Software Security

 

Software Security is a concept of incorporating the concept of security during the software development phase rather than as an afterthought when the entire software has finished development [1].

What is Software Security?

Softwares' are critical to any infrastructure or services. Software, along with Hardware and Internet forms the backbone of the modern IT infrastructures, entertainment, gaming, banking, news, broadcasting and communication. Thus, it is imperative that the sofware should be have adequate measure to safeguard the data and infrastructures. Software Security, is a relatively new field that emerged in 2000's [1] as a shift in the paradigm towards building secure software led by software developers, designers, architects and computer scientists. 

Defining Software Security

Software Security, is the concept of ensuring that the software continues to perform correctly during a malicious attack. Software security best practices ensure that security is implemented early into the Software Development Lifecyle (SDLC), knowing and understanding threats or software defects, designing for security and performing rigorous risk analysis and testing.

Software security vs. Application Security

It is important to distinguish between application security and software security. Application security is usually associated with implementing security measures after a software has been developed, while the software security is incorporating the security best practices during the entire process of software development (SDLC). G. McGraw [1] defines the difference as follows:

On one hand, software security is about building secure software: designing software to be secure, making sure that software is secure, and educating software developers, architects, and users about how to build secure things. On the other hand, application security is about protecting software and the systems that software runs in a post facto way, after development is complete.

Quality vs. Secure Code

Secure code does not necessarily equate to a quality code, conversely quality code does not amount to a secure code [2]. Security and quality are the two forces that go hand-in-hand. One must understand how to write a quality code before trying to make it secure. Quality is a measure of ease of use and software reusability and maintainability.

Triads of Software Security

The three goals of software security, often termed as the three pillars or more popularly as the C.I.A triad are: confidentiality, integrity, and availability.

  • Confidentiality: pertains to the authorizations and restrictions of access to the information
  • Integrity: pertains to the improper or unauthorized of modification of information
  • Availability: concerns itself ensuring the resources are available to use at all times and in a timely fashion.

Selected Syllabi

  1. Worcester Polytechnic Institute, CS 4401 (A12): Software Security Engineering
  2. Brown University, CSCI 1650: Software Security and Exploitation
  3. Univ. of South Florida, USF CIS 6373, Foundations of Software Security
  4. (ISC)2, Certified Secure Lifecycle professional Certification
  5. Coveros, Fundamentals of Software Security
  6. Stanford University, CS155 Computer and Network Security

Learning Resources

  1. Coursera, Software Security
  2. MIT Open Coursework (OCW) 6.858, Lecture Notes
  3. MOOC, Penetration Testing and Ethical Hacking (Cybrary)

Textbooks

  1. Merkow, M. S., Raghavan, L. (2010). Secure and Resilient Software Development. United States: CRC Press.
  2. Misra, A., Ransome, J. (2013). Core Software Security: Security at the Source. United States: Taylor & Francis.
  3. McGraw, G. (2006). Software Security: Building Security in. Germany: Addison-Wesley.
  4. Barnum, S., McGraw, G., Allen, J. H., Ellison, R. J., Mead, N. R. (2004). Software Security Engineering: A Guide for Project Managers. United States: Pearson Education.
  5. Conklin, W. A., Shoemaker, D. P. (2019). CSSLP Certification All-in-One Exam Guide, Second Edition. United States: McGraw-Hill Education.

References

[1] G. McGraw, "Software security," in IEEE Security & Privacy, vol. 2, no. 2, pp. 80-83, March-April 2004.

[2] Misra, A., Ransome, J. (2013). Core Software Security: Security at the Source. United States: Taylor & Francis.