Acquisition Process For New

Technology

Steps of acquiring new technology

Identify the need •This may involve conducting a needs assessment, analyzingcurrent processes or workflows, and
identifying areas for improvement.
•research potential solutions that can address the need. This may involve reviewing product
Research potential solutions specifications, consulting with experts or vendors, and evaluating the costs and benefits of different
options.
•develop a business case for the new technology. This may involve defining the expected benefits,
Develop a business case estimating the costs and return on investment, and identifying any risks or challenges associated
with the new technology.
•obtain funding to acquire and implement the new technology. This may involve securing budget
Obtain funding allocations, obtaining grants or loans, or seeking investment from stakeholders.

•begin the process of procuring the new technology. This may involve issuing a request for proposal
Procure the technology (RFP), evaluating vendor proposals, negotiating contracts, and finalizing the purchase agreement.

•implement and integrate it into its existing systems and processes. This may involve installing
Implement and integrate hardware or software, configuring settings, and training staff on how to use the new technology.

•Once the new technology has been implemented, the organization should evaluate its effectiveness
Evaluate and optimize and optimize its use. This may involve monitoring performance metrics, conducting user surveys,
and making adjustments to workflows or processes as needed.

4
 Researching potential solution
Identify the needs from technical perspective and from stakeholders' perspective
Assess the benefits required from the technology, and the introduction methods to align with
existing design and controls
Develop potential test cases for what is expected from this solution
Conduct online research, you may use vendor websites, and other online resources specialized
in vendor assessment such as Gartner reports and Gartner Peer review, Forrester Research and
IDC
Identify the products or potential vendors and go through assessment for scalability and future
needs as well
Perform testing or pilot or proof of concept “POC”, and assess solution performance based on
test cases.

Gartner, Forrester, IDC

333

5
 Test cases AND POC REPORT
Test case Test Criteria Test Result
Malware detection
False positives
Performance impact
Update frequency
Compatibility
User interface
Suppo rt

334

stakeholders
Customers
Strategy committee
Steering committee
Project Sponsor
Application development
System development
User management or end-users
Information Security
Quality assurance
Regulator, or other third parties

335

6
 Feasibility Analysis and Business
Case

Feasibility analysis
An assessment of whether a proposed project or initiative is technically, economically, and
operationally feasible.
Takes various factors into account, including economic, technical, and legal factors, to ascertain
the likelihood of completing the project successfully.
Consider how the project will impact the organization in terms of risk, costs, and benefits.
Provides important information that can be used to develop a business case.

Identify requirements Provide a Evaluate cost- Conduct a formal

Define the project
Conduct analysis based on stockholder recommended effectiveness of the review with
scope
needs approach approach stakeholders

337

7
 Business Case
A document that outlines the rationale for a proposed project or investment,
and provides a detailed analysis of the costs, benefits, risks, and potential
returns on investment.
A business case is a justification for a proposed project, developed after the
feasibility analysis has been conducted
A business case provides the information required for an organization to decide
whether a project should proceed.
Followed by either RFP or Request for Budget to assess the budget cost.

CYVITRIX -ALL RIGHTS RESERVED ©

338

Request for budget and

proposal

CYVITRIX -ALL RIGHTS RESERVED ©

339

8
 Request for budget
A request for budget is a document that outlines the organization's financial
needs and requests funding from the relevant authorities or stakeholders.
The purpose of a request for budget is to secure the necessary funding to
support the organization's operations, projects, or initiatives.
It should be clear, concise, and well-supported by data and evidence, and should
make a compelling case for why the funding is necessary and how it will support
the organization's goals and objectives.

340

Request for proposal -RFP

A Request for Proposal (RFP) is a formal document that is used by organizations to solicit
proposals from vendors or service providers for a specific project or initiative.
The RFP typically includes a detailed description of the project requirements, as well as
instructions for vendors to submit their proposals.

Introduction and Evaluation Technical Terms and Contact

Scope of Work Deliverables Schedule
Background Criteria requirements Condition Information

341

9
 Project Management

342

Project
A project is a temporary process that is designed to achieve a specific goal or objective.
Projects are typically unique and have a defined scope, budget, and timeline.
Examples of projects include building a new office building, developing a new software
application, implementing a new business process, or launching a marketing campaign.
Project include the following steps:-

Initiating Planning Executing Controlling Closing

343

10
 Project VS PROGRAM

Project
•Has specific objectives, deliverables, and start and end dates
•Shorter time

Programs
•Group of projects have a common objective
•Longer duration

Project Management Structures

•The project •The project •Management

Matrix project organization
Pure project organization

manager has manager has authority is

Influence project

only a staff formal authority shared between

organization

function without over those the project

formal taking part in manager and
management the project. the department
authority. heads.

345

11
 Project manager and project
management office
A project manager is responsible for planning, organizing, executing, and closing a project. The project
manager is responsible for ensuring that the project is completed on time, within budget, and to the
required quality standards. The project manager also manages the project team, communicates with
stakeholders, and identifies and manages risks and issues.
A Project Management Office (PMO) is an organizational unit that is responsible for defining and
maintaining project management standards, policies, and procedures. The PMO provides support to
project managers to ensure that projects are completed successfully and consistently.
In summary, the project manager is responsible for managing the project, while the PMO is responsible
for providing guidance, support, and governance to ensure that projects are completed successfully and
efficiently.

