ISBN: (print) 9783642271410
IT products developed without due consideration of security issues have caused many security accidents over the last ten years. As a result, the importance of security in software development is increasing. It is important to ensure that no known vulnerabilities remain in the design, development, and test stage, in order to develop secure IT products. Even when an IT product is designed securely, various security vulnerabilities can occur, such as buffer overflow, if the general coding technique is used at the development stage. Therefore, the introduction of secure coding rules becomes most critical in developing a robust information security product. This paper proposes a method of applying a secure coding standard in the CC evaluation process. The proposed method is expected to contribute to improving the security of IT products in the CC evaluation process.
ISBN: (print) 9781450310987
Software is critical to life in the 21st century. It drives financial, medical, and government computer systems as well as systems that provide critical infrastructures in areas such as transportation, energy, networking, and telecommunications. As the number and severity of attacks that exploit software vulnerabilities increase, writing reliable, robust, and secure programs will substantially improve the ability of systems and infrastructure to resist such attacks. Education plays a critical role in addressing cybersecurity challenges of the future, such as designing curricula that integrate principles and practices of secure programming into educational programs. To help guide this process, the National Science Foundation Directorates of Computer and Information Science and Engineering (CISE) and Education and Human Resources (EHR) jointly sponsored the Summit on Education in Secure Software (SESS), held in Washington, DC in October, 2010. The goal of this session is to share some of the key findings and challenges identified by the summit and to actively engage the community in the discussions. Each of the speakers participated in the summit and brings a unique viewpoint to the session.
ISBN: (print) 9781665403924
Software needs to be secure, in particular, when deployed to critical infrastructures. Secure coding guidelines capture practices in industrial software engineering to ensure the security of code. This study aims to assess the level of awareness of secure coding in industrial software engineering, the skills of software developers to spot weaknesses in software code, avoid them, and the organizational support to adhere to coding guidelines. The approach draws on well-established theories of policy compliance, neutralization theory, and security-related stress and the authors' many years of experience in industrial software engineering and on lessons identified from training secure coding in the industry. The paper presents the questionnaire design for the online survey and the first analysis of data from the pilot study.
ISBN: (print) 9783030587925; 9783030587932
According to a recent survey with more than 4000 software developers, "less than half of developers can spot security holes". As a result, software products present a low-security quality expressed by vulnerabilities that can be exploited by cyber-criminals. This lack of quality and security is particularly dangerous if the software which contains the vulnerabilities is deployed in critical infrastructures. Serious games, and in particular, Capture-the-Flag (CTF) events, have shown promising results in improving secure coding awareness of software developers in the industry. The challenges in the CTF event, to be useful, must be adequately designed to address the target group. This paper presents novel contributions by investigating which challenge types are adequate to improve software developers' ability to write secure code in an industrial context. We propose 1) six challenge types usable in the industry context, and 2) a structure for the CTF challenges. Our investigation also presents results on 3) how to include hints and penalties into the cyber-security challenges. We evaluated our work through a survey with security experts. While our results show that "traditional" challenge types seem to be adequate, they also reveal a new class of challenges based on code entry and interaction with an automated coach.
ISBN: (print) 9798400702433
Software developer/operator companies have to face growing cyber threats. Secure coding is a development process resulting in software products that resist cyber-attacks. Although several security standards and guidelines exist to help developers create secure software, tool-supported identification of vulnerability issues is also needed. Static analyser tools can help to find security issues in the code. However, those usually work in a language-dependent way. In this paper, we show secure coding issues for the programming language Erlang and demonstrate a tool, RefactorErl, that supports the identification of these vulnerabilities in Erlang systems.
ISBN: (print) 9781728151656
Many industrial IT security standards and policies mandate the usage of a secure coding methodology in the software development process. This implies two different aspects: first, secure coding must be based on a set of secure coding guidelines, and second, software developers must be aware of these secure coding practices. On the one side, secure coding guidelines seem a bit like a black art: while there exist abstract guidelines that are widely accepted, low-level secure coding guidelines for different programming languages are scarce. On the other side, once a set of secure coding guidelines is chosen, a good methodology is needed to make them known by the people who should be using them, i.e. software developers. Motivated both by the secure coding requirements from industry standards and also by the mandate to train staff on IT security by the global industry initiative "Charter of Trust", this paper presents an overview of important research questions on how to choose secure coding guidelines and on how to raise software developer awareness for secure coding using serious games.
