Developing Secure Software and Systems

The development and maintenance of network and data security in software systems is done in a late phase of design and coding or during deployment, often in an ad-hoc manner. Network monitoring and recovery, encryption protocols, best practices for combating cyber-crime, or disaster recovery planning are useful methodologies applied to enforce security of a deployed system. Nevertheless these are not enough to protect from attacks directed to software vulnerabilities hidden at design and code level. Introducing security aspects in all the phases of the software development process is an emerging approach to limit costs of adding security features when it's too late and very expensive in terms of time and resources. In this paper we illustrate some proposals to consider security issues in the software process from the early phase of requirements to design and coding

Methods for developing secure software and environments for small and medium enterprises

A thesis submitted for the degree of Master of Science by Research at the University of BedfordshireInformation Security covers activity concerned with the protection of data to ensure that information remains available, to those with rightful access, in the condition that it was originally stored or transmitted. The push to interact via electronic data is constantly increasing. Businesses are demanding that software designers find novel ways of facilitating electronic commerce, creating new business models that have only become possible with the development of the Internet. With the increase of traffic in information across the Internet, the risks associated with data have multiplied, matching the global growth in connectivity. Web application security deals with the measures taken to secure software built to promote e-commerce. Because it is necessary to accept user input across the Internet these applications carry a particular set of vulnerabilities that require a more technical approach to their mitigation. The applications themselves are usually composed of modules that interact across trust boundaries which all require hardening. Information Security governance controls how a company secures its data and that of its clients. While there are laws and standards that address the security requirement, applying them to all magnitude of businesses is difficult because the policies are biased towards large organisations in their assumptions of resources. This thesis investigates an international standard that can be used by small businesses to achieve legal compliance and a reasonable level of security. The thesis brings together a method for producing secure web applications and a checklist procedure for improving a company's data protection practices. Both offerings apply to small software production houses where there may be some overlap in role function and the pressure to meet software production deadlines can sometimes lead to a culture where security is seen as an avoidable expense

A Preliminary Study: Challenges in Capturing Security Requirements and Consistency Checking by Requirement Engineers

There has been a growing concern on the importance of security with the rise of phenomena, such as ecommerce and nomadic and geographically distributed work. Realizing the security early, especially in the requirement analysis phase, is important so that security problems can be tackled early enough before going further in the development process and avoid re-work. Ensuring the consistency of elicited functional security requirement of requirements specification is also crucial as the requirements should be well understood and agreed upon by all the stakeholders and end-users. Therefore, the aim of this paper is to further discuss on the challenges faced by Requirement Engineers (REs) in: (1) capturing Security Requirement and (2) Consistency Checking in Requirement Engineering. Motivated from the need to ensure consistency in functional security requirement for developing secure software and the gaps found in the existing works, a survey has been conducted involving 38 experts in software engineering in the industry. The survey aims to identify the current problems faced by them during the elicitation process, security standards used as the reference, elicitation and validation method, and the important properties considered while developing secure software. Results of the survey show that REs face difficulties to understand the security needs and the existing standards are difficult to understand. Therefore, it is proposed that an automated tool to elicit security requirements should be developed

