CSS321_JoshuaGardner_IP5.docx

School: Colorado Technical University
Course: 321
Subject: Information Systems
Date: Jan 9, 2024
Type: docx
Pages: 25
Uploaded by JudgeClover7287
SOFTWARE ASSURANCE GUIDELINE – T-MOBILE U.S.A

CSS321: Software Assurance
Software Assurance Guideline – T-Mobile U.S.A.
Individual Project – Week 5
Joshua Gardner
November 5th, 2023
Table of Contents

Unit 1: Project Outline ... 3
  Company Description ... 3
  Applications Provided ... 3
  Development Methods ... 4
Unit 1: Security in the Development Life Cycle ... 5
  SDLC ... 5
  Security Development Components ... 6
Unit 2: Software Assurance Techniques ... 7
  Analysis ... 7
  Guidelines ... 10
Unit 3: Security in Nontraditional Development Models ... 11
  Identifying Non-Traditional Security Model ... 11
  Non-Traditional Development Process ... 12
  Non-Traditional Software Development Policies & Processes ... 14
Section 4: Security Static Analysis ... 16
  Application Design Layout ... 16
  Component Diagram ... 17
  Major Components ... 17
  C++ Code Samples ... 19
  Security Static-Analysis Tools & Guidelines ... 19
Unit 5: Software Assurance Policies and Processes ... 21
  Software Assurance Training Plan ... 21
  Software Assurance Metrics ... 22
  Security Team Roles & Responsibilities ... 23
Resources ... 24
Unit 1: Project Outline

Company Description

The purpose of this report is to provide T-Mobile U.S.A with a fully completed software assurance guideline. Software assurance guidelines are vital to large-scale organizations such as T-Mobile U.S.A. because they encourage the organization to invest in techniques, tools, processes, and standards that help with building software while also finding ways to reduce security breaches. T-Mobile U.S.A is the 2nd largest wireless provider in the United States with a total of 98.3 million customers (Blumenthal, 2020). T-Mobile has vastly changed the wireless landscape through a series of “Un-Carrier” moves. While these moves brought great change and a great deal of publicity for the company, its Achilles’ heel has been that it has been the victim of multiple software security breaches over the last five years. The T-Mobile USA brand first began in 2002 after Deutsche Telekom purchased VoiceStream Wireless (Katz, 2022). The company is currently led by CEO Mike Sievert, who assumed the role in April 2020 from the previous, outspoken CEO John Legere, following the acquisition of Sprint. T-Mobile currently has two main headquarters: the first campus is located in Bellevue, Washington, and the second campus, acquired as part of the merger with Sprint, is located in Overland Park, Kansas. In the last fiscal year T-Mobile reported revenues of 79.5 billion dollars (Katz, 2022).

Applications Provided

Being a part of the wireless industry has led to T-Mobile taking part in a variety of different ventures. As part of these ventures, many different pieces of software have been adopted at both the desktop and application level. T-Mobile has a variety of applications that are used on a daily basis by its customer base; some examples include the T-Mobile App, T-Mobile Tuesdays, and T-Mobile Home Internet. Additionally, it also has an online web interface for account management and an internal desktop application for customer account management that uses a database to pull all of the customers’ information.

Development Methods

While T-Mobile is a large organization, it is comprised of a multitude of different organizations within the company. In this guideline we will be looking specifically at its technology team. T-Mobile’s technology team recently saw a change in leadership as John Saw took over as Chief Technology Officer in April of 2023. The company currently employs a hierarchical reporting structure. The technology organization is divided into subsets, with some teams specializing in UX, mobile applications, and internal software. While T-Mobile does hire remote workers for its tech space, it tends to prefer employees who are located near a customer experience center or headquarters. As part of its development, T-Mobile has a set of internal systems used to develop programs for its internal care teams, as well as generalized operating system platforms to produce its application-based platforms. As a direct employee of T-Mobile, I can say that when it comes to testing internal software, there are specific employees throughout multiple facets of the business who specifically pilot these programs.
Unit 1: Security in the Development Life Cycle

SDLC

The purpose of this section is to review the software development life cycle (SDLC) within T-Mobile. I can help provide a breakdown of each of the major components of the company’s SDLC, as I am currently employed within their technology team and therefore have firsthand knowledge of the software process. In addition to providing a brief rundown of the major phases within the SDLC, this section will also discuss components of the security development model and how they pertain to each phase of the SDLC model. Lastly, this section will discuss how the security model is applied within each phase of the SDLC cycle.

As mentioned in the first section of this report, T-Mobile publishes applications that are used on an internal basis only, as well as applications and web platforms that are used externally on the customer-facing side. Using an SDLC is essential, as it provides the software team with a way to develop, test, and publish their software. While the SDLC follows a general format, there may be slight differences depending on the organization you’re working for (Softwaretestinghelp, 2023). In the case of T-Mobile, our organization has a total of six distinct phases. Each project begins with the Requirements Gathering / Planning phases. This is followed by the design phase, then the coding phase (my current role), and then, depending on the team lead, the deployment phase and lastly the maintenance phase. Depending on the team, in some instances the deployment and maintenance phases are grouped together.

In the first phase, the technical leadership team reviews feedback obtained from both internal and external teams, which is then used to develop an idea for a software product. After a need for a service has been identified, a member of our business support team will meet with a tech lead to discuss what needs to be built and how it will improve the business need. After meeting with the business analyst, our team lead will work with our UX team to determine how the software or feature can best be integrated into our current systems without making major changes to the current software layout. Once the design team has provided a prototype of how the software or feature will look visually, a meeting between the business analyst, the design team, and our tech lead occurs to ensure all parties agree. Once agreed upon, our team lead will assign each team member a task that needs to be completed and built into, or updated in, the existing code. Our team normally works in two-week sprints. Once all coding by each member of the team has been merged into a successfully functioning prototype, we begin testing the product. A caveat to note is that prior to any code being merged, it is reviewed in code review sessions. Finally, once tested, the software is published in a pilot program test. After extensive testing through the pilot program, the software then becomes fully released.

Security Development Components

Part of the reasoning for using an SDLC is also to ensure that when a product or a new piece of software is being created, it is also secure. To ensure that this is occurring, different security components can be implemented throughout each of the stages. To begin, when any form of software is being planned, it is essential that the organization is proactive in building out its defenses. During the initial planning, using a threat model is a great way to build up security defenses. A threat model provides a representation of the different potential threats that can impact the security of your software. During the design stage of the SDLC, a review of the threat model should be completed by the design team. This review is essential because new threats may present themselves based upon the layout of the design and how the software may interact with pieces of the existing software. Once out of the design stage and into