Secure Software Development through Coding Conventions and Frameworks

It is difficult to apply existing software development methods to security concerns. Using software for security testing purposes, in particular, is hard to do. The fact that there is a restriction on the implementation of software affects the ease with which security can be tested. In this paper we propose a decision process for security coding conventions that is mindful of security testing. We then apply our method to preventing injection attacks on Web application programs, and establish some coding conventions that can be used against injection attacks and cross-site scripting. We also discuss security frameworks, which are likewise useful as conventions.