Developing Secure Software With C And C++: A Different Approach

Tez (Yüksek Lisans) -- İstanbul Teknik Üniversitesi, Fen Bilimleri Enstitüsü, 2005Thesis (M.Sc.) -- İstanbul Technical University, Institute of Science and Technology, 2005Ağa bağlı bilgisayarlar yaygınlaştıkça, günlük işlerin yürütülmesinden devlet sistemlerinin otomasyonuna kadar her seviyede rol almaya başlamışlar ve bu sistemlerin güvenliği de kritik hal almıştır. Bilgi işlem sistemlerinin güvene layık olabilmesi için bütün bileşenlerinin güvenli olması gerekir, yazılım da bu bileşenlerden belki de en önemlisidir. Yazılımların, yaşam süreçlerinin bütün aşamalarında güvenli bir yapıyla sonuçlanacak şekilde tasarlanmaları gerekmektedir. Bu makale, bir yazılımın yaşam sürecini baştan sona ele almaktadır. Güvene layık bir yazılım için her aşamada, nelere dikkat edilmesi gerektiği anlatılmış, hangi tasarım seçeneklerinin olduğu sıralanmış, farklı metotlardan hangilerinin izlenmesinin daha iyi olacağı tartışılmış ve hangi araçların kullanılabileceği incelenmiştir. Bu sayede geliştirme veya bakım gibi değişik aşamalardaki projelere referans kaynağı olarak hizmet verebilmektedir. Bu makalede ele alınan yaşam süreci, yazılım mühendisliğinde sıklıkla başvuru olarak kullanılan, süreci isteklerin tanımı, tasarım, geliştirme, kontrol etme ve bakım olarak bölümleyen “Şelale Yaşam Süreci”dir. Yeni nesil programlama dilleri çıktıkça, C/C++ ve Birleştirici gibi düşük seviye dillerin yeni öğrencilerce benimsenmesi azalmaktadır. Buna ve başka sebeplere de bağlı olarak bu dillerde tecrübeli eleman eksikliği baş gösterdikçe, zaten güvenliğin sağlanmasının göreceli olarak daha zor olduğu bu ortamlarda ciddi güvenlik açıkları oluşmaktadır. Dünya üzerindeki kod tabanının çoğunluğunun halen bu dillerden oluşması durumu daha kritik yapmaktadır. Bu makalede bahsedilen konuların çoğunluğu dilden bağımsız olsa da, ilgili bölümlerde, az önce bahsedilen sorunu göz önüne alarak C/C++ ve Birleştirici dilleri üstünde durulmuştur. Sonuç olarak, yazılım güvenliğinin etkin olarak sağlanabilmesi için, güvenliğin bütün yaşam süreci evrelerinde ele alınması gerekliliği gösterilmiştir. Ayrıca, yaşam sürecinin aşamalarından bir çoğuna, daha önce bu kapsamda uygulanmamış olan yeni yöntemler önerilmiştir.As networked computing penetrates daily life more and more, it becomes more common in every level from daily life to automation of government systems. In order computing systems to be secure, each and every of their components must be secure, too. Software is most important component among those. Each phase of software lifecycle must be implemented in a secure fashion. This thesis is inspecting lifecycle of software from beginning to the end and aligns the new ideas that it is bringing to the lifecycle. After giving necessary background information about the subject, new ideas have been presented, examples have been given and possible other options have been discussed. During explaining most of the subjects, the topics that is considered to be complimentary is either added or referred to. Thanks to that, this thesis can be a reference source to projects in different phases like implementation and maintenance. Waterfall lifecycle model, which is used frequently in software development projects and divides software projects into phases as analysis of requirements, design, implementation, verification and maintenance, is used as a template in this thesis. As new generations of programming languages emerge, adoption of low-level languages such as C/C++ and assembly by new students is decreasing. As lack of experienced staff shows up itself due to this and other causes, severe vulnerabilities are happening in such environments, where developing of secure software is already proven to be hard. The fact that majority of current code base in the world is in those languages makes the situation even more critical. Although most of the subjects in this thesis are programming language independent, C/C++ and assembler language problems are especially covered because of the reasons just mentioned. As a result, it has been shown that security countermeasures must be taken in all phases of software lifecycle in order to ensure high level of security throughout the application. Furthermore, new ideas of security countermeasures have been brought to many of the phases of software lifecycle.Yüksek LisansM.Sc

Secure Software Development: A Developer Level Analysis

Developing secure software is still an important issue in the computing world. Big software firms spend huge sums of money to offer secure software and systems. However, security incidents due to insecure software results in loss of revenue and reputational damages to user firms. Incorporating security requirements early in the development process is the most effective and cheapest method to build secure software. We chose a behavioral lens in order to understand antecedents to secure software development. We explicate the effects of personality, training, education and organizational culture on the development of secure software

