Software development unit 4 aos 2

Cybersecurity

Key Knowledge

1. Goals and objectives of medium and large organisations

2. Advantages and disadvantages of developing software in-house or externally

3. Types of vulnerabilities and risks within insecure development environments, including:

4. Security controls used to protect software development practices and data stored within applications

5. Threat modelling principles

6. Criteria for evaluating the security of software development practices within an organisation

7. Key legislation and industry frameworks that affect how organisations develop software and control the security and communication of data

8. Ethical issues that arise when developing software

9. Mitigation measures to reduce or eliminate threats, vulnerabilities and risks within organisations and development environments

10. Strategies for improving the security of software development practices

KK01 - Organisational Goals

Definition:
Broad, long-term outcomes that an organisation aims to achieve. Goals are typically general statements of what the organisation wants to become or accomplish in the future.

Key Features:

• Strategic and high-level

• Long-term focus (often 3–5+ years)

• Inspirational and directional rather than measurable

• Set by senior leadership

Example:

"Become the leading provider of digital education solutions in Australia within five years."

KK01 - Organisational Objectives

•Definition:
Specific, measurable steps that help an organisation achieve its goals. Objectives are more concrete, time-bound, and action-oriented than goals.

•Key Features:

•Short- to medium-term focus

•SMART (Specific, Measurable, Achievable, Relevant, Time-bound)

•Support and align with broader goals

•Example:

•"Increase customer subscriptions by 15% over the next 12 months through targeted digital marketing campaigns."

KK01 - Summary

	Organisational Goal	Organisational Objective
Purpose	Sets overall direction and vision	Defines steps to achieve the goal
Scope	Broad and general	Specific and focused
Timeframe	Long-term	Short- to medium-term
Measurability	Often non-measurable	Always measurable
Example	"Be the market leader in eco-friendly packaging."	"Reduce plastic use by 30% within 18 months."

KK02 – In-house development

Software is developed by your organisation’s internal team

KK02 – In-house development adv/disv

Advantages	Disadvantages
Full control over project direction, timeline, and priorities	Higher upfront costs for staff, tools, and infrastructure
Seamless internal communication and immediate feedback	May lack specialised expertise for complex or niche requirements
Tailored solutions that align closely with organisational processes	Slower development if internal teams are small or overstretched
Enhanced data security with internal handling of sensitive information	Ongoing responsibility for updates, bug fixes, and long-term support
Builds internal staff capability and technical knowledge	Risk of over-reliance on key personnel or limited internal resources
Intellectual property (IP) remains entirely within the organisation	Can be disrupted by shifting internal priorities or organisational changes

KK02 – External development

Software is developed by a 3rd vendor or freelance team

KK02 – External development adv,/disv

Advantages	Disadvantages
Access to specialised expertise and industry best practices	Less control over project direction and delivery timelines
Faster development due to dedicated teams and refined processes	Potential for miscommunication or misalignment with organisational needs
Scalability—can ramp up or down based on project scope	Data security concerns when sharing sensitive information with third parties
Reduced burden on internal staff and resources	Ongoing costs through contracts, licenses, or vendor lock-in
Vendors often bring experience from similar projects	Customisation may be limited or come at a high cost
Predictable budgeting through fixed-price contracts or service agreements	Dependence on external parties for updates, maintenance, and long-term support

KK03 – Types of vulnerabilities and risks: (10)

-        use of application programming interfaces (APIs)

-        malware

-        unpatched software

-        poor identity and access management practices

-        man-in-the-middle attacks

-        insider threats

-        cyber security incidents

-        risks present from software acquired by third parties

-        ineffective code review practices

-        combined development, testing and production environments

KK03 - Types of vulnerabilities and risks: APIs

•Use of application programming interfaces (APIs)

•Definition: interfaces that allow different systems and solutions to interact and communicate with each other seamlessly.

KK03 - Types of vulnerabilities and risks: APIs (table)

Risk	Explanation
Unauthorised Access	APIs without strong authentication and access controls can expose data to attackers.
Data Leaks	Poorly designed APIs may reveal sensitive or excessive information.
Injection Attacks	If APIs don't validate input properly, they can be exploited via SQL or script injection.
Lack of Encryption	Data sent over APIs without HTTPS can be intercepted by attackers.
Abuse and Overuse	APIs without rate limits can be overwhelmed by too many requests (DoS attacks).

KK03 – Types of vulnerabilities and risks: malware (8)

Viruses

Worms

Trojans

Spyware

Ransomware

Keyloggers

Rootkits

Backdoors

Adware

Botnets

malware: viruses

Attach to executable files and replicate when the file is run.

Can corrupt source code or development tools, leading to system crashes or loss of work.

malware: worms

Self-replicate and spread through networks without user action.