346

Project planning and objective

identification

347

12
 Project Planning
several key factors that need to be considered to ensure that the project is completed successfully:-
Project Objectives
Project Scope
Project Deliverables
Project Schedule
Project Resources
Project Risks
Project Budget
Communication Plan and escalation matrix

Project Planning help in eliminating Project creep faster

348

Project Objectives
The specific action statements that support the project goals.
Should be well defined and communicated
Should be tracked for the progress by identified KPIs (Key Performance Indicators)
Tracked and monitored by project steering committee
Can be divided to smaller sub-objectives for easier management and execution (Object Breakdown &
Work Breakdown)
OBS (Object Breakdown Structure) and WBS (Work Breakdown Structure) are two important project
management tools that are used to help plan, organize and manage projects.

349

13
 Object breakdown
Object Breakdown Structure (OBS) is a hierarchical structure that breaks down a
system or product into smaller components or objects.
The OBS is typically used in engineering and manufacturing industries to help
organize and manage complex systems or products.
The OBS typically starts with the highest level of the system or product and breaks
it down into smaller components or subsystems. Each component is then further
broken down into smaller objects until the entire system or product is fully
defined.

350

Work Breakdown structure

A hierarchical decomposition of the project work into smaller and
more manageable components, called work packages.
Used to organize, plan, and manage complex projects.
The WBS starts with the project's major deliverables, which are then
broken down into smaller, more manageable components.

351

14
 Project Scheduling Tools

352

Critical Path Methodology / cpm

A CPM scheduling tool is asoftware applicationthat is specifically designed to help project managers
create, manage and update their project schedules using the CPM technique.
Used to create a schedule that identifies the critical path of a project and helps to determine the
shortest possible time to complete the project.
The tool allows project managers to define the project scope, activities, durations, dependencies, and
resources required to complete the project.
The critical path is the longest sequence of activities that must be completed to finish the project on
time.
Activities on the critical path should have zero slack time, by maintain that the critical path will have
shorter duration (Slack time is the buffer or extra time).
CPM always consider a single scenario for time required unlike other techniques, consider critical path a
priority to reduce the slack time

353

15
 Cpm example

354

Program Evaluation ReviewTechnique /

pert
It is a statistical tool that enables project managers to estimate the duration of a project, identify
the critical path, and manage project risks.
By using PERT, project managers can develop moreaccurate project schedules, improveproject
performance, and increase the chances of project success.
Followed by CPM for each task, PERT More holistic than CPM as it is more focused on the time
required to complete the project, while CPM focus on the critical path
PERT is probabilistic while CPM is deterministic, also PERT use three estimates for activity
duration, while CPM use only 1

355

16
 Pert example

356

Gantt chart
Gantt chart is a horizontal bar chart that represents project tasks and activities along a timeline.
Show the chronological order of activities, and show when activity should start and end to
monitor the overall project progress
Gantt charts are useful for visualizing the project schedule and identifying task dependencies.
Gantt chart typically uses a single estimate for task duration
Gantt chart does not explicitly show the critical path
Gantt chart focuses more on schedule management, risk is not in focus
Suitable for simpler and more predictable projects.

357

17
 GANTT CHART EXAMPLE

358

Project Scheduling tools(Timebox Management)

Involves breaking down a project into time-bound iterations or timeboxes. Each
timebox typically lasts between one to four weeks and includes a set of tasks or
activities that must be completed within the timebox.
A time management method
Lead to more focus work and better quality in delivery, and prevent cost overruns
The term is very common in Agile development methodology and method (such
as Prototyping and Rapid Application development) in software development
field.

359

18
 Project Scheduling tools (EVA)
Technique used to measure the progress of a project against its planned schedule and budget.
Help to monitor project progress, identify problems early on, and take corrective action to keep the project on
track.
Forecast the completion date and the final cost, and to analyze any variance in the budget (Cost variance) or
Schedule (Schedule variance) or earned value (Earned value performance index)
SV, CV, EVPI are known as EV metrics
Help in determining if the project is on track or behind schedule or over budget
EVA used to predict and do forecasting for the project progress

360

Project Cost and Size Estimation

Techniques

361

19
 Project Cost Estimation Methods

Analogous estimate Parametric estimate Bottom-up estimate

•The cost of a new project is estimated based •Past data is used to make the cost estimation •List all activities then estimate each, after
as well as other statistical method that might
on prior projects. then sum all of them
consider additional parameters.
•Fastest method •Most accurate method, most complex and
•Inflation, increased cost of labor might not •More accuracy most time consuming
be considered •Consume more time and require experience.

362

Project size/time estimation(for

software development)

Source lines of Code Constructive Cost Model Function Point Analysis

SLOC COCOMO FPA
•Size estimation based on total lines of •Advanced way of SLOC
•Put complexity, Input, processing,
code written in the source-code of •Put complexity into the consideration output into the consideration
software •May result in Better results •Use indirect estimation methods to
•We may rely on OOP, so the modules are estimate the size of software and time
already there required to create it.
•Not fit complex projects •More reliable than SLOC & COCOMO
•Not accurate way

363

20
 Project Closure Activities

364

Project Closure
Performance Evaluation: The performance of the project is evaluated against the project objectives and success
criteria to determine whether the project was successful.
Deliverable Acceptance: The project deliverables are reviewed and accepted by the stakeholders to ensure that
they meet the required quality standards and are complete.
Resource Release: The project resources are released from the project and reassigned to other projects or
operational activities.
Financial Closure: The project finances are reviewed and closed, including the final budget and any outstanding
expenses or payments.

