A Design For Comprehensive Information System Management Framework Integrating Secure Software Development Resource Management and Real-Time Monitoring
Herlambang Rafli Wicaksono, Ihsan Fadli Tampati, Nathanael Berliano Novanka Putra
Politeknik Siber dan Sandi Negara, Bogor, Indonesia
Abstract—This paper proposes a holistic framework for the development, management, and monitoring of secure web information systems. Emphasizing a secure software development life cycle (SDLC), resource management, and real-time monitoring, the framework aims to standardize and enhance the process of web application development while prioritizing security at every phase. The framework incorporates threat modeling during planning and design, security guidelines during implementation, and continuous vulnerability scanning. Additionally, it integrates resource management to ensure effective allocation of human, hardware, and software resources. Tools are employed for real-time monitoring, providing usage insights that inform managerial decisions. The proposed framework strives to create a comprehensive approach to web application development that is both secure and well-managed. The implementation results demonstrate the proposed framework's effectiveness in simplifying development, optimizing resources, and enhancing security for web applications. Furthermore, compared to the secure software development lifecycle (SSDLC) framework, it offers advantages in resource management and real-time monitoring, rendering it more comprehensive.

Keywords—Information System, Information System Management, Development, Resource Management, Monitoring

I. INTRODUCTION

As time progresses, technologies continue to advance rapidly. The rapid development of technology drives companies or organizations to integrate their services with technology to enhance service quality, organizational productivity, and organizational agility [1], [2]. One of the technologies commonly used to integrate services is a website. Based on data from "google it" [3], the use of websites is crucial because 86% of people rely on the internet, and 46% of people prefer to search for information through the internet. Therefore, organizations need to introduce their services through the internet using a website.

However, a recent report from SiteCheck [4] indicates that there are 628,085 websites identified as 'infected sites' out of a total of 54,743,804 websites examined as of mid-2023. The category of 'infected sites' can arise under various conditions, but typically results from hackers exploiting vulnerabilities in websites to obtain valuable information such as credit card information, SEO, traffic, etc. Furthermore, according to data from [5], several websites from various organizations worldwide have been successfully breached by hackers, resulting in data leaks. Data breaches can have significant impacts on the continuity of companies or organizations. Companies or organizations that have experienced data breaches are likely to lose customers due to a decrease in customer trust or may not operate optimally due to financial losses [6], [7], [8]. Additionally, as the scale of an organization grows, it becomes increasingly difficult to manage tasks and monitor the organization's website. Therefore, concrete solutions are needed to address the organization's cybersecurity issues, organizational task management, and website monitoring.

This research proposes a comprehensive framework for integrating the information system development, management, and monitoring processes into a cohesive process to minimize cyberattacks, facilitate organizational task management, and intensify organizational monitoring. The proposed framework will be implemented in the website development process using the Secure Software Development Lifecycle (SSDLC) agile methodology, organizational task management using Notion, and digital resource monitoring using CloudFlare real-time monitoring.

II. LITERATURE REVIEW

Some work has been done to research the Software Development Life Cycle (SDLC) as a structured framework utilized by organizations to guide the development process of an application from the beginning to the end of its life cycle [9], [10], [11], [12], [13], [14], [15], [16], [17]. The aim of the software development environment is to efficiently deliver functional products within a short timeframe and with minimal resources. Various software development methodologies exist, all of which generally encompass activities such as requirement identification, architectural design, implementation, testing, deployment, and maintenance. But, in such cases, important aspects like software quality and security often receive little to no attention, and the significant value that projects could offer is frequently overlooked [18].

To ensure security, an enhanced version of the SDLC that integrates various security measures or practices is implemented. These may include security specification languages, security requirements engineering processes,
Authorized licensed use limited to: Universitas Indonesia. Downloaded on November 05,2024 at 06:42:26 UTC from IEEE Xplore. Restrictions apply.
979-8-3503-7588-6/24/$31.00 ©2024 IEEE 209
2024 7th International Conference on Informatics and Computational Sciences (ICICoS)
In order to make sure that the system blueprints are implemented properly, one should choose at least one of the available secure coding guidelines. The choice of guidelines is also up to the organization's authorities and should be adjusted to the SDLC model used for development. Secure coding principles should be well implemented in the process of coding the system. Sanitizing input, encoding output, parameterizing queries, and many more security-related best practices must be deeply understood by the developers. Common vulnerabilities such as SQL injection and Cross Site Scripting (XSS) should be well mitigated by applying the best practices available. Automated testing or checking can also be implemented to minimize the daily effort and human error.

3) Vulnerability Assessment before Delivery: Vulnerability Assessment (VA) is a process of scanning a system for its potential and/or suspected vulnerabilities and assessing them as a basis for the action to be taken. VA aims to find all potential and/or suspected holes in terms of security. This action will help to identify and address the exact location of a security weakness.

Before the delivery phase of the SDLC, VA should be implemented to identify and address potential vulnerabilities in the system. The VA methodology used can be adjusted to the SDLC model implemented. For example, passive testing can and should be used in the Waterfall SDLC because of its detailed and linearly structured phases. On the other hand, the Agile SDLC can be improved using active testing, specifically using automated services for more time efficiency and simplicity.

4) Continuous Integration and Continuous Delivery: Continuous Integration (CI) ensures that developers frequently merge their code changes into a shared repository, triggering automated tests to identify integration issues early in the development cycle. Continuous Delivery (CD) extends CI by automating the deployment process, allowing successfully tested code changes to move seamlessly through staging environments to production. By utilizing the GitHub Actions feature, developers can configure automated testing upon any change, as shown in Fig. 2. Upon successful testing, the system can automatically trigger deployment to the server. The deployment process requires credentials for the SSH server, which are stored in GitHub environment variables.

The implementation of CI/CD practices offers several benefits to software development teams. Firstly, it accelerates time-to-market by enabling faster integration and deployment of new features and updates. Secondly, it minimizes errors by detecting integration issues early, ensuring a more stable and reliable codebase. Additionally, CI/CD fosters a collaborative environment, as teams work cohesively, integrating changes regularly and resolving issues promptly. Lastly, the consistency and automation provided by CI/CD ensure a standardized deployment process, increasing overall efficiency and productivity.

Fig. 2. Continuous Delivery Workflow

B. Resource Management

Resource management is a critical aspect of organizational operations that involves the efficient allocation and utilization of various resources, including human resources (man), financial resources (money), physical resources (machine), and temporal resources (time). The purpose of resource management is to ensure that these resources are utilized effectively to support the organization's objectives, maximize productivity, and achieve optimal outcomes.

Effective resource management involves identifying the necessary resources and allocating them appropriately to meet the project's needs. Additionally, resource management involves careful planning and scheduling to ensure that resources are available when needed and are utilized efficiently. Furthermore, resource management also encompasses the assignment of tasks and responsibilities to individuals within the organization. Similarly, managing financial resources involves budgeting, tracking expenditures, and ensuring that funds are allocated in a manner that aligns with organizational priorities. Finally, managing physical resources such as machinery and equipment involves maintenance scheduling, asset tracking, and ensuring that these resources are utilized effectively to support organizational activities.

C. Integration of Real-time System Monitoring

Monitoring is an essential part of any management, including information system management. This activity includes the continuous observation and analysis of various aspects of an information system, such as its performance, security, and availability. Done by employing specialized tools and processes, system monitoring aims to ensure the optimal functioning of the system by detecting and addressing issues promptly. By actively monitoring indicators, managers can make informed decisions, allocate resources effectively, and enhance efficiency and resilience.

IV. IMPLEMENTATION EXAMPLE

In this example we will manage the development, resources, and monitoring of a laboratory management software. The first part is the software development, in which we will be using the Agile SDLC model. Please be aware that the selection of models and methods is flexible and chosen by the organization to suit its specific needs and circumstances.

The first step is to define the requirements of the software using a use case diagram. To elaborate the security, we extend the use case diagram further into a misuse case diagram so that potential security vulnerabilities are captured. A misuse case diagram describes sequences of actions that an entity can perform in order to cause harm to the legitimate user or the system itself [26]. This diagram can be used to understand threats to the system that could potentially lead to vulnerabilities.

The misuse case diagram depicted in Fig. 3 reveals several critical vulnerabilities that require immediate attention to enhance system security. Firstly, there is a vulnerability to Cross-Site Request Forgery (CSRF) during lab attendance and
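The secure coding controls named in Section III (parameterized queries, output encoding) and the CSRF misuse case for lab attendance in Section IV, as one added Python example that is not part of the paper or its laboratory management software; the handler, table and session names are hypothetical, and the vulnerable form is shown only as the 'before' of the hardened one:

```python
# Added example (not the paper's code): one "record lab attendance" handler
# combining the controls the paper names. Names are hypothetical.
import hmac
import html
import secrets
import sqlite3

# Per-deployment secret for deriving CSRF tokens (constructed at start-up).
SESSION_SECRET = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Per-session token: a forged cross-site request cannot know it."""
    return hmac.new(SESSION_SECRET, session_id.encode(), "sha256").hexdigest()


def csrf_valid(session_id: str, presented: str) -> bool:
    # Constant-time comparison so a mismatch does not leak timing.
    return hmac.compare_digest(csrf_token(session_id), presented)


def init_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE attendance (student TEXT, lab TEXT)")
    return conn


def record_attendance_vulnerable(conn, student: str, lab: str) -> None:
    # 'Before' form: SQL built from request data and no CSRF check.
    # A crafted student value rewrites the statement (SQL injection).
    conn.execute(f"INSERT INTO attendance VALUES ('{student}', '{lab}')")


def record_attendance(conn, session_id: str, token: str,
                      student: str, lab: str) -> bool:
    """Hardened form: reject forged requests, then bind parameters so the
    driver treats the student name as data, never as SQL."""
    if not csrf_valid(session_id, token):
        return False
    conn.execute("INSERT INTO attendance VALUES (?, ?)", (student, lab))
    return True


def render_roster(conn, lab: str) -> str:
    """Output encoding: escape names before embedding them in HTML (XSS)."""
    rows = conn.execute(
        "SELECT student FROM attendance WHERE lab = ? ORDER BY rowid", (lab,))
    return "<ul>" + "".join(f"<li>{html.escape(r[0])}</li>" for r in rows) + "</ul>"
```

In a real deployment the token would be issued with the attendance form and the session id taken from an authenticated session cookie; the automated checks in the CI stage of Fig. 2 are the natural place to run such handler tests.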
Fig. 8. Notion Implementation (panels a, b, c)
streamline their development processes, optimize resource utilization, and proactively monitor the performance and security of their web applications. Overall, the proposed framework serves as a valuable blueprint for organizations seeking to enhance the security, efficiency, and effectiveness of their information system management practices.

REFERENCES

[1] P. P. Tallon, M. Queiroz, T. Coltman, and R. Sharma, "Information technology and the search for organizational agility: A systematic review with future research possibilities," J. Strateg. Inf. Syst., vol. 28, no. 2, pp. 218–237, 2019, doi: 10.1016/j.jsis.2018.12.002.
[2] T. Ravichandran, "Exploring the relationships between IT competence, innovation capacity and organizational agility," J. Strateg. Inf. Syst., vol. 27, no. 1, pp. 22–42, 2018, doi: 10.1016/j.jsis.2017.07.002.
[3] S. Knowledge, "Importance of Website: Know why do you need a website," Web Development. [Online]. Available: https://star-knowledge.com/blog/importance-of-website-for-business/
[4] S. Remote and W. Scanner, "SiteCheck," 2023. [Online]. Available: https://sitecheck.sucuri.net
[5] "Who's Hacked? Latest Data Breaches And Cyberattacks," Cyber Crime Magazine. [Online]. Available: https://cybersecurityventures.com/intrusion-daily-cyber-threat-alert/
[6] L. Cheng, F. Liu, and D. D. Yao, "Enterprise data breach: causes, challenges, prevention, and future directions," Wiley Interdiscip. Rev. Data Min. Knowl. Discov., vol. 7, no. 5, pp. 1–14, 2017, doi: 10.1002/widm.1211.
[7] R. Janakiraman, J. H. Lim, and R. Rishika, "The Effect of a Data Breach Announcement on Customer Behavior: Evidence from a Multichannel Retailer," J. Mark., vol. 82, no. 2, pp. 85–105, Mar. 2018, doi: 10.1509/jm.16.0124.
[8] A. H. Juma'h and Y. Alnsour, "The effect of data breaches on company performance," Int. J. Account. Inf. Manag., vol. 28, no. 2, pp. 275–301, Jan. 2020, doi: 10.1108/IJAIM-01-2019-0006.
[9] M. U. A. Khan and M. Zulkernine, "On selecting appropriate development processes and requirements engineering methods for secure software," Proc. - Int. Comput. Softw. Appl. Conf., vol. 2, no. November, pp. 353–358, 2009, doi: 10.1109/COMPSAC.2009.206.
[10] J. Ley, "Some work has been done to research Software Development Life Cycle (SDLC) as a structured framework utilized by organizations to guide the development process of an application from the beginning to the end of its life cycle," IEEE Access, vol. 10, pp. 1234–1245, 2022.
[11] A. M. Rea-Guaman, I. D. Sánchez-García, T. S. Feliu, and J. A. Calvo-Manzano, "Maturity models in cybersecurity: A systematic review," in 2017 12th Iberian Conference on Information Systems and Technologies (CISTI), 2017, pp. 1–6, doi: 10.23919/CISTI.2017.7975865.
[12] S. Lipner, "The trustworthy computing security development lifecycle," in 20th Annual Computer Security Applications Conference, 2004, pp. 2–13, doi: 10.1109/CSAC.2004.41.
[13] V. Figueroa, "Secure Software Development Life Cycle - OWASP LATAM Tour 2016," 2019.
[14] M. Beiter, "Steps in a Secure Software Development Lifecycle Model." [Online]. Available: https://www.michael.beiter.org/2013/11/29/steps-in-a-secure-software-development-lifecycle-model-1/
[15] M. I. Daud, "Secure software development model: A guide for secure software life cycle," Proc. Int. MultiConference Eng. Comput. Sci. 2010, IMECS 2010, no. July 2010, pp. 724–728, 2010.
[16] M. Buinevich, K. Izrailov, and A. Vladyko, "The life cycle of vulnerabilities in the representations of software for telecommunication devices," in 2016 18th International Conference on Advanced Communication Technology (ICACT), 2016, pp. 1–2, doi: 10.1109/ICACT.2016.7423419.
[17] A. Hudaib, M. Alshraideh, O. Surakhi, and M. Alkhanafseh, "A Survey on Design Methods for Secure Software Development," International Journal Of Computers & Technology, vol. 16, pp. 7047–7064, Dec. 2017, doi: 10.24297/ijct.v16i7.6467.
[18] J. de V. Mohino, J. B. Higuera, J. R. B. Higuera, and J. A. S. Montalvo, "The application of a new secure software development life cycle (S-SDLC) with agile methodologies," Electron., vol. 8, no. 11, 2019, doi: 10.3390/electronics8111218.
[19] M. Leppänen et al., "The highways and country roads to continuous deployment," IEEE Softw., vol. 32, no. 2, pp. 64–72, 2015, doi: 10.1109/MS.2015.50.
[20] L. Chen, "Continuous delivery: Huge benefits, but challenges too," IEEE Softw., vol. 32, no. 2, pp. 50–54, 2015, doi: 10.1109/MS.2015.27.
[21] A. A. U. Rahman, E. Helms, L. Williams, and C. Parnin, "Synthesizing Continuous Deployment Practices Used in Software Development," in 2015 Agile Conference, 2015, pp. 1–10, doi: 10.1109/Agile.2015.12.
[22] H. H. Olsson, H. Alahyari, and J. Bosch, "Climbing the 'Stairway to Heaven' -- A Multiple-Case Study Exploring Barriers in the Transition from Agile Development towards Continuous Deployment of Software," in 2012 38th Euromicro Conference on Software Engineering and Advanced Applications, 2012, pp. 392–399, doi: 10.1109/SEAA.2012.54.
[23] D. Agrawal, S. Das, and A. El Abbadi, "Big data and cloud computing: Current state and future opportunities," ACM Int. Conf. Proceeding Ser., pp. 530–533, 2011, doi: 10.1145/1951365.1951432.
[24] K. Alhamazani et al., "Cross-Layer Multi-Cloud Real-Time Application QoS Monitoring and Benchmarking As-a-Service Framework," IEEE Trans. Cloud Comput., vol. 7, no. 1, pp. 48–61, 2019, doi: 10.1109/TCC.2015.2441715.
[25] F. Buccafurri et al., "Analysis of QoS in cooperative services for real time applications," Data Knowl. Eng., vol. 67, no. 3, pp. 463–484, 2008, doi: 10.1016/j.datak.2008.08.004.
[26] G. Sindre and A. L. Opdahl, "Eliciting security requirements with misuse cases," Requirements Eng., vol. 10, pp. 34–44, 2005, doi: 10.1007/s00766-004-0194-