This is an innovative practice full paper. The need to develop software securely cannot be over-emphasized. The changing international and local legal and regulatory landscape for software requirements is astounding. For example, the European Union's General Data Protection Regulation (GDPR), the United States' Health Insurance Portability and Accountability Act (HIPAA), the Chinese Cybersecurity laws, and the credit card industry's Payment Card Industry Data Security Standard (PCI-DSS) are all upholding higher standards for system development and deployment. Such legal and regulatory changes necessarily require modifications and updates to software development methods, which must be incorporated into cybersecurity software development courses to properly prepare students for successfully working in the field. To address these and other changes within the computing field, the Accreditation Board for Engineering (ABET) recently proposed preliminary cybersecurity accreditation criteria, for which fewer than 20 universities have both applied and become ABET Cybersecurity accredited. The accreditation requires maintaining continuous course improvement in the core courses, including a secure software development course. This research first reports on important topics incorporated into a senior-level secure software development course for cybersecurity majors. Our research then analyses Institutional Review Board (IRB) approved student surveys to learn which course components could benefit from continuous course improvements. We apply machine learning to help build categories for ABET continual improvement. Finally, we share lessons learned and plans for future work.
State of the systems security. Bodden, Eric. 2018 IEEE/ACM 40th International Conference on Software Engineering: Companion (ICSE-Companion), 05/2018. Conference Proceeding.
Software-intensive systems are increasingly pervading our everyday lives. As they get more and more connected, this opens them up to far-reaching cyber attacks. Moreover, a recent study by the U.S. Department of Homeland Security shows that more than 90% of current cyber-attacks are enabled not by faulty crypto, networks or hardware but by application-level implementation vulnerabilities. I argue that those problems can only be resolved by the widespread introduction of a secure software development lifecycle (SDLC). In this technical briefing I explain where secure engineering currently fails in practice, and what software engineers can do if they want to make a positive impact in the field. I will do so by explaining major open challenges in the field, but also by resorting to success stories from the introduction of SDLCs in industry.
To meet growing demands in the United States market for cybersecurity professionals, the National Security Agency and Department of Homeland Security have jointly established the National Center for Academic Excellence. Until recently, cybersecurity efforts were focused on securing the network. However, numerous studies have revealed that significant vulnerabilities have been found within the software code. Having secure software engineering labs is critical for teaching programmers and software engineers. Experiential learning is the cornerstone of cybersecurity education. Laboratory exercises provide critical value to students. Real-world malicious actors use varying tactics and techniques for cyber-attacks. Laboratory environments should mirror this dynamism, and students should be exposed to various tools and mitigation strategies.
This article discusses the issues of standardizing commercial production of secure software products. It studies administrative and technical controls for minimizing the number of vulnerabilities during development and operational support of secure automated systems software. We classified standards and guidelines on secure software development. We analysed the applicability of the available methodological approaches to secure software development during evaluation of conformance to the information security requirements, including during certification of the software products. The article proves the feasibility of harmonizing the developed regulatory requirements and practical measures with the methods stipulated in the ISO 15408 and ISO 12207 international standards. We introduced the notion of secure software and developed a basic set of requirements that allows, among other things, evaluating the conformance of software development processes to secure software requirements. We prove that the set of requirements shall rest, first of all, on the accepted security policies and up-to-date threats. Sample requirements under development are provided. We developed an original conceptual model for analysis and synthesis of a set of controls for secure software development that rests on a set of generated requirements. The article shows that the conceptual model gives software developers an opportunity to make a science-based choice of software development controls. We developed general methods for selecting a set of secure software development controls. We provide indirect proof of the efficiency of the suggested approach. It should be noted that the suggested approach was used as a basis for the national standard on development and production of secure software.
Problem: developers are increasingly adopting security practices in software projects in response to cyber threats. Despite the additional effort required to perform those practices, current cost models either do not consider security as an input or were not properly validated with empirical data. Hypothesis: increasing degrees of application of security practices and security features, motivated by security risks, lead to growing levels of added software development effort. Such an effort increase can be quantified through a parametric model that takes as input the usage degrees of security practices and requirements and outputs the additional software development effort. Contributions: the accurate prediction of secure software development effort will support the provision of a proper amount of resources to projects. We also expect that the quantification of the security effort will contribute to advancing research on the cost-effectiveness of software security.
While researchers have developed many tools, techniques, and protocols for improving software security, exploits and breaches are only becoming more frequent. Some of this gap between theoretical security and actual vulnerability can be explained by insufficient consideration of human factors, broadly termed usability, when developing these mechanisms. In particular, security mechanisms may be difficult to use, may conflict with other priorities, or may assume more security knowledge than users possess. For almost 20 years, the usable security community has investigated how to improve the usability of security tools and interfaces aimed at end users. More recently, the community has begun to apply similar techniques in the context of improving security tools, such as APIs and bug-finding software, aimed not at end users but at developers, whose security errors are magnified across all users of their products. In this paper, we review key lessons learned from usable security for end users and consider how to apply them in the context of developers. We propose a research agenda aimed at developing a high-quality, comprehensive literature for usable security for developers, including: investigating how to conduct reliable research in this context, understanding developers' attitudes, knowledge, and priorities, measuring the status quo, and developing improved tools and interventions in the future.
Security in general, and database protection from unauthorized access in particular, are crucial for organizations. Although it has long been accepted that the important system requirements should be considered from the early stages of the development process, non-functional requirements such as security tend to get neglected or dealt with only at later stages of the development process.
We present an empirical study conducted to evaluate a Pattern-based method for Secure Development – PbSD – that aims to help developers, in particular database designers, to design database schemata that comply with the organizational security policies regarding authorization, from the early stages of development. The method provides a complete framework to guide, enforce and verify the correct implementation of security policies within a system design, and eventually generate a database schema from that design.
The PbSD method was evaluated in comparison with a popular existing method that directly specifies the security requirements in SQL and Oracle’s VPD. The two methods were compared with respect to the quality of the created access control specifications, the time it takes to complete the specification, and the perceived quality of the methods.
We found that the quality of the access control specifications using the PbSD method for secure development was better with respect to privileges granted at the table, column and row granularity levels. Moreover, subjects who used the PbSD method completed the specification task in less time compared to subjects who used SQL. Finally, the subjects perceived the PbSD method as clearer and easier to use.
The pattern-based method for secure development can enhance the quality of the security specification of databases, and decrease software development time and cost. The results of the experiment may also indicate that the use of patterns in general has similar benefits; yet this requires further examination.
While fuzzing can be very costly, it has proven to be a fundamental technique in uncovering bugs (often security related) in many applications. A recent study on bug reports from OSS-Fuzz observed that recent code changes are responsible for 77% of all reported bugs, stressing the importance of continuous testing. With the increased adoption of CI/CD practices in software development, it is only natural to look for effective ways of incorporating fuzzing into continuous security testing. In this paper, we study the effectiveness of fuzz testing in CI/CD pipelines with a focus on security related bugs and seek optimization opportunities to triage commits that do not require fuzzing. Through experimental analysis, we found that the fuzzing effort can be reduced by 63% in three of the nine libraries we analyzed (55% on average). Additionally, we investigate the correlation between fuzzing campaign duration and the effectiveness of fuzzers in vulnerability discovery: a significantly shorter fuzzing campaign facilitates a faster pipeline for developers, while it can still uncover important bugs. Our findings suggest that continuous fuzzing is indeed beneficial for secure software development processes, and that there are many opportunities to improve its effectiveness.