Can slow down or crash development networks and expose code to unauthorised access.

malware: trojans

Disguised as legitimate software but perform malicious actions.

May steal source code, introduce backdoors, or compromise builds.

malware: spyware

Secretly monitors user activity and collects data.

Can capture credentials (e.g. GitHub tokens, API keys) or steal sensitive project files.

malware: ransomware

Encrypts files and demands payment to restore access.

Can lock developers out of source code, repositories, or entire systems.

malware: keyloggers

Record keystrokes to capture sensitive information.

Can steal login details for version control, cloud platforms, or internal systems.

malware: rootkits

Hide the presence of other malware and gain privileged access.

Allow attackers to stay hidden while tampering with development environments.

malware: backdoors

Provide unauthorised remote access to systems or software.

Can lead to tampering with code or future exploitation of released software.

malware: adware

Unwanted software that displays ads, often bundled with freeware.

Distracting, may install additional unwanted software or degrade performance.

malware: botnets

Turn infected devices into part of a controlled network for malicious purposes.

Developer machines could be used for DDoS attacks or spreading malware further.

KK03 – Types of vulnerabilities and risks: unpatched software (5)

Unpatched or Newly Discovered Flaws

Malware Infections

Data Breaches

System Instability

Compromised Software Releases

unpatched software vulnerability : Unpatched or Newly Discovered Flaws

Includes both known vulnerabilities that haven't been fixed and zero-day exploits with no patch yet—both can be exploited by attackers.

unpatched software vulnerability : Malware Infections

Outdated systems are more vulnerable to viruses, ransomware, and spyware.

unpatched software vulnerability: Data Breaches

May expose source code, credentials, or sensitive development data.

unpatched software vulnerability: System Instability

Can lead to crashes, bugs, or failed builds due to unaddressed software issues

unpatched software vulnerability: Compromised Software Releases

Insecure environments may allow vulnerabilities to be embedded in production code.

KK03 – Types of vulnerabilities and risks: unpatched software (5)

Vulnerability	Impact on Software Development
Unpatched or Newly Discovered Flaws	Includes both known vulnerabilities that haven't been fixed and zero-day exploits with no patch yet—both can be exploited by attackers.
Malware Infections	Outdated systems are more vulnerable to viruses, ransomware, and spyware.
Data Breaches	May expose source code, credentials, or sensitive development data.
System Instability	Can lead to crashes, bugs, or failed builds due to unaddressed software issues.
Compromised Software Releases	Insecure environments may allow vulnerabilities to be embedded in production code.

KK03 – Types of vulnerabilities and risks:
poor identity and access management

(5)

Vulnerability	Impact on Software Development
Weak or Reused Passwords	Increases risk of unauthorised access to source code, servers, or cloud services.
Lack of Multi-Factor Authentication (MFA)	Makes it easier for attackers to compromise accounts with stolen credentials.
Excessive Privileges	Developers or users may have access to systems or data they don't need—widening the attack surface.
Shared or Hardcoded Credentials	Reusing accounts or embedding credentials in code can lead to leaks or misuse.
Poor Account Management	Inactive accounts not removed can be exploited; no user auditing means attacks may go unnoticed.

KK03 – Types of vulnerabilities and risks: man-in-the-middle attacks

What Happens	Impact on Software Development
An attacker secretly intercepts and possibly alters communication between two parties (e.g., developer and server).	Sensitive data like login credentials, API keys, or source code can be stolen or modified.
Lack of encryption or use of unsecured networks makes interception easier.	Compromises the integrity and confidentiality of data transmitted during development or deployment.

KK03 – Types of vulnerabilities and risks: insider threats

What It Means	Impact on Software Development
Risks posed by people within the organisation—employees, contractors, or partners—who misuse their access either intentionally or unintentionally.	Can lead to theft, sabotage, or accidental exposure of source code, sensitive data, or credentials.
Includes disgruntled staff, careless users, or those manipulated by external attackers.	Insider actions may bypass traditional security controls, making detection difficult.

KK03 – Types of vulnerabilities and risks: cybersecurity incidents

What It Is	Impact on Software Development
Events where security is breached or threatened—such as hacking, data theft, malware infections, or denial-of-service attacks.	Can cause data loss, downtime, compromised code integrity, and damage to reputation.
May involve both external attacks and internal mistakes or accidents.	Often leads to costly recovery efforts, legal consequences, and loss of user trust.

KK03 – Types of vulnerabilities and risks: 3rd party software (5)

Risk	Impact on Software Development
Hidden Vulnerabilities or Malware	Third-party software may contain security flaws or malicious code that compromise the project.
Lack of Control or Visibility	Developers may not fully understand or be able to fix issues within external software.
Incompatibility or Integration Issues	Can cause bugs or system instability when combined with existing software.
Delayed Updates or Support	Dependence on third parties for patches and bug fixes can slow response to vulnerabilities.
Licensing and Compliance Risks	Using software without proper licenses can lead to legal problems and project delays.