365

21
 Project Closure
Lessons Learned: A lessons learned process is conducted to identify areas of improvement and
best practices to be applied to future projects.
Project Closure Report: A project closure report is prepared to document the results of the
project and to provide a record of the project for future reference.
Communication: The project closure is communicated to all stakeholders, including the project
team, sponsors, and other relevant stakeholders.

366

Auditor roles in project management

review

367

22
 Auditor’s & Feasibility and business case
◦Review the assumptions made in the business case and feasibility analysis to determine if they
are reasonable and based on accurate data.
◦Audit the feasibility analysis to determine if it was conducted comprehensively and if it
included all relevant factors, such as technical, economic, and operational feasibility.
◦Review the cost estimates in the business case and feasibility analysis to ensure that they are
accurate, complete, and reasonable.
◦If the required need can be achieved with existing solution
◦Audit the alternatives analysis to ensure that it was conducted comprehensively and
objectively.
◦Review the project plan to ensure that it is comprehensive, realistic, and achievable.

368

Auditor’s & project management

◦Evaluating the effectiveness of project management processes and controls.
◦Reviewing project documentation: The auditor may reviewproject documentation, such as project
charters, project plans,status reports, and contracts, to ensure that they are complete, accurate, and
consistent.
◦Review the exception process (if any) to identify it follow the governance requirements
◦Assessing the project performance against goals and intended benefits
◦Review the project acceptance process and reports related to testing

369

23
 Software development overview

370

What is programming?
Programming is the process of creating computer software, applications, and systems using a
programming language.
A programming language is a set of instructions and rules that are used to communicate with a
computer and tell it what to do.
Programmers use programming languages to write code, which is a series of instructions that
the computer can understand and execute.
Programming involves several steps, including planning, designing, coding, testing, and
maintaining the software.
Program include codes and modules

371

24
 How is program written?
Coding refer to writing computer code in way to achieve program requirements
Program code is known as source code, could be close source, or open source
Module is a self-contained unit of code that perform specific function or set of functions, modules are
designed to be reusable and interchangeable
Each program is written by a specific programming language
Programming language influence the environomentwhere the program can run such as Windows,
Linux, Android, IOS
Some cross-platform languages exist (Java, Python, C#-C Sharp, Kotlin)

372

Coding tools
The tool used to write code is called an Integrated Development Environment (IDE). An IDE is a
software application that provides programmers with a comprehensive environment for writing
and testing software. –Microsoft visual studio and PyCharm, Eclipse, Atom
IDE is also known as (COMPUTER-AIDED SOFTWARE ENGINEERING)
IDE or CASE can be used in code auditing and debugging as well
Code generators can generate source code based on parameters defined by developer or system
analyst.

373

25
 Types of programming language

374

EXAMPLE FOR PROGRAMMING CODE

375

26
 Object oriented programming
In OOP, a system is modeledas a collection of interacting objects, each with its own set of properties and behaviors.

376

OOSD & CBD

Object-oriented system development is an approach to software development that emphasizes
the use of object-oriented programming (OOP) techniques for designing and building complex
software systems.
In OOP, a system is modelled as a collection of interacting objects, each with its own set of
properties and behaviours.
Component-Based Development (CBD) is a software development approach that emphasizes the
use of reusable software components to build complex software systems.
In CBD, a software system is created by assembling pre-existing, independently developed
components into a larger system.

377

27
 OOSD & CBD Examples

378

Software development methodologies

379

28
 Software development life cycle
(SDLC) is a process used by software development teams to plan, design, build, test, and deploy
software applications.
SDLC is a continuous process, and each phase may overlap with others. The exact process may
vary depending on the specific development methodology used
Typical phases are Planning, Analysis, Design, Implementation, Testing, Deployment,
Maintenance
Many development methodologies are there
General phases remain the same

380

WATERFALL MODEL
Traditional model for software development
Suitable if requirements are defined properly
Suitable when no change is expected
No fallback (No new requirements)

381

29
 AGILE METHODOLOGY
Agile methodology is an iterative and incremental approach to software development that emphasizes
flexibility, collaboration, and customer satisfaction.
developed as a response to the rigid and inflexible approach of traditional software development
methodologies, such as the Waterfall model.
The Agile process is typically divided into short iterations, or sprints, which can last from one to four
weeks. During each sprint, the development team works on a set of prioritized tasks, called user stories,
which are identified and prioritized by the product owner or customer.
In each iteration, the full SDLC is considered
Emphasizes collaboration, transparency, and continuous improvement.

382

AGILE / SCRUM
Scrum is based on the idea of short iterations, called sprints,
which typically last two to four weeks.
the development team meets with the product owner to identify
and prioritize user stories, or tasks, for the sprint.
The team then creates a sprint backlog, which is a list of tasks
that they will work on during the sprint.
During the sprint, the team meets daily for a short stand-up
meeting, or scrum, to discuss progress, identify any obstacles,
and plan the work for the next day.
At the end of the sprint, the team reviews the work that was
completed and demonstrates a potentially shippable product
increment to the product owner and stakeholders.

