As organizations grow and change, their information systems must change as well. Consider these examples:
Gazing more at the rowers on the Schuylkill River below than at the automobiles ahead, a Center City Philadelphia driver slams into the car in front of him, causing an accident that lengthens the ride home for many commuters—and sets in motion a series of legal and insurance steps. Such a traffic incident is only one of more than 70,000 automobile accidents reported each year in Philadelphia, and the city's police department prepares a report for each one. Accident reports are necessary for insurance companies to process claims and ultimately pay settlements to their customers. Until recently, processing an accident report was a costly, time-consuming process, taking up to six weeks for a paper copy to become available. Thanks to the efforts of a unique public/private partnership and the power of Internet technology, Philadelphia accident reports are now available to insurance companies in less than one week [Coghlan and vonMechow, 2004].
When Wacoal Corporation analyzed its information technology systems, what it found wasn't very encouraging. Its technology had been growing as the company grew—systems were added on an as-needed basis, which resulted in a patchwork quilt of 32 independent legacy systems. Many of these legacy systems were more than 10 years old. To improve the quality of business-decision information, Wacoal sought a solution that would connect its disparate systems in a seamless data flow. These system changes would allow the company to achieve operational efficiency and concentrate on its core competence. The question was how to accomplish the seemingly complex task of system and platform integration in a very short time frame with a limited project budget. The answer came from Wacoal's technology partner—Hitachi—and the freely available eXtensible Business Reporting Language for General Ledger (XBRL-GL), the Journal Taxonomy [Hasegawa et al., 2004].

Sources: T. Coghlan and T. vonMechow, "Driving Auto Accident Costs Down," Strategic Finance, January 2004; M. Hasegawa, T. Sakata, N. Sambuichi, and N. Hannon, "Breathing New Life into Old Systems with XBRL-GL: The Wacoal Story," Strategic Finance, March 2004.

Considering either the accident report case or the information technology case, respond to the following questions:
a. How would workers in the case have used the SDLC to make the changes described?
b. Compare the "before" and "after" processes in the case you chose. How would you classify each one?
c. Which macro- and micro-level factors for IT selection are indicated/implied in the case?
The processes of the software lifecycle are described, with examples.
Web Application Vulnerability & Software Development Life Cycle
UNFO traditionally has been a brick-and-mortar retailer, and the management has experienced associated business risks such as employee theft and shoplifting. However, as the organization moves into the e-commerce model, new risks will be introduced to the organization. As the information security analyst, it will be your role to summarize the business impact of these new risks, the motivating factors behind exploiting vulnerabilities, and how the risks can be mitigated.
Prepare an executive summary report for presentation to the senior management to assist the team in understanding IT security risks associated with an e-commerce model. Additionally, the senior management team will need to use the report as guidance for determining a budget allocation for hiring new IT professionals who will implement the e-business model and design the web applications using the Software Development Life Cycle (SDLC). Also discuss how this team can make this process secure and thus greatly reduce the risk of having exploitable web applications. Your report should cover the following points.
Using the given UNFO scenario, identify the weaknesses and vulnerabilities associated with creating web applications for the proposed Web platform using the SDLC process. To do so, you must:
1. Research and classify common weaknesses and attacks associated with e-commerce and social networking applications.
2. Identify the motivation for potential attacks and summarize the importance of identifying them early in the development or implementation process.
3. Identify the roles (such as system administrator, developer, security engineer, and quality assurance analyst) responsible for each classification.
4. Explain the business impacts of a successful exploit of a weakness in a Web application.
5. Identify resources to create secure coding policy and guidelines.
6. Explain how to introduce security into the SDLC.
7. Recommend revisions to the control process.
8. Identify the techniques or processes for software developers to review their source code.