertain event with a probability of occurrence and a potential for loss. Risk is the expectation of loss or damage. When risks are analyzed, it is important to quantify the level of uncertainty and the degree of loss associated with each risk [5]. Risk is the factor which should be identified before going through software security. Risks can be broadly divided into two categories: proactive risks and reactive risks. Proactive risks are risks assumed in advance to occur in the future.
How risk takes effect within the software context is shown in Fig. 1. The figure shows that risks can be imposed on schedule, hardware, system, technology, people and cost. These types of risks are considered and planned for before development of the software. Secure software is developed when its risks are identified early, in the design phase. Reactive risks arise when a problem occurs after deployment of the software. Secure software is a need of today's internet life; software is secure when its risks are identified early and managed. The identification, mitigation and monitoring of risk is the key factor in secure software. Risk management is the process of identifying, addressing, and eliminating risks before they can damage the project. It identifies software risks and plans to avoid them and to minimize their effects if they occur. Not all risks can be avoided, but by performing risk management we can attempt to ensure that the risks are minimized.

[Figure labels: Software; Schedule, Hardware, System, Technology, People, Cost]

Fig. 1: Risk within software context

IV. RISK MANAGEMENT IN SDLC

“Risk is the prospect of suffering failure.” In a software development project, failure describes a negative impact on the project, which could take the form of diminished quality of the end project, increased costs, postponed completion, or complete project failure. Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities [6,7]. Risk management should be done during the software development life cycle (SDLC). Risk management consists of two major activities: risk assessment and risk reporting. Risk assessment in turn includes risk identification, risk analysis and risk prioritization. In the proposed framework of risk management, a life cycle is presented to identify and mitigate risks during the software development phase [11, 12]. This life cycle of risk management is shown in Fig. 2 and described in detail below. From the figure it is clear that risk management activity involves six phases: Requirement phase, Analysis phase, Design phase, Development phase, Test phase, Maintenance phase.


[Figure labels: Risk Management; Requirement Phase, Analysis Phase, Design Phase, Development Phase, Test Phase, Maintenance Phase]

Fig. 2: Risk management activity in SDLC

The risk management activities in each SDLC phase are described in detail below.

A. Requirement phase
In the requirement phase of the SDLC, requirements are gathered from users. Risk can occur in any phase of the SDLC, including the requirement phase; hence risks are identified and assessed here. Two processes take place in this phase:
• Asset identification: Evaluation of the likelihood that certain disruptions will occur and of the controls to decrease organizational exposure to such risk. It is performed jointly with the vulnerability assessment [14,18].
• Threat identification: This process is used to identify threats in the requirement phase. Threat analysis methodology is used to identify risks and guide subsequent design, coding and testing decisions. Identifying security threats is a prepared activity that requires some creativity, since many systems have unique requirements that introduce unique threats [13, 17].
B. Analysis phase
To understand the nature of the risk report gathered in the first phase, a developer must understand the information domain, the required functions, and the actions and plans for mitigating the associated risks. The purpose of the analysis phase is to assess the loss probability and magnitude of each risk item.
C. Design phase
During the design phase of development, security and privacy requirements and expectations are carefully reviewed to identify security concerns and privacy risks. It is efficient to identify and address these concerns and risks during the design phase. This process includes the following steps.
• Asset identification: Iterates through the assets and capabilities. For each security service on each capability, identify all possible security threats.
• Vulnerability identification: A security assessment or security vulnerability analysis is a subset of a process called enterprise risk management. Vulnerabilities that exist in the software environment or that result from interaction with other systems are identified in this step.
• Risk assessment: Once risks have been identified, they must be assessed as to their potential severity of impact and their probability of occurrence. These quantities can be either simple to measure or impossible to know. Therefore, in the assessment process it is critical to make the best educated decisions in order to properly prioritize the implementation of the risk management plan.
• Risk mitigation: Risk mitigation is a plan that would reduce or eliminate the highest-priority risks. The mitigation plan includes a description of the actions that can be taken to mitigate the red-rated risk and assigns a primary handler for the action.


• Test plan and development: In preparation for the next phase, a test plan and a development plan should be prepared, and the risks related to them should be identified.
D. Development phase
The primary goal during the development phase is to build the solution components, code as well as documentation. The team continues to identify all risks throughout the phase and addresses new risks as they emerge. This process consists of three steps.
• Code reviews: A code review can be an effective means by which the team can identify whether code meets local standards, and might even result in identifying some problems prior to compiling, which may be risks for the future [8].
• Pair programming: Pair programming reduces staff-loss risk [6]. The shoulder-to-shoulder technique of pair programming serves as a continual design and code review, leading to the most efficient defect removal rates.
• Unit testing and static testing: By using unit tests and dynamic analysis, developers can validate the security functionality of components as well as verify that the countermeasures being developed mitigate any security risks previously identified through threat modelling and source code analysis.
E. Test phase
• Dynamic code testing: Dynamic code testing is analysis of computer software that is performed by executing the program in a real or virtual world. The target program must be executed with sufficient test inputs to produce interesting behaviour.
• Web application testing: Complete testing of a web-based system before going live can help address issues before they are revealed to the public, such as the security of the web application, its authorization, availability, etc.
• Vulnerability scanning: Vulnerability scanning is an important method for finding software security risks; it includes testing space scanning and non-defect scanning. Testing space scanning deals with scanning of network ports, strings, producer data, network data and other elements. Non-defect scanning finds non flaws, usually based on the defect library.
• Test threat actions: A threat is a negative effect on a test. Hence the testing of threats creates risks, and this step is considered in order to identify those risks.
F. Deployment phase
In the deployment phase the product is partially completed. All risks have been identified over the whole life cycle; now a proper test plan is prepared in this phase.
• Periodic testing: Periodic testing means third-party testing that must be conducted on the continuing production of software.
• Risk management plan: Developing a risk management plan is simply a matter of following some steps, which include constructing a risk categorization table, ranking the risks, preparing and sorting the risk table, and finally ensuring that risk management activity is an ongoing process throughout the project.
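
One way to build and sort the risk table named in the risk management plan step, using the loss probability and magnitude assessed in the analysis phase. This is an added example, not part of the original paper; the exposure formula (probability times loss), the 0..1 scale, the red/amber cut-offs and all sample entries are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed exposure cut-offs; the paper names a "red" rating but gives no scale.
RED, AMBER = 0.30, 0.10

@dataclass
class Risk:
    phase: str          # SDLC phase in which the risk was identified
    category: str       # context from Fig. 1: schedule, cost, people, ...
    description: str
    probability: float  # estimated probability of occurrence, 0..1
    loss: float         # estimated magnitude of loss, normalised to 0..1
    handler: str = ""   # primary handler assigned to the mitigation action

    def __post_init__(self):
        # Reject estimates outside the assumed scale before they skew the ranking.
        for name in ("probability", "loss"):
            value = getattr(self, name)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must be within 0..1, got {value}")

    @property
    def exposure(self) -> float:
        # Assumed formulation: exposure = probability x loss.
        return self.probability * self.loss

    @property
    def rating(self) -> str:
        if self.exposure >= RED:
            return "red"
        return "amber" if self.exposure >= AMBER else "green"

def build_risk_table(risks):
    """Rank the risks: highest exposure first, so it is controlled first."""
    return sorted(risks, key=lambda r: r.exposure, reverse=True)

def red_without_handler(risks):
    """Red-rated risks whose mitigation action has no primary handler yet."""
    return [r for r in risks if r.rating == "red" and not r.handler.strip()]

# Constructed sample register, one entry per phase; all values are illustrative.
SAMPLE = [
    Risk("Test", "schedule", "Web application testing cut short", 0.2, 0.3),
    Risk("Design", "system", "Vulnerability from interaction with other systems", 0.4, 0.8),
    Risk("Requirement", "technology", "Threat missed for a unique requirement", 0.5, 0.9, "security lead"),
    Risk("Development", "people", "Staff loss during coding", 0.3, 0.5, "team lead"),
]

if __name__ == "__main__":
    for r in build_risk_table(SAMPLE):
        print(f"{r.exposure:.2f} {r.rating:<5} {r.phase:<12} {r.description} [{r.handler or 'UNASSIGNED'}]")
    print("needs handler:", [r.description for r in red_without_handler(SAMPLE)])
```

Re-running the table whenever a phase adds or re-estimates a risk keeps the plan an ongoing activity rather than a one-off document.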

V. FUTURE WORK

It is known that half of the software is designed and developed on paper, so if we consider risk during the paper work then that will be a risk reduction process in its own right and risk will also be minimized. A proactive approach of paying close attention to security during all phases prevents expensive Security requirements and security features plays a very important role in the security integration at design phase of the SDLC. The future work for this proposed framework is to plan an RMMM design which will be common to some kinds of risks.

VI. CONCLUSION

Risk management gives a structured mechanism to provide visibility into threats to project success. By considering the potential impact of each risk item, we can make sure to control the most rigorous risk first. Without a formal approach, we cannot ensure that our risk management actions are done in the right manner. Thus a proper life cycle for a risk management plan is justified in this paper, which provides a step-by-step implementation of the risk management plan.

VII. REFERENCES

[1] M. Howard and D. LeBlanc, “Writing Secure Code”, Microsoft Press, 2001.
[2] Gary McGraw, “Software Security”, IEEE Security & Privacy, vol. 2(2), 2004, pp. 80-83.
[3] J. Viega and G. McGraw, “Building Secure Software”, Addison-Wesley, 2001.


[4] S. Chandra and R. A. Khan, “Object Oriented Software Security Estimation Life Cycle: Design phase perspective”, Journal of Software Engineering, USA, pp. 39-46.
[5] Roger S. Pressman, “Software Engineering: A Practitioner’s Approach”, Book.
[6] http://en.wikipedia.org/wiki/pair-programming
[7] Introduction to software testing, available at http://www.onestoptesting.com/introduction/
[8] http://technet.microsoft.com/en-us/librry/bb497041.aspx
[9] G. Booch, Object-Oriented Analysis and Design: with applications. Benjamin/Cummings, 1994.
[10] S. McConnell, Rapid development: taming wild software schedules. Microsoft Press, 1996.
[11] http://www-cse.ucsd.edu/users/wgg/swevolution.html
[12] http://www.bell-labs.com/user/hpsiy/research/evolution.html
[13] http://www.comp.lancs.ac.uk/projects/RenaissanceWeb/
[14] http://www.sei.cmu.edu/reengineering/
[15] J. Lakos, “Large-Scale C++ Software Design,” Addison-Wesley Professional Computing Series.
[16] http://www.xilinx.com/company
[17] M. R. Garey and D. S. Johnson, Computers and Intractability: A Guide to the Theory of NP-Completeness. Freeman, San Francisco, CA, 1979.
[18] J. Frankle, “Iterative and Adaptive Slack Allocation for Performance-driven Layout and FPGA Routing,” Proceedings of the 29th ACM/IEEE conference on Design automation conference, 1992, Page 536.
[19] E. S. Ochotta, et al, “A Novel Predictable Segmented FPGA Routing Architecture,” in FPGA ‘98, Proceedings of 1998 ACM/SIGDA intl. symp. on FPGAs, pp. 3-11.
[20] http://www.joelinoff.com/ccdoc/index.html
[21] C.W. Krueger, “Software Reuse.” ACM Computing Survey, vol. 24, no. 2, pp. 131-182, 1992.
[22] E. Mettala and M.H. Graham, “The Domain-Specific Software Architecture Program,” CMU/SEI-