383

30
 SCRUM Roles
The product owner, who is responsible for defining and
prioritizing the product backlog and represent end user and
communicate their requirements
The development team, who responsible for delivering the
product increment, consist of 5-9 members
The scrum master, who is responsible for promoting and
facilitating the scrum process and act as the project manager

384

Rapid application development and

prototyping
Prototyping is another way of doing Agile, the project is broken into smaller versions and
developed incrementally.
Using Prototype, users can provide feedback, which help in product adaption to user
requirements
Prototyping help in getting early version from the product
RAD use smaller teams, and rely on prototyping concept, it suitable for more rigid time,
the greatest advantage of RAD is the shorten in development time by adopting (RAP) –
Rapid Application Prototyping

385

31
 Spiral model
Combination between waterfall and prototyping
Project is divided to phases
In each phase, risk assessment and alternative evaluation is
performed
The result of risk assessment and requirements review will devideif
project will continue or not
Help to avoid losses very early

386

Use Case & Abuse Case

387
 Use case
Testing technique that involves creating and executing tests based on how a user would interact
with the software in real-world scenarios.
used to validate the functionality, usability, and reliability of the software application, and to
ensure that it meets the requirements and expectations of end-users.
Use case testing typically involves creating test scenarios based on user stories, personas, or
other representations of typical users, and executing these scenarios to validate the behaviour
of the software application.
Helpful in identifying user requirements and acceptance criteria

388

Misuse / abuse test case

Testing technique that involves testing the software application for potential security
vulnerabilities and misuse scenarios.
Used to identify and prevent attacks that may be carried out by malicious actors or attackers.
Misuse case testing typically involves creating test scenarios based on known attack vectors and
vulnerabilities and executing these scenarios to validate the security and resilience of the
software application.

389

33
 Types of Software

390

Software/System Product
Software products are either
◦Generic / Commercial off the Shelf
◦Customized / Developed
◦In House development
◦Developed by another company

◦Application is written using programming language

◦Open Source
◦Closed Source / Proprietary

391

34
 License Types
Proprietary
Open Source
Freeware
Shareware
Software Support license
Hardware support license

392

Proprietary license
Perpetual license
Subscription based
Enterprise license
OEM license
Site license
Named user license
Licenses also can be based on user count, cpuscount, or based on performance
required “per transaction or per size of data processed”
For support licenses, it vary depend on the SLA and level of support

393

35
 Software Re-engineering and Reverse
engineering

394

SOFTWARE RE-ENGINEERING
Software re-engineering is the process of transforming an existing software system into a new
form, using modern programming languages, tools, and techniques.
This may involve re-architecting the system to improve its scalability, maintainability, and
performance, as well as updating the system to support new features and technologies.
Software re-engineering is typically done to extend the life of a legacy system or to migrate it to
a new platform.

395

36
 SOFTWARE REVERSE ENGINEERING
is the process of analysing an existing software system to extract information about its design,
behaviour, or implementation.
This may involve analysing the source code, binaries, or other artifacts of the system, and using
reverse engineering tools and techniques to understand how the system works.
Software reverse engineering is typically done to gain insight into a system, to recover lost or
missing source code, or to create interoperable components for the system.

396

Application controls

397

37
 How to identify the required controls
Risk Management
Threat Modeling
Abuse case scenario
Try to strive the balance between Usability and Security

398

Application controls

•Only full, •Correct task is •Output results is

accurate and performed as per the
correct type of •Data is delivered expectation
data is entered properly
to system
Process or
Input Stage Transmit Stage Output Stage

399

38
 INPUT CONTROL: AUTHORIZATION
ANY INPUT SHOULD BE AUTHORIZED AND ALLOWED BASED ON MANAGEMENT APPROVAL
EXAMPLES FOR TRANSACTION APPROVAL:-
◦File type or Source document
◦Internal Approval Cycle
◦Source device or user used for data input via Access Control

400

Input control : input batch check

Input batch controls are a set of procedures and techniques used to ensure the accuracy, completeness,
and validity of data entered a computer system.
One type of input batch control is the input batch check, which is a set of procedures designed to
validate the data in a batch of input records before they are processed by the system.
Input batch check can validate
◦Record Count via hash total or total items : verify that the number of records in the batch matches the
expected count.
◦Content check:checking the content of each field in each record to ensure that it is valid and within the
expected range.
◦Limit check :Control data input up to predefined count

401

39
 Input control : CHECK DIGIT
A check digit is a single digit added to a numerical code to detect errors introduced during data
entry or transmission.
It is calculated using a mathematical algorithm that takes into account the other digits in the
code.
The check digit is used to verify the accuracy of the code during data entry or transmission, and
if the two check digits match, the code is assumed to be accurate.
The use of a check digit can help to reduce errors and improve accuracy in data entry and
transmission, save time and money, and improve the reliability of business processes.

402

Processing controls:
parity bit
A parity bit is an extra bit added to a binary code to detect errors during data transmission or
storage.
It is used to ensure that the number of bits with a value of one in a transmission or storage block
is either even or odd.
The parity bit is calculated based on the values of the other bits in the block, and is set to either
a one or a zero
When the block is received or retrieved, the parity bit is recalculated and compared to the
original value. If the values do not match, an error has occurred, and corrective action can be
taken.
The use of a parity bit can help to improve the reliability of data transmission and storage by
detecting and correcting errors.

403

40
 Processing/TRANSMISSION controls
•More advanced than parity bit
Checksum •Can recognize more complex errors
•Detect the error only

Cyclic Redundancy •More advanced than the Checksum

•Known as CRC
•Detect the error only
check
Forward Error •Detect and correct the error
Control

404

Output controls
Output controls are a set of procedures and techniques used to ensure the accuracy,
completeness, and security of data output from an application.
Examples of output controls
◦Reconciliation : comparing output to input (Automated system balancing)
◦Validity checking : Ensure output data is within acceptable range
◦Accuracy check : Ensure output data is accurate and is not corrupted
◦Filtering : Remove sensitive or unnecessary data from output
◦Access Control : Ensure output is visible only to authorized people

405

41
 OTHER TYPES OF CONTROLS
Auditing and logging controls
Anti-Debuggers
Sandboxing
Authorization and access controls

406

Software integrity controls | code signing

Code signing is the process of digitally signing software code to verify its authenticity and
integrity. Its purpose is to ensure that the code has not been tampered with or modified by
unauthorized parties, and to provide assurance to users that the software is trustworthy.
An example of code signing is when a software developer signs their application with a digital
certificate before distributing it to users.
The digital signature is verified by the operating system or security software, which checks the
certificate against a trusted list of certificate authorities. If the digital signature is valid, users can
be assured that the software has not been tampered with and can be installed and used safely.

