Here are some software development methods you’ll need to be aware of:
Waterfall – top down, each phase must be completed before the next one can begin, typically thought of as a slow traditional method.
Spiral – adds the Deming plan to the waterfall method (plan, do, check, act), which adds a risk assessment to each phase. Costs are revised for each phase and a decision to either cancel or continue the project.
Cleanroom – heavy focus on defect prevention and correct code writing from the beginning rather than later.
Prototyping – develop a simple version that is releasable to a customer and solicit feedback to improve the product.
Rapid application development (RAD) – goal is to produce quality code quickly – but can have security flaws if not done correctly & methodically.
Joint analysis development (JAD) – developers working with majority of owners and business stakeholders to ensure the software meets all requirements.
Computer aided software engineering (CASE) – using software utilities and computers – good for large complicated projects.
Component based development – using standardized “building blocks” to put the application together.
Reuse model – components are “reused” meaning that the components have already been built and tested.
Extreme programming – relies on subprojects with the values of simplicity, communication, and feedback.
Continuous Integration and Continuous Delivery (CICD) – You may have heard the term “CICD Pipeline” throughout your career. This is a method of seeking automation and better management of the software development process. The pipeline process flow and communication typically consist of steps that are shared and monitored by most organizations: 1) coding a software unit, 2) performing unit testing, 3) building an integration of units into a larger subsystem, 4) integrating subsystems into a complete application, 5) more testing, 6) delivery, 7) installation, 8) making it available to users. CICD methods should receive security assessments to ensure that the process includes security and that the organization’s methodology of choice is being followed.
Integrated Development Environments (IDE) –
These refer to development environments that are designed to help maximize developer productivity and provide re-usable components with the same or similar interfaces. They typically present a single architecture in which the development can be done. An IDE typically has these components:
- Source code editor
- Build automation tools
- Debuggers
- Class browser
- Object browser
- Class hierarchy diagram
- Version control to help develop graphical user interfaces
IDEs for object oriented programming typically have:
- Class browser
- Tools for creating class hierarchy diagrams
- Object inspector
IPT – or integrated product team refers to a team of stakeholders that work together to achieve a process or product. IPTs can draw from many different disciplines across an organization and can benefit from many different viewpoints consistently throughout the life cycle of the new system being developed. In addition, IPT members provide sufficient representation from all stakeholders participating in the project. This can include management, developers, designers, contractors and security professionals.
IPPD – or integrated product and process development is a potential overarching or governing process (by DoD) that uses IPTs to achieve cost and performance objectives throughout the system’s lifecycle.
Strong Data Typing: Type Safe, or Strongly-typed programming language (aka strong type enforcing) refers to additional logic in the source code to prevent the resulting executable from going wrong from the misuse of a data type. Verifying and enforcing constraints of data types is often referred to as type checking which can be done at different times such as during the compile process or during runtime. Memory access via pointers is one of the main cause of weaknesses exploits and security issues in C or C++. Java performs an internal check, or static type checking which examines whether the arguments an operation can get during an execution are the correct type. If a language specification requires typing rules strongly, or, allowing only those automatic type conversions which cannot lose information, then the process is considered to be strongly typed. If not, it can be considered weakly typed.