KK03 – Types of vulnerabilities and risks: ineffective code review practices

Risk	Impact on Software Development
Missed Security Vulnerabilities	Poor or rushed reviews can overlook bugs, backdoors, or insecure coding patterns.
Inconsistent Standards	Lack of clear guidelines leads to variable code quality and increased errors.
Lack of Accountability	Without proper review, responsibility for security flaws is unclear.
Delayed Detection of Bugs	Issues may remain hidden until later stages, increasing cost and effort to fix.
Reduced Team Collaboration	Ineffective reviews can discourage knowledge sharing and constructive feedback.

KK03 – Types of vulnerabilities and risks:
combined development, testing and production environments

Risk	Impact on Software Development
Accidental Data Exposure	Testing or development may use real production data, risking leaks of sensitive info.
Unintended Changes in Production	Bugs or unfinished code from development/testing could be deployed accidentally.
Security Misconfigurations	Weaker security controls in dev/test environments can expose production systems.
Difficulty in Troubleshooting	Mixing environments makes isolating and fixing issues more complex and error-prone.
Compliance Violations	Using production data in test/dev can breach privacy laws and organisational policies.

KK04 - Security Controls: version control and code repositories (6)

-        version control and code repositories

-        robust identity and access management

-        encryption

-        code review

-        regular updates and patches to software

-        separated development, testing and production environments

KK04 - security areas definitions

Security Area	Feature	Summary of Security Benefit
Traceability & Accountability	Commit history, metadata, signed commits	Tracks who made each change and when, supporting audits and deterring unauthorized or malicious edits.
Access Management	Role-based permissions, IAM integration, branch protection	Limits who can view or change code; enforces least privilege and protects critical branches from unauthorized changes.
Change Control	Pull/merge requests, required reviews, policy checks	Ensures all changes are reviewed and approved, reducing the risk of introducing vulnerabilities or insecure code.
Secure Automation	CI/CD integration, security scans, secrets detection	Automates testing for vulnerabilities, insecure dependencies, and secrets before code is deployed.
Versioning & Rollback	Commit history, branching, reverts, tags	Enables fast rollback to safe versions and supports controlled releases and incident recovery.
Environment Control	Branching strategies, GitOps workflows	Separates development, staging, and production code, ensuring only tested and approved code is deployed.

KK04 - Security Controls: encryption

•The process of encoding data and information from a plain text format. This is done to protect data and information from being compromised.

•Symmetric encryption involves the use of a single key for the encryption and decryption of data.

•Asymmetric encryption involves the use of a public key for the encryption of data and information and a private key for the decryption of the data and information.

KK05 - threat modelling principles

-        defining security requirements

-        identifying and mitigating threats (STRIDE)

-        confirming threats have been mitigated

KK05 - STRIDE

• SPOOFING (pretending to be someone else to gain access)

• TAMPERING (modifying data or code without permission)

• REPUDIATION (denying actions)

• INFORMATION DISCLOSURE (leaking sensitive info to unauthorised users)

• DENIAL OF SERVICE (disrupting service availability)

• ELEVATION OF PRIVILEGE (gaining more access than permitted)

KK06 - key legislation and industry frameworks

-        Copyright Act 1968 (Cwlth)

-        Essential Eight

-        Information Security Manual (ISM)

-        Privacy Act 1988 (Cwlth) (APP 1, 6, 8, 9, 11)

-        Privacy and Data Protection Act 2014 (IPP 1, 2, 4, 5, 9)

what year?
Copyright Act

1968

protects creators rights over original works

what year?

Privacy Act

1988

protects personal information handled by Australian organisations

what year?

Privacy and data protection act

2014

VIC

Applies to Victorian public sector, governs handling of personal info

KK06 - key legislation and industry frameworks: ESSENTIAL 8

1. Application control (stop malware from running)

2. Patch applications (fix vulnerabilities)

3. Configure Microsoft Office macros (prevent malicious macros from executing)

4. User Application hardening (reduce risk for built in app features)

5. Restrict administrative privileges (limit access to critical systems)

6. Patch operating systems (fix security issues in the OS)

7. MFA (multi factor authentication) (make logins more secure)

8. Regular backups (allow for data recovery)

KK08 - ethical issues that arise when developing software (4)

-        ineffective security practices (fail to protect user data)

-        use of artificial intelligence during development (bias)

-        intellectual property (using someones ideas, code,algorithms without permission)

-        copyright issues (copying or distributing copyrighted materials without permission)

KK10 - strategies for improving the security of software development practices

-        onboarding/induction practices and developer training focused on secure development (educates)

-        development of risk management plans.
(identify and manage potential security risks)