407

42
 Software Testing

408

Software Testing
The process of evaluating a software application or system to detect defects or errors, and to ensure that it meets
the specified requirements and quality standards.
Quality standards are identified by QA team according to best practices.
Testing is a critical part of the software development lifecycle and is typically performed at multiple stages of the
development process.
Software testing aim to ensure the software quality from multiple point of view
◦Functional aspects (Also known as reliability testing)
◦ Unit
◦ Regression
◦Performance
◦ Integration
◦ UAT
◦Non-Functional aspects (concerned about recoverability aspect)
◦ Load
◦ Stress testing
◦ Security

409

43
 Testing Approaches
Top-down testing involves testing higher-level modules first and progressively integrating lower-level
mo du les
Top-down testing is often more appropriate when there is a clear and well-defined overall architecture or
design for the software system, and where the higher-level modules or components have a greater impact
on the overall functionality of the system.
By testing the higher-level user interface first, any design or functional issues can be identified early in the
testing process, which can help to reduce the overall development time and cost. –Example Web
Application FE&BE
bottom-up testing involves testing lower-level modules first and progressively integrating higher-level
mo du le s.
Bottom-up testing is often more preferred when the software system is large and complex, and when the
individual components are relatively independent and can be tested in isolation. –Example complex
financial system

410

Unit, Regression, Integration,

Unit testing
◦testing individual units or components of the software application in isolation to ensure that they function
correctly.
◦Done by the developer in very early stage to test program logic using test cases

Integration or Interface testing

◦testing how individual units or components of the software application work together to ensure that they
function correctly as a whole.
◦Done by developer and tester (QC)

Regression or Verification testing

◦Retesting the software application after changes have been made to ensure that existing functionality has not
been affected.
◦building confidence that changes have not broken existing components.
◦Done by developer and tester (QC)

411

44
 Compatibility, Sociability
Compatibility testing
◦Testing the software application's compatibility with different hardware, operating systems, and
browsers. This helps ensure that the software application can function properly in different
environments.
◦Done by developer and tester (QC)

Sociability testing
◦evaluate how well a software system or application interacts with external systems or components.
◦The goal of sociability testing is to ensure that the system or application is able to communicate and
exchange data with other systems or components in a reliable and efficient manner.

412

Usability and System Testing

Usability testing
◦testing the software application's user interface and user experience to ensure that it is user-friendly
and easy to use. This includes testing for accessibility, ease of navigation, and overall user satisfaction.
◦Done by tester

System testing / Quality Assurance testing / Alpha testing

◦Testing the entire software application to ensure that it meets the specified requirements and quality
standards.
◦System testing is a general term, in reality it include security, load, stress, recovery tests.
◦Done by testers (QC & Security) with minimal user impact

413

45
 Performance, Load, Stress
Volume testing
◦Evaluates the ability of a software application or system to handle large volumes of data or transactions. The
goal of volume testing is to ensure that the system is able to handle the expected volume and variety of data
without any errors or performance issues.

Performance testing
◦Testing the software application's performance under various conditions, such as heavy user loads or high
volumes of data. This helps ensure that the software application can handle these conditions without
performance degradation.

Load Testing
◦Evaluate how well the software application or system performs under expected or peak load conditions, such as
high user traffic or data volume.

Stress Testing
◦Evaluate how well the software application or system performs under unexpected or extreme load conditions,
such as sudden spikes in user traffic or data volume, ensure exception handling in place

414

Acceptance testing
◦Testing the software application with end-users to ensure that it meets their needs and
expectations.
◦Last step of testing before getting user management sign off, without this test, management
acceptance will not be guaranteed
◦The goal of the test is to ensure application meet the requirements as defined during the
requirement gathering
◦Test cases and acceptance criteria should be documented and agreed upon since the
required gathering stage.
◦Also known as Smoke testing or end-user testing
◦Done by end user or customer
◦Beta testing is a form of acceptance testing

415

46
 Commercial of the shelf software (Cots)
testing
COTS are developed by vendor or software house by following the development life cycle and all
mentioned tests
The software vendor perform testing on the Alpha release and might release beta version after
completing the alpha testing for the public preview
Example for Beta release, is one Microsoft release free-public preview or for a subset of users
for Windows 11 to allow users to test and provide feedback
Feedback can be helpful in fixing issues identified in beta release in the final release or
production release “public availability”
When company need to purchase COTS, they might request a PoC first (AKA Pilot)

416

Certification vs Accreditation

417

47
 Certification vs Accreditation
Certification refers to a process in which an independent third-party organization, such as a
certification body, evaluates a product or service to determine if it meets certain standards or
requirements. Certification can be voluntary or mandatory, and it can cover a wide range of
areas, such as quality management, information security, and software development.
In software development, certification can be used to ensure that products meet certain
standards, such as the ISO 9001 quality management standard, the ISO 27001 information
security standard, or the IEEE software engineering standards.