Software security requirements engineering: State of the art

Software Engineering has established techniques, methods and technology over two decades. However, due to the lack of understanding of software security vulnerabilities, we have not been so successful in applying software engineering principles that have been established for the past at least 25 years, when developing secure software systems. Therefore, software security can not be just added after a system has been built and delivered to customers as seen in today’s software applications. This keynote paper provides concise methods, techniques, and best practice requirements guidelines on software security and also discusses an Integrated-Secure SDLC model (IS-SDLC), which will benefit practitioners, researchers, learners, and educators

AI Usage in Development, Security, and Operations

Artificial intelligence (AI) has become a growing field in information technology (IT). Cybersecurity managers are concerned that the lack of strategies to incorporate AI technologies in developing secure software for IT operations may inhibit the effectiveness of security risk mitigation. Grounded in the technology acceptance model, the purpose of this qualitative exploratory multiple case study was to explore strategies cybersecurity professionals use to incorporate AI technologies in developing secure software for IT operations. The participants were 10 IT professionals in the United States with at least 5 years of professional experience working in DevSecOps and managing teams of at least three DevSecOps professionals within the United States. Data were collected using semi structured interviews, and three themes were identified through thematic analysis: (a) implementation obstacles, (b) AI cloud implementation strategy, and (c) AI local implementation strategy. A specific recommendation for IT professionals is to identify knowledge gaps and security challenges in the DevSecOps pipeline to facilitate the necessary training. The implications for positive social include the potential to improve organizations\u27 securities postures and, by extension, the societies and individuals they serve

AI Usage in Development, Security, and Operations

Artificial intelligence (AI) has become a growing field in information technology (IT). Cybersecurity managers are concerned that the lack of strategies to incorporate AI technologies in developing secure software for IT operations may inhibit the effectiveness of security risk mitigation. Grounded in the technology acceptance model, the purpose of this qualitative exploratory multiple case study was to explore strategies cybersecurity professionals use to incorporate AI technologies in developing secure software for IT operations. The participants were 10 IT professionals in the United States with at least 5 years of professional experience working in DevSecOps and managing teams of at least three DevSecOps professionals within the United States. Data were collected using semi structured interviews, and three themes were identified through thematic analysis: (a) implementation obstacles, (b) AI cloud implementation strategy, and (c) AI local implementation strategy. A specific recommendation for IT professionals is to identify knowledge gaps and security challenges in the DevSecOps pipeline to facilitate the necessary training. The implications for positive social include the potential to improve organizations\u27 securities postures and, by extension, the societies and individuals they serve

ANFIS Modeling of Dynamic Load Balancing in LTE

Modelling of ill-defined or unpredictable systems can be very challenging. Most models have relied on conventional mathematical models which does not adequately track some of the multifaceted challenges of such a system. Load balancing, which is a self-optimization operation of Self-Organizing Networks (SON), aims at ensuring an equitable distribution of users in the network. This translates into better user satisfaction and a more efficient use of network resources. Several methods for load balancing have been proposed. While some of them have a very buoyant theoretical basis, they are not practical. Furthermore, most of the techniques proposed the use of an iterative algorithm, which in itself is not computationally efficient as it does not take the unpredictable fluctuation of network load into consideration. This chapter proposes the use of soft computing, precisely Adaptive Neuro-Fuzzy Inference System (ANFIS) model, for dynamic QoS aware load balancing in 3GPP LTE. The use of ANFIS offers learning capability of neural network and knowledge representation of fuzzy logic for a load balancing solution that is cost effective and closer to human intuition. Three key load parameters (number of satisfied user in the net- work, virtual load of the serving eNodeB, and the overall state of the target eNodeB) are used to adjust the hysteresis value for load balancing