
CMSC 495 UMGC Security Vulnerabilities & Standard Practices Response Discussion

Respond to Barun:

The article I have chosen for this discussion is “Research on Software Design Level Security Vulnerabilities,” published by S. Rehman and K. Mustafa. This paper identifies one of the major problems in software security as a lack of knowledge about security among the software developers in design. The paper also describes that the developers and researchers are targeting vulnerability avoidance at the early phase of the SDLC rather than vulnerability identification at the implementation and deployment level. The paper also points out that software vulnerabilities can occur in the software at any phase of the SDLC, but design-level problems accounted for more than 50% of the security flaws. Reducing the magnitude of security vulnerabilities in software is becoming one of the emerging needs in computer security, and unfortunately the problem is growing dramatically. Ten vulnerabilities of security breaches cover mostly 75% of the total vulnerabilities found in software applications.

As most of the security vulnerabilities are found in the design, the lack of effective methods for security integration in the design phase of the software life cycle is felt. The biggest challenge today for software designers is avoiding design-level flaws that result in security vulnerabilities. The lack of support for tools and automated methods makes it even more challenging. So, threat modeling can be one of the efficient measures to make the design more secure. Similarly, a well-designed framework can help the developers to trace the software vulnerabilities. The implementation of security policies, which is mostly considered at the requirements level, can be further extended to the design level.

Reference:

Rehman, S., & Mustafa, K. (2009). Research on software design level security vulnerabilities. ACM SIGSOFT Software Engineering Notes, 34(6), 1–5. https://doi-org.ezproxy.umgc.edu/10.1145/1640162.1…

Respond to Andrew:

For this week’s discussion I examined “Security Engineering Approach to Support Software Security” by Francisco José Barreto Nunes, Arnaldo Dias Belchior, and Adriano Bessa Albuquerque, an article which was presented at the 2010 IEEE 6th World Congress on Services. The basic premise of the article is to evaluate some historically used frameworks for security in software engineering and compare them to the technique of interest to the authors, “PSSS,” or Process to Support Software Security.

PSSS is intended to be a little bit more wide-reaching than some previous frameworks, with the general idea being that PSSS can be used at every phase of the Systems Development Life Cycle instead of only at one, which would require a shift to a different management framework when a project moves to a new part of the lifecycle. The process is designed to be applied at all parts of the lifecycle to ensure a smoother and more consistent set of good security practices across the entire development of a project. Security, the authors point out, has a tendency to be an afterthought or something which is primarily an element of focus only as a project nears completion. By keeping it in mind at every phase of the SDLC and making it a priority for the success of the project, the authors purport that software projects will be able to deliver a more adequate level of security to customers and end users with less overall headache for dev teams.

It seems to me that it’s a bit like the “non-sexy” part of any endeavor. Is it fun to do accounting? For most people, no, but a business which tries to operate without a plan for its finances from the start is likely to run into some challenges, one way or another.

Cited:
Francisco José Barreto Nunes, Arnaldo Dias Belchior, and Adriano Bessa Albuquerque, “Security Engineering Approach to Support Software Security,” 2010 6th World Congress on Services, July 2010, https://doi.org/10.1109/services.2010.37.