418

Certification vs Accreditation
Accreditation, on the other hand, refers to a process in which an organization evaluates a
product or service to determine if it meets certain standards or requirements.
Accreditation is typically mandatory and is often required by law or regulation or based on
internal governance requirements
In the field of software, accreditation can be used to ensure that products or services meet
certain regulatory requirements, such as those related to privacy, security, or data protection.
Accreditation is the management authorization to operate the system or application and accept
all risks related to that

419

48
 Security Testing

420

Security Testing
◦Testing the software application's security measures to ensure that it is secure and protected
against unauthorized access or attacks. This includes testing for vulnerabilities in the software
application's code and testing for compliance with regulatory requirements.
◦Vulnerability scanning –testing internal modules and libraries to identify if there any
vulnerable or outdated components
◦VA testing better to be authenticated scan not unauthenticated

421

49
 Code review -SAST
◦Secure Code Review
◦Known as Whitebox or crystal as everything is clear, source code is required
◦Use automated and manual tools as well
◦Automatized tools are known as (Static application security testing SAST) and
◦DAST use various techniques to emulate
◦Microfocus solution, SonarQube, IBM App scna
Fagan code inspection or Fagan peer reviews is a type of formal testing for code developed in 1970s ,
help in identify coding errors, design flaws and performance issues, adopted wherever safety and
reliability of software is a great concern.
◦Planning, overview, preparation, inspection, rework, follow-up

422

Dynamic application security testing -

DAST
DAST (Dynamic application security testing) and SCA (Software composition analysis)
involves running a software application with a set of pre-defined inputs and analysing the output for
potential security vulnerabilities.
DAST typically involves a tool or set of tools that automate the process of testing the application for
common security vulnerabilities, such as SQL injection, cross-site scripting (XSS), and buffer overflow
vulnerabilities.
DAST is focused on testing the application from the outside, as if it were a potential attacker.
DAST use various techniques to achieve the objective such as
◦Synthetic transactions which simulates user interactions to test the performance and availability of a software
application
◦Interactive application security testing provide real-time feedback on security vulnerabilities during application
runtime.

423

50
 Software composition analysis (SCA)
(SCA) tool is a type of security tool that is used to analyzethe open source components and
third-party libraries used in a software application.
SCA tools can detect and report on known vulnerabilities and license issues that may be present
in the software components used in an application.
SCA tools typically operate by scanning the software application's dependencies and comparing
them to a database of known vulnerabilities and license issues.
They can provide a detailed report of the vulnerabilities and issues found, along with
recommendations for remediation and mitigation.

424

RUNTIME APPLICATION SELF

PROTECTION (RASP)
RASP (Runtime Application self-protection) is not a testing tool; however, it is a security
technology that operate within the application runtime, and it can detect and prevent the
attacks in real time.
RASP can identify and block attacks at the application layer, even if the application has
vulnerabilities that have not yet been identified or patched.
RASP come as a solution that you can integrate your application with, for example

◦ AppTrana
◦Contrast Security
◦ Sqreen
◦ Waratek

425

51
 Penetration testing
◦Penetration testing –Black box (No knowledge) and grey box (Partial knowledge)
◦PT consist of stages (Planning, Gathering information, Attack, Reporting)
◦PT should be performed based on clear rules of engagement
◦Penetration tester perform it, using many tools related to ethical hacking
◦Try to predict the vulnerability based on providing input and fuzzing
◦Fuzz testing, also known as fuzzing, is a type of software testing that involves inputting
random and unexpected data into a software application or system, with the aim of
identifying vulnerabilities or defects that could lead to unexpected or incorrect behaviour,
fuzzing can mutate, generate and flap which make it more intelligent

426

Release management

427

52
 RELEASE MANAGEMENT
Release management is the process of planning, scheduling, coordinating, and controlling the
release of software and other applications into production environments.

It involves the management of all activities related to the release of software, including
planning, testing, deployment, and monitoring.
The goal of release management is to ensure that software releases are delivered on time, with
the required functionality, and with minimal disruption to users.

428

Release management systematic process

Change
Release planning: management: Build and test: Deployment: Monitoring:
This involves This involves This involves This involves This involves
defining the scope managing changes building and testing deploying the monitoring the
of the release, to the software and the software to software into software in
setting release ensuring that ensure that it meets production production
dates, and changes are quality standards environments and environments to
identifying any properly tested and and is ready for ensuring that it
dependencies or documented. release. operates as ensure that it is
risks. expected. functioning
properly and to
identify any issues
that may arise.

429

53
 Software release types
Major release: Minor release: Patch release: Hotfix release: Beta release: Release candidate:

•major release is a •minor release is a •patch release is a •hotfix release is a •beta release is a •release candidate is
significant update smaller update that small update that is small update that is pre-release version a near-final version
that includes major includes minor new used to fix specific used to address of the software of the software
new features or features or bugs or security critical issues or that is made that is made
functionality. It may functionality, bug vulnerabilities in vulnerabilities that available to a available to a larger
also involve fixes, and other the software. Patch need to be fixed limited group of group of users for
changes to the user improvements. releases are immediately. Hotfix users for testing testing and
interface or other Minor releases are typically numbered releases are and feedback. Beta feedback. Release
significant changes typically numbered using a third typically released releases are used to candidates are used
to the software. using a decimal decimal point, such outside of the identify and to identify any
Major releases are point, such as from as from version regular release address issues remaining issues
typically numbered version 1.2 to 1.2.1 to version cycle and may not before a full before the final
using a new version version 1.3. 1.2.2. include full release. release.
number, such as regression testing.
from version 1.0 to
version 2.0.

