Design of a Process for Software Security

Security is often an afterthought in software development: it is bolted on late, during development or even during deployment or maintenance, through activities such as penetration testing, add-on security software and penetrate-and-patch maintenance. We believe that security needs to be built into the software from the beginning, and that security activities need to take place throughout the software lifecycle. Accomplishing this effectively and efficiently requires a structured approach that combines a detailed understanding of what causes vulnerabilities with knowledge of how to prevent them. In this paper we present a process for software security that is based on vulnerability cause graphs, a formalism we have developed for modeling the causes of software vulnerabilities. The purpose of the software security process is to evolve the software development process so that vulnerabilities are prevented rather than found and patched afterwards. The process we present differs from most current approaches to software security in its high degree of adaptability and in its ability to evolve in step with changing threats and risks. This paper focuses on how to apply the process and on the criteria that have influenced its design.