This term paper describes the need for and the challenges of building secure software, general principles of secure software development, and the key elements of a secure software life cycle process.
Key Highlights of Term Paper
* Software’s Vulnerability to Attack
* The Challenge of Building Secure Software
* Software Assurance
* General Principles of Secure Software Development
* What the Software Practitioner Needs to Know
* Integrating Security into the Software Life Cycle
Software’s Vulnerability to Attack
What makes it so easy for attackers to target ...
The security of software is threatened at various points throughout its life cycle, both by inadvertent and intentional choices and actions taken by “insiders”—individuals closely affiliated with the organization that is producing, deploying, operating, or maintaining the software, and thus trusted by that organization—and by “outsiders” who have no affiliation with the organization. The software’s security can be threatened:
* during its development: A developer may corrupt the software—intentionally or unintentionally—in ways that will compromise the software’s dependability and trustworthiness when it is operational.
* during its deployment (distribution and installation): If those responsible for distributing the software fail to tamperproof the software before shipping or uploading, or transmit it over easily intercepted communications channels, they leave the software vulnerable to intentional or unintentional corruption. Similarly, if the software’s installer fails to “lock down” the host platform, or configures the software insecurely, the software is left vulnerable to access by attackers.
* during its operation: Once COTS and open source software has gone operational, vulnerabilities may be discovered and publicized; unless security patches and updates are applied and newer supported versions (from which the root causes of vulnerabilities have been eliminated) are adopted, such software will become increasingly vulnerable. Non-commercial software and open source software (OSS) may also be vulnerable, especially as it may manifest untrustworthy behaviours over time due to changes in its environment that stress the software in ways that were not anticipated and simulated during its testing. Any software system that runs on a network-connected platform has its vulnerabilities exposed during its operation. The level of exposure will vary depending on whether the network is public or private, Internet-connected or not, and whether the software’s environment has been configured to minimize its exposure. But even in highly controlled networks and “locked down” environments, the software may be threatened by malicious insiders (users, administrators, etc.).
* during its sustainment: If those responsible for addressing discovered vulnerabilities in released software fail to issue patches or updates in a timely manner, or fail to seek out and eliminate the root causes of the vulnerabilities to prevent their perpetuation in future releases of the software, the software will become increasingly vulnerable to threats over time. Also, the software’s maintainer may prove to be a malicious insider, and may embed malicious code, exploitable flaws, etc., in updated versions of the code.
Both research and real-world experience indicate that correcting weaknesses and vulnerabilities as early as possible in the software’s life cycle is far more cost-effective over the lifetime of the software than developing and releasing frequent security...