430

Software Implementation and

Maintenance

431

54
 Implementation or changeover
Implementation should start after QAT and UAT and management accreditation
Implementation plan should be available and prepared and communication
Implementation should be carried by another team (better), but software operation and support shall
be with different department other than original development team.
Implementation plan should consider

◦Data migration to make sure migrated data integrity will be preserved and verified
◦Appropriate security controls over data during migration
◦Data conversion process is doable with no impact on original data
◦Rollback plan is in place
◦All required documentations in place
◦Change is following internal change management process

432

Changeover types
Parallel Changeover
◦Old and new system are live
◦Once new system is fully ready and tested, old system will be decommissioned
◦Require 2x resources as two systems are there
◦More safe

Phased Changeover
◦New system introduction is based on planned phases
◦Implementation is broken down into multiple phases
◦One phase complete, the function in old system replicate it will be discontinued

Abrupt or Direct Changeover / cutover

◦Remove old system completely and introduce the new one during a downtime window agreed upon

433

55
 Post Implementation Review
Typically conducted after the project has been in use long enough to realize its business
benefits and costs and to measure the project’s overall success and impact on the business
units.
Help in identifying the
◦Total cost of ownership (TCO)
◦Return on Investment (ROI)
◦Whether the system is still providing the required value

434

System/Software Maintenance
System development and maintenance is continuing process
Maintenance aim to fix code defects, introduce new features, and patch security issues
Across the life of product, there are many versions until software reach the End-of-life stage
Product life consist of following stages usually
◦Public availability
◦End of Sale
◦End of Support
◦End of Life

◦Patch management, configuration management, release management and change

management are essential practices for software maintenance

435

56
 Change Management

436

CHANGE MANAGEMENT OVERVIEW

Change management is the process of managing changes to an organization's systems,
processes, and procedures in a controlled and systematic manner.
It involves identifying, documenting, and evaluating proposed changes, and implementing
changes in a way that minimizes disruption to the organization and ensures that the changes are
effective.
It is a preventive control
Involvement of business is very important as change advisory board members
Impact analysis, risk analysis should be prepared
Backout or rollback plan should be ready

437

57
 Change management systematic process
Change request

Impact analysis and evaluation

Change assessment and approval

Change scheduling

Change implementation

Change monitoring

Change closure

438

Change types
Standard changes Normal changes Emergency changes Major changes

•Standard changes are low- •Normal changes are •Emergency changes are •Major changes are
risk, pre-approved changes that are not changes that are required changes that have a
changes that follow a considered standard or immediately to address a significant impact on the
predetermined process emergency changes and critical situation, such as a organization, such as
and do not require require a formal security breach or system changes to core business
extensive evaluation or evaluation and approval outage. Emergency processes or the
approval. Examples of process. Normal changes changes are typically implementation of new
standard changes might may involve changes to expedited and may systems or technologies.
include routine systems, processes, or involve bypassing some of Major changes require
maintenance tasks or procedures and may the normal change extensive evaluation and
minor configuration require significant management processes. approval processes and
changes. evaluation and testing may involve significant
before being risks and costs.
implemented.

439

58
 Configuration Management

440

Configuration management
A key process for managing the changes made to software or application configuration or network devices
configuration over time and ensuring that these changes are properly tracked, documented, and tested
before being released to production environments.
Configuration management involves the management of all aspects of the software development
lifecycle, including planning, development, testing, deployment, and maintenance. It includes the
management of source code, build scripts, documentation, test plans, and other artifacts related to the
software.
Identifying the specific version of the software and its dependencies that are required to run in
different environments, such as development, testing, and production.
Help to identify the baseline of required configurations that need to be implemented
Help to ensure that the correct version of the software is deployed in each environment, and that any
changes made to the software are properly tested and approved before being released to production.

441

59
 Systematic configuration management
process

Develop the configuration management plan.

Baseline applicable components.

Analyze and report on the results.

Develop configuration status reports.

Develop release
procedures.

442

Version control system and

securing source code

443
 Version control system
A Version Control System (VCS), also known as source control or revision control, is a software
tool that helps software developers manage changes to source code and other files.
It is a system that tracks the history of changes to a file or set of files over time, enabling
developers to collaborate on a project, track changes, and maintain different versions of the
same file or set of files.
A VCS provides a centralized repository for source code and other files, allowing multiple users
to access and modify the same files simultaneously.
It records changes made to the files, including who made the changes, when the changes were
made, and what changes were made.
Some popular VCSs include Git, Subversion (SVN), and Mercurial.

444

Source code security

Source code is managed using a version control system (VCS).
VCS provides the ability to synchronize source changes with changes from other developers.
Help in conflict resolution, allow branching from the code.
To maintain source code security, following need to be identified
◦Who access the code
◦Who can change the code, and deploy it to production (SoD / Two-man controls)
◦Ensure Audit trails are in place
◦Ensure backup is performed for the source code, and location of backup is identified and controlled
◦Ensure code escrow agreement in place

445

61
 Patch Management &
Vulnerability Management

446

PATCH MANAGEMENT
Patch management and vulnerability management is the same
Vulnerability is weakness in system that can be exploited during attack leading to system
disruption
Patch management is the process of identifying, testing, deploying, and verifying software
patches to address security vulnerabilities, performance issues, and other bugs in software
applications and systems.
An effective patch management process is critical for maintaining the security and reliability of
software systems.
Patch management process include testing, testing is very important before deploying patch at
scale
Example for Patch management software is Tenable & Qualys

447

62
 Vulnerability scanners
Vulnerability scanners are tools that are used to identify security vulnerabilities in software, operating
systems, and other IT infrastructure components. These tools are designed to scan systems and
applications for known vulnerabilities, misconfigurations, and other security issues.
Vulnerability scanners typically work by performing automated scans of the target system or
application, looking for common known vulnerabilities and misconfigurations. This can include checks
for unpatched software, weak passwords, open ports, missing security updates, and other
vulnerabilities that could be exploited by attackers.
Vulnerability scanners can be used by security teams to proactively identify and remediate
vulnerabilities before they can be exploited by attackers.
it's important to note that vulnerability scanners are not foolproof and can produce false positives or
miss certain vulnerabilities, so it's important to use them in conjunction with other security measures
such as penetration testing and manual security assessments.

