An Anatomy of Security Conversations in Stack Overflow Lopez, Tamara; Tun, Thein; Bandara, Arosha ...
2019 IEEE/ACM 41st International Conference on Software Engineering: Software Engineering in Society (ICSE-SEIS),
05/2019
Conference Proceeding
Open access
As software-intensive digital systems become an integral part of modern life, ensuring that these systems are developed to satisfy security and privacy requirements is an increasingly important ...societal concern. This paper examines how secure coding practice is supported on Stack Overflow. Although there are indications that on-line environments are not robust or accurate sources of security information, they are used by large numbers of developers. Findings demonstrate that developers use conversation within the site to actively connect with and tend to security problems, fostering knowledge, exchanging information and providing assistance to one another.
The causal analysis of software vulnerabilities can be an effective way for building and evolving a dependable and reliable software system. Vulnerable source code can be leveraged by the attackers ...to break the system. Assisting the programmers so that they can avoid writing vulnerable code can cut down the effort and cost of protecting the software from security incidents. Security vulnerabilities can be prevented by identifying those programmer behavior related root causes that are the recurring reasons for the security bugs. Such repeated erroneous behavioral patterns have been coined as human cognition failures or human errors. In the case of software development, these erroneous behavioral patterns can lead the programmers to write vulnerable code. The goal of this research is to explore the available literature to identify frequently occurring programmer human errors in software implementation so as to provide programmers a handy list of cognitive issues that can be avoided by just being aware of them. Our literature review identified eight papers from where we extracted 20 human errors by programmers that have the potential to lead to writing vulnerable code.
Developers struggle to program securely. Prior works have reviewed the methods used to run user-studies with developers, systematized the ancestry of security API usability recommendations, and ...proposed research agendas to help understand developers' knowledge, attitudes towards security and priorities. In contrast we study the research to date and abstract out categories of challenges, behaviors and interventions from the results of developer-centered studies. We analyze the abstractions and identify five misplaced beliefs or tropes about developers embedded in the core design of APIs and tools. These tropes hamper the effectiveness of interventions to help developers program securely. Increased collaboration between developers, security experts and API designers to help developers understand the security assumptions of APIs alongside creating new useful abstractions-derived from such collaborations-will lead to systems with better security.
This paper presents the results obtained studying the prospective market of software security management systems in Russia that meet the requirements of national standards for secure software ...development. Basic national standards for secure software development in the context of software products certification are considered. The particulars of national and international standards harmonisation are addressed. Original conceptual models of secure software development are proposed. Statistical data on the introduction of safe procedures in serial production of information protection software is given. The peculiarities of the Russian market of secure software production are pointed out. The conclusion about the effectiveness and prospects of developing software security management systems as part of quality and information security management systems is made.
Meeting Industry Needs for Secure Software Development Mead, Nancy R.; Seshagiri, Girish; Howar, Julie
2016 IEEE 29th International Conference on Software Engineering Education and Training (CSEET),
04/2016
Conference Proceeding, Journal Article
In this paper, we describe a partnership between the Central Illinois Center of Excellence for Secure Software (CICESS) and Illinois Central College (ICC) that resulted in the creation of a two-year ...degree program in Secure Software Development. That program incorporated an apprenticeship model and the Software Engineering Institute's software assurance curriculum recommendations at the community college level. We describe the industry needs, the software assurance curriculum recommendations, how ICC implemented those recommendations, and the return on investment model presented to industry.
As time progresses, there is growth in the population of internet users, resulting in a rise in digital threats. Among these dangers, the prominence of phishing attacks has become a significant cause ...for concern due to their increasing frequency. The latest report from the Anti-Phising Working Group (APWG) stated that phishing attacks continued to increase from the third quarter of 2022 to the fourth quarter of 2022. This research contributes to reducing phishing attacks by providing convenience to the public in detecting phishing URLs through a secure mobile application. This study is the first to develop a secure mobile application for detecting phishing URLs using a deep learning-based detection method with the architecture of long short-term memory (LSTM) and gated recurrent unit (GRU). The application is developed using the secure software development lifecycle (SSDLC) agile scrum methodology. This method was selected due to the requirement for rapid and sustainable app development with potential threat mitigation. Threat mitigation is carried out through risk analysis, threat modeling, secure coding, and security testing. Based on the test results, the developed mobile application successfully mitigated 85.7% of potential threats, demonstrated robust security in its program codes, and exhibited 98.1% precision in detecting phishing URLs.
Various new technologies have developed as software security solutions have become more critical. One of the essential parts of software quality is the product's security. Though providing examples ...covering all phases of secure software development is necessary, very few of these situations have been documented. More than a few approaches have been proposed and implemented to handle software security, but only a few of them provide valid evidence for developing secure software applications. This paper presents the results of a Systematic Mapping Study (SMS), which was carried out to determine the existence of software security metrics, tools, standards, and security-related research topics mainly discussed and addressed. A total of 116 studies were chosen for inclusion in this review. Selected studies led us to discover 55 Secure Software Engineering (SSE) metrics, 68 SSE tools, 33 SSE standards, and 12 SSE research topics that have been discussed and addressed. This effort will aid software development firms in better understanding existing security measures employed in creating secure software. It can also serve as a foundation for researchers to build and create new software security solutions and identify new research directions.
A context description of a software system and its environment is essential for any given software engineering process. Requirements define statements about the environment (according to Jackson’s ...terminology). The context description of a Service-Oriented Architecture is difficult to provide, because of the variety of technical systems and stakeholders involved. We present two patterns for SOA systems and support their instantiation with a structured method. In addition, we show how the pattern can be used in a secure service development life-cycle.
How Can Secure Software be Trusted? Futcher, Lynn; Von Solms, Rossouw
South African computer journal = Suid-Afrikaanse rekenaartydskrif,
11/2011, Volume:
47, Issue:
47
Journal Article
Peer reviewed
Open access
The security of software applications is a major concern, especially for information owners, software developers and users. Increasingly, these stakeholders need to be confident that the software ...applications being developed are secure and can be trusted when used in the intended environment. However, a problem exists in terms of how to confidently address the security of software applications in order to protect the information to be stored, processed and transmitted by them, thereby increasing their associated levels of trust. The purpose of this paper is therefore to address some key aspects relating to the security and trustworthiness of a software application functioning within the intended environment. These key aspects include those relating to the security controls implemented and installed by the software developers and those involving the actual usage of the security controls implemented.
The Software-defined networking (SDN) is integrated into Low Earth Orbit (LEO) satellite for flexible and agile operation. This cutting-edge convergence has security risks that require detailed ...assessment. These security challenges include software vulnerabilities, compromised centralized control, security policies, open interfaces and APIs, protocol security, and authentication and authorization mechanisms. Therefore, we proposed an approach based on the Secure Software Development Life Cycle (SSDLC) to analyze and assess the security risk assessment of the LEO-SDN architecture. The security issues were investigated for LEO satellites with the SDN framework. The security of the software, the control mechanisms of SDN, and the inherent dynamics of LEO satellite networks were then assessed. The open interfaces in SDN and the communication protocol security between SDN and LEO were suggested.