ISBN: (print) 9781665457019
Software security research has a core problem: it is impossible to prove the security of complex software. A low number of known defects may simply indicate that the software has not been attacked yet, or that successful attacks have not been detected. A high defect count may be the result of white-hat hacker targeting, or of a successful bug bounty program which prevented insecurities from persisting in the wild. This makes it difficult to measure the security of non-trivial software. Researchers instead usually measure effort directed towards ensuring software security. However, different researchers use their own tailored measures, usually devised from industry secure coding guidelines. Not only is there no agreed way to measure effort, there is also no agreement on what effort entails. Qualitative studies emphasise the importance of security culture in an organisation. Where software security practices are introduced solely to ensure compliance with legislative or industry standards, a box-ticking attitude to security may result. The security culture may be weak or non-existent, making it likely that precautions not explicitly mentioned in the standards will be missed. Thus, researchers need both a way to assess software security practice and a way to measure software security culture. To assess security practice, we converted the empirically-established 12 most common software security activities into questions. To assess security culture, we devised a number of questions grounded in prior literature. We ran a secure development survey with both sets of questions, obtaining organic responses from 1,100 software coders in 59 countries. We used proven common activities to assess security practice, and made a first attempt to quantitatively assess aspects of security culture in the broad developer population. Our results show that some coders still work in environments where there is little to no attempt to ensure code security. Security practice and culture do no
ISBN: (print) 9798350330328
Software security continues to be a matter of concern for both end-users and developers, with the cost of potential lapses expected to become larger as software plays a larger role in society. Despite investments in secure coding training programmes, organisations are not achieving the expected success rate. An often overlooked reason for this among many others is that current training programmes are not tailored to consider the diversity among software developers as it relates to human aspects. In this research, data was gathered from software developers of various backgrounds on their perceptions of secure coding training, their expectations from and challenges with such a training program. The findings suggest that developers with personality traits of agreeableness tend to ignore secure coding standards. Additionally, developers with higher work experience tend to demand storage management, responsible use of privileges, security and privacy laws and testing topics to be included in the secure coding training. Furthermore, in terms of training structure, developers with higher openness tend to demand hands-on training to be included. The study's findings seek to inform future researchers and organisations on factors to consider when designing adaptive secure coding programs that would address the needs of developers from different backgrounds.
Code security or robustness has been an important topic in recent decades for the research and software production communities. Defects in code can cause vulnerabilities in the program or system because they can be exploited by attackers. This project has enhanced the Secure Coding Assistant system with Design by Contract and Programming Logic. The enhanced system can help programmers detect, locate, and eliminate code errors while coding. Java programmers using this enhanced system are suggested to provide their design contracts to three program structures (i.e., methods, if-then-else statements, and while-loop statements). Programmer-defined design contracts can be automatically generated and checked at the dynamic time of their program execution. Based on the inference rules of if-then-else statements and while-loop statements in the programming logic, the system can automatically generate sub-design contracts using programmer-defined design contracts. The system-generated sub-design contracts can also be automatically checked during run time to further help programmers detect and locate code errors. Furthermore, the weakest pre-conditions of certain sequences of assignments can be automatically generated from the post-conditions of the sequences based on the inference rule of the sequence statements and the assignment axiom in the programming logic. This helps programmers statically analyze the correctness of the relevant programmer-defined design contracts. With the enhancement presented, Secure Coding Assistant can help programmers for early detection of violations of secure coding rules and defects in Java code at the same time.
The increasingly distributed nature of many current and future technologies has introduced many challenges for devices designed for such settings. Devices operating in such environments, such as Internet-of-Things (IoT), medical devices, connected vehicles, etc., typically have limited computational power and rely on batteries to operate. Therefore, efficiency is a paramount requirement for any algorithm designed to be implemented on these devices. Furthermore, these devices typically generate and collect huge amounts of extremely sensitive and personal data, such as health-related data, behavior-related data, etc. As a result, there is a need for security and privacy protections to guard against various attacks. Additionally, since these devices are typically resource-constrained, any algorithm or protocol needs to be efficient to enable its implementation on such devices. Efficient security and privacy solutions are essential to cope with, as well as enable, high deployment rate of such devices for various sensitive applications. In this dissertation, efficient solutions for protecting the security and privacy of data generated by such devices are explored. Low-complexity protocols for generating secret keys in static environments, along with a formulation of threshold-secure coding with a shared key and corresponding coding schemes are presented. Additionally, algorithms for coded machine unlearning for regression problems are presented, as well as a new setup and algorithm for federated learning with opt-out differential privacy are presented and evaluated.