448

Vulnerability scanners
Vulnerability scanning can be launched against wide variety of systems, network devices and
end points.
The vulnerability assessment tool should be always up to date
The best vulnerability scanning way is the authenticated scan, which in it, you provide
administrative credentials for targeted device to perform login before scan, this provide better
results
Vulnerability scanning tools can also assess the system configurations against hardening baseline
such as CIS benchmark for example, which in that case help security administrators getting the
assurance that systems are hardened properly.
Example Tenable/Nessus and Qualys

449

63
450

451

64
 Auditor roles in Software
Project Auditing

452

Auditor Roles in Software Projects &

Projects in General
Review business case and feasibility study process
Review threat modelling process, and identification of security threats as a basis for controls selection
and review this controls
Verify the controls related to data integrity and conversion and protection especially in data migration
Ensure documentations in place the confirm the results of quality assurance results
Review the system flowcharts for adherence to the general design.
Review the user acceptance test reports and confirm management authorization to use the software
or application
Ensure change management process followed properly for all changes
Ensure adequacy of security over accessing the source code and development environment

453

65
 VIRTUALIZATION

454

Virtualization and SDDC

Virtualization is the concept of creating a virtual version of a resource, such as a server, storage device,
or network.
Virtualization allows multiple virtual resources to run on a single physical resource, which can improve
resource utilization and reduce costs.
Virtualization can be implemented using hypervisors, which are software programs that allow multiple
operating systems to run on a single physical computer.
Virtualization can be bare-metal or hosted.
Make SDDCs possible
SDDC abstracts the underlying hardware and creates a software layer that allows resources to be
provisioned and managed more dynamically.
Efficient utilization of resources and many advantages for scalability and efficiency.
Cloud computing

455

66
 Virtualization

Type I hypervisor (native or bare-metal hypervisor)

Type II hypervisor (hosted hypervisor)

456

Virtual Desktop Infrastructure -VDI

Virtual Desktop Infrastructure (VDI) is a desktop virtualization technology that allows multiple users to
access a shared desktop environment from remote locations.
In a VDI environment, virtual desktops are hosted on a centralized server and accessed by users
through thin client devices such as laptops, tablets, or smartphones.
Users access virtual desktops through thin client devices such as laptops, tablets, or smartphones,
which require minimal processing power and storage.
VDI allows for greater scalability and flexibility, with virtual desktops being easily provisioned, scaled,
and deprovisioned as needed.
VDI provides a more secure environment for desktop computing, with data and applications being
stored on a centralized server rather than on individual devices.

457

67
 VDI

458

Cloud Computing

459

68
 Cloud Computing
• No need to buy your own servers, rent datacenter, and setup complicated power and Air
conditioning infrastructure.
• Instead, you rent a server from Cloud Service provider (CSP).
• This rented server is hosted in huge datacenter managed the CSP.
• this datacenter is designed to be highly available at every level (Power, AC, Network)
• you can connect with this datacenter the same you would connect with one of your branches
(VPN)
• You may hear a lot (Fault domain, Availability domain, Region)

460

Cloud Computing
• Depending on your business growth, you can reduce the server resources (CPU, Memory) or
increase it, “scale up/down”.
• You are charged according to your usage (CPU, Memory, Network, Storage)
• Use PAYG model (Pay as you Go)
• Your data can be distributed across many regions, regions could have many datacenter within
it, and each datacenter has logical data act as separate.
• Cloud computing may seem to be costly (you will pay monthly costs)
• consider the cost of hosting and building your own datacenter (No CAPEX).

461

69
 Cloud Shared Responsibility Matrix
The cloud-shared responsibility matrix is a framework that outlines the division of security and
compliance responsibilities between cloud service providers (CSPs) and their customers.
The specific details of the shared responsibility matrix can vary depending on the CSP and the
type of cloud service being utilized
(Infrastructure as a Service, Platform as a Service, Software as a Service).
The CSP is responsible for implementing and maintaining foundational security controls at the
infrastructure level, such as firewalls, intrusion detection/prevention systems, and identity and
access management (IAM) for their own systems.
Customers are responsible for securing their data within the cloud environment. This includes
implementing proper access controls, encryption, and data classification.

462

463

70
 Cloud Deployment Models
Private Cloud Community Cloud

464

Cloud Deployment Models

Public Cloud Hybrid Cloud

465

71
 Cloud Services
• Many businesses choose cloud services to be as DR for their
on-prem datacenters.
• Many businesses already decided to move to office365 office
suite, to replace existing Exchange server, and CRM with
salesforce.
• Many business replaced their on-prem endpoint security
solution or security web-filter with cloud-based solutions such
as Crowdstrikeand Zscaler.
• Some businesses may decide to host their DMZ where servers
need to published are placed on the cloud to get enhanced
security features (DDOS)